Created attachment 411613
./nasm -f bin POC15 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin POC15 -o tmp
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args -f bin POC15 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin id:000291,sig:11,src:003187,op:havoc,rep:8 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum

Program received signal SIGSEGV, Segmentation fault.
0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645        params[nparam] = NULL;
(gdb) bt
#0  0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
#1  0x000000000051d44d in expand_mmacro (tline=0x7ffff7f5b380) at asm/preproc.c:4756
#2  pp_getline () at asm/preproc.c:5211
#3  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==107477==ERROR: AddressSanitizer: SEGV on unknown address 0x601f7af45248 (pc 0x000000574f0a sp 0x7fffffffde30 bp 0x7fffffffded0 T0)
==107477==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x574f09 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x574f09)
    #1 0x51d44c (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51d44c)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==107477==ABORTING
[Inferior 1 (process 107477) exited with code 01]
(gdb)

Triggered in:

is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645        params[nparam] = NULL;

(gdb) list
4640         */
4641        if (!params) {      /* need this special case */
4642            params = nasm_malloc(sizeof(*params));
4643            nparam = 0;
4644        }
4645        params[nparam] = NULL;
4646        *params_array = params;
4647        return m;
4648    }
4649    /*

Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
commit c9244eaadd05b27637cde06021bac3fa1d920aa3
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 15:25:48 2017 +0300

    preproc: mmacro -- Don't leave nparam_max less than nparam_min

    Otherwise we hit nil dereference in best case.

    https://bugzilla.nasm.us/show_bug.cgi?id=3392436

    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
Thanks a lot for the report.
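The invariant the commit restores (a macro definition is never left with nparam_max below nparam_min), as an added C model that is not NASM's code: it abstracts the definition-time range check and the expansion-time params[nparam] write, and the fixed flag selects whether an inconsistent range is repaired before later code relies on it. The struct, the function names and the "one slot per allowed parameter plus a terminator" sizing rule are assumptions made for the model, not NASM's actual layout.

```c
/* Hypothetical model of a multi-line macro's parameter range; not NASM's code. */
#include <stdlib.h>

typedef struct {
    int nparam_min;   /* fewest parameters a call may pass */
    int nparam_max;   /* most parameters a call may pass */
} mmacro_range;

/* Definition-time check. Both variants report min > max as an error
 * ("minimum parameter count exceeds maximum" in the report); only the
 * fixed variant also repairs the range so nparam_max is never < nparam_min. */
int define_range(mmacro_range *m, int lo, int hi, int fixed)
{
    m->nparam_min = lo;
    m->nparam_max = hi;
    if (hi < lo) {
        if (fixed)
            m->nparam_max = lo;   /* fail closed: never keep an inconsistent range */
        return 0;                 /* error reported either way */
    }
    return 1;
}

/* Expansion-time step: size the parameter array from nparam_max, then place
 * the NULL terminator at params[nparam]. Returns 1 if that write is backed by
 * the allocation, 0 if it would not be (the model's stand-in for the crash
 * at preproc.c:4645). A call with too few parameters is rejected and is safe. */
int expand_in_bounds(const mmacro_range *m, int nparam)
{
    int slots = m->nparam_max + 1;        /* params[0..nparam_max] */
    if (nparam < m->nparam_min)
        return 1;                         /* rejected before any write */
    if (slots < 1)
        return 0;                         /* nothing usable would be allocated */
    char **params = calloc((size_t)slots, sizeof *params);
    if (!params)
        return 0;
    int ok = nparam < slots;              /* index nparam must exist */
    if (ok)
        params[nparam] = NULL;
    free(params);
    return ok;
}
```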