Bug 3392430 - There is heap-use-after-free on address 0x60f00000cf80 in nasm.
Summary: There is heap-use-after-free on address 0x60f00000cf80 in nasm.
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All All
Importance: Medium blocker
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2017-08-28 04:14 PDT by owl337
Modified: 2017-11-25 10:00 PST
CC List: 3 users

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
./nasm -f bin POC10 -o tmp (608 bytes, application/x-rar), 2017-08-28 04:14 PDT, owl337

Description owl337 2017-08-28 04:14:01 PDT
Created attachment 411608
./nasm -f bin  POC10 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC10 -o tmp 
...
id:000538,sig:11,src:007218,op:havoc,rep:8:68: error: (b_struc:8) macro params should be enclosed in braces
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
Segmentation fault


The GDB debugging information is as follows:

(gdb) set args -f bin POC10 -o tmp 
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin  id:000538,sig:11,src:007218,op:havoc,rep:8 -o tmp 
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here

Program received signal SIGSEGV, Segmentation fault.
0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992	        while (mmac && !mmac->name)     /* avoid mistaking %reps for macros */
(gdb) bt 
#0  0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
#1  0x0000000000423a6e in pp_getline () at asm/preproc.c:5172
#2  0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) 

ASAN info:

=================================================================
==91204==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000cf80 at pc 0x54f397 bp 0x7fffffffdac0 sp 0x7fffffffdab8
READ of size 8 at 0x60f00000cf80 thread T0
==91204==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x54f396 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x54f396)
    #1 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000cf80 is located 16 bytes inside of 176-byte region [0x60f00000cf70,0x60f00000d020)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff99e0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fd fd
=>0x0c1e7fff99f0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a00: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e7fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a20: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e7fff9a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==91204==ABORTING
[Inferior 1 (process 91204) exited with code 01]


The bug was triggered in:
do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992	        while (mmac && !mmac->name)     /* avoid mistaking %reps for macros */

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.
Comment 1 Cyrill Gorcunov 2017-11-25 10:00:11 PST
No longer triggers with upcoming 2.13.02 (will be released soon).