Created attachment 411608
./nasm -f bin POC10 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin POC10 -o tmp
...
id:000538,sig:11,src:007218,op:havoc,rep:8:68: error: (b_struc:8) macro params should be enclosed in braces
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args -f bin POC10 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin id:000538,sig:11,src:007218,op:havoc,rep:8 -o tmp
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here

Program received signal SIGSEGV, Segmentation fault.
0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992        while (mmac && !mmac->name) /* avoid mistaking %reps for macros */
(gdb) bt
#0  0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
#1  0x0000000000423a6e in pp_getline () at asm/preproc.c:5172
#2  0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb)

ASAN info:

=================================================================
==91204==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000cf80 at pc 0x54f397 bp 0x7fffffffdac0 sp 0x7fffffffdab8
READ of size 8 at 0x60f00000cf80 thread T0
==91204==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x54f396 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x54f396)
    #1 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000cf80 is located 16 bytes inside of 176-byte region [0x60f00000cf70,0x60f00000d020)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff99e0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fd fd
=>0x0c1e7fff99f0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a00: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e7fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a20: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e7fff9a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==91204==ABORTING
[Inferior 1 (process 91204) exited with code 01]

The bug was triggered in:

do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992        while (mmac && !mmac->name) /* avoid mistaking %reps for macros */

Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
No longer triggers with upcoming 2.13.02 (will be released soon).