Bug 3392432 - There is a heap-buffer-overflow on address 0x60300000c4d2 in nasm.
Summary: There is a heap-buffer-overflow on address 0x60300000c4d2 in nasm.
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All All
Importance: Medium blocker
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2017-08-28 04:17 PDT by owl337
Modified: 2017-11-25 10:00 PST

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
./nasm -f bin POC12 -o tmp (655 bytes, application/x-rar)
2017-08-28 04:17 PDT, owl337

Description owl337 2017-08-28 04:17:24 PDT
Created attachment 411610
./nasm -f bin  POC12 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC12 -o tmp 
id:000335,sig:06,src:004190,op:havoc,rep:128:4: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:6: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:8: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: unknown preprocessor directive `%mmcro'
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:11: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:13: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:14: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:16: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: unknown preprocessor directive `%mm'
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:18: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: unknown preprocessor directive `%eQdmacro'
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro call
*** Error in `./../../../nasm': free(): invalid next size (fast): 0x0000000001376ab0 ***
Aborted


The GDB debugging information is as follows:

(gdb)set args -f bin  POC12 -o tmp
(gdb) r 
The program being debugged has been started already.
...
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro call
*** Error in `/home/company/check_nasm/nasm-2.14rc0/install/bin/nasm': free(): invalid next size (fast): 0x00000000007c0ab0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

ASAN info:
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin  id:000335,sig:06,src:004190,op:havoc,rep:128 -o tmp 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 6, paste_tokens (head=0x7fffffffd8f0, m=<optimized out>, mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849	                    strcpy(p, tok->text);
(gdb) c 61 
Will ignore next 60 crossings of breakpoint 6.  Continuing.
id:000335,sig:06,src:004190,op:havoc,rep:128:4: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:6: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:8: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: unknown preprocessor directive `%mmcro'
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:11: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:13: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:14: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:16: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: unknown preprocessor directive `%mm'
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:18: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: unknown preprocessor directive `%eQdmacro'
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro call

Breakpoint 6, paste_tokens (head=0x7fffffffde10, m=<optimized out>, mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849	                    strcpy(p, tok->text);
(gdb) bt 
#0  paste_tokens (head=0x7fffffffd8f0, m=<optimized out>, mnum=<optimized out>, handle_explicit=<optimized out>)
    at asm/preproc.c:3849
#1  0x0000000000571664 in expand_smacro (tline=<optimized out>) at asm/preproc.c:4475
#2  0x0000000000587a82 in parse_mmacro_spec (tline=<optimized out>, def=<optimized out>, directive=<optimized out>)
    at asm/preproc.c:2141
#3  0x0000000000545641 in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2872
#4  0x000000000051be1b in pp_getline () at asm/preproc.c:5172
#5  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#6  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) n
=================================================================
==70709==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000c4d2 at pc 0x459760 bp 0x7fffffffdd40 sp 0x7fffffffd4f8
WRITE of size 2 at 0x60300000c4d2 thread T0
==70709==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x45975f (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x45975f)
    #1 0x57906a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x57906a)
    #2 0x53765b (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x53765b)
    #3 0x51bd81 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51bd81)
    #4 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #5 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60300000c4d2 is located 0 bytes to the right of 18-byte region [0x60300000c4c0,0x60300000c4d2)
allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9890: fa fa fa fa fa fa fa fa 00 00[02]fa fa fa fd fd
  0x0c067fff98a0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff98b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff98c0: fa fa 00 00 02 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff98d0: 02 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff98e0: 00 00 01 fa fa fa 00 00 00 00 fa fa 00 00 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==70709==ABORTING
[Inferior 1 (process 70709) exited with code 01]


The bug was triggered in:

paste_tokens (head=0x7fffffffd8f0, m=<optimized out>, mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849	                    strcpy(p, tok->text);



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 Cyrill Gorcunov 2017-11-25 10:00:52 PST
No longer triggers with upcoming 2.13.02 (will be released soon).