Bug 3392436 - There is an illegal address access in function is_mmacro() of nasm.
Summary: There is an illegal address access in function is_mmacro() of nasm.
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All All
Importance: Medium blocker
Assignee: Cyrill Gorcunov
Reported: 2017-08-28 04:25 PDT by owl337
Modified: 2017-10-22 08:26 PDT

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
./nasm -f bin POC15 -o tmp (623 bytes, application/x-rar)
2017-08-28 04:25 PDT, owl337

Description owl337 2017-08-28 04:25:47 PDT
Created attachment 411613
./nasm -f bin  POC15 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC15 -o tmp
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum
Segmentation fault


The GDB debugging information is as follows:

(gdb) set args  -f bin  POC15 -o tmp
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin  id:000291,sig:11,src:003187,op:havoc,rep:8 -o tmp 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum

Program received signal SIGSEGV, Segmentation fault.
0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645	            params[nparam] = NULL;
(gdb) bt 
#0  0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
#1  0x000000000051d44d in expand_mmacro (tline=0x7ffff7f5b380) at asm/preproc.c:4756
#2  pp_getline () at asm/preproc.c:5211
#3  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==107477==ERROR: AddressSanitizer: SEGV on unknown address 0x601f7af45248 (pc 0x000000574f0a sp 0x7fffffffde30 bp 0x7fffffffded0 T0)
==107477==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x574f09 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x574f09)
    #1 0x51d44c (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51d44c)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==107477==ABORTING
[Inferior 1 (process 107477) exited with code 01]
(gdb) 


Triggered in:
is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645	            params[nparam] = NULL;
(gdb) list 
4640	             */
4641	            if (!params) {      /* need this special case */
4642	                params = nasm_malloc(sizeof(*params));
4643	                nparam = 0;
4644	            }
4645	            params[nparam] = NULL;
4646	            *params_array = params;
4647	            return m;
4648	        }
4649	        /*



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 Cyrill Gorcunov 2017-10-22 08:26:35 PDT
commit c9244eaadd05b27637cde06021bac3fa1d920aa3
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 15:25:48 2017 +0300

    preproc: mmacro -- Don't leave nparam_max less than nparam_min
    
    Otherwise we hit a nil dereference in the best case.
    
    https://bugzilla.nasm.us/show_bug.cgi?id=3392436
    
    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---

Thanks a lot for the report.
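Added example, not NASM's code: a hypothetical C model of parsing a `%macro` parameter-count spec (`N`, `N-M`, `N+`, `N-M+`) that applies the rule from the commit above, diagnosing the report's "minimum parameter count exceeds maximum" case and then clamping nparam_max up to nparam_min instead of leaving inconsistent bounds for later code such as is_mmacro() to trust. The struct, function names and the spec grammar handled here are assumptions (the `N-*` form is not modelled).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical model (not NASM's own code) of a %macro parameter-count spec:
 * "2", "1-3", "2+" or "1-3+". It mirrors the report's diagnostic and the
 * fix's invariant that nparam_max must never be left below nparam_min. */
struct mmacro_spec {
    int nparam_min;
    int nparam_max;
    int plus;        /* trailing '+': extra parameters are accepted */
    int repaired;    /* 1 if min > max was diagnosed and max was clamped to min */
};

/* Returns 0 on success, -1 if the spec is malformed. */
int parse_param_spec(const char *s, struct mmacro_spec *out)
{
    char *end;
    long lo, hi;

    memset(out, 0, sizeof(*out));
    if (!s || !isdigit((unsigned char)*s))
        return -1;
    lo = strtol(s, &end, 10);
    hi = lo;                              /* "N" alone means exactly N */
    if (*end == '-') {
        if (!isdigit((unsigned char)end[1]))
            return -1;                    /* "N-" with no upper bound */
        hi = strtol(end + 1, &end, 10);
    }
    if (*end == '+') {
        out->plus = 1;
        end++;
    }
    if (*end != '\0')
        return -1;                        /* trailing junk */
    out->nparam_min = (int)lo;
    out->nparam_max = (int)hi;
    if (out->nparam_min > out->nparam_max) {
        /* Diagnose as NASM does, then repair the bounds (the commit's change)
         * so code that assumes nparam_min <= nparam_max cannot be misled. */
        fprintf(stderr, "error: minimum parameter count exceeds maximum\n");
        out->nparam_max = out->nparam_min;
        out->repaired = 1;
    }
    return 0;
}

/* Accessors returning one field of the parsed spec, or -1 if it is malformed. */
int spec_min(const char *s)      { struct mmacro_spec m; return parse_param_spec(s, &m) ? -1 : m.nparam_min; }
int spec_max(const char *s)      { struct mmacro_spec m; return parse_param_spec(s, &m) ? -1 : m.nparam_max; }
int spec_repaired(const char *s) { struct mmacro_spec m; return parse_param_spec(s, &m) ? -1 : m.repaired; }
```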