3392429 – There is a heap-use-after-free on address 0x60f00000d568 in nasm.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

Bug 3392429 - There is a heap-use-after-free on address 0x60f00000d568 in nasm.

Summary: There is a heap-use-after-free on address 0x60f00000d568 in nasm.

Status:	CLOSED FIXED

Alias:	None

Product:	NASM
Classification:	Unclassified
Component:	Assembler (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	Medium blocker
Assignee:	nobody

URL:

Depends on:
Blocks:

Reported:	2017-08-28 04:12 PDT by owl337
Modified:	2017-11-25 09:59 PST (History)
CC List:	3 users (show)

Obtained from:	Binary from nasm.us
Generated by:	---
Bug category:
Breaks existing code:	---

Attachments
./nasm -f bin POC9 -o tmp (609 bytes, application/x-rar) 2017-08-28 04:12 PDT, owl337	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description owl337 2017-08-28 04:12:26 PDT

Created attachment 411607 [details]
./nasm -f bin  POC9 -o tmp

The debugging information is as follows:

$ ./nasm -f bin  POC9 -o tmp 
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
Segmentation fault


The GDB debugging information is as follows:

(gdb)set args -f bin  POC9 -o tmp
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin  id:000532,sig:11,src:007319,op:havoc,rep:64 -o tmp
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line without a colon might be in error [-w+orphan-labels]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
5389	    pp_list_one_macro(m->next_active, severity);
(gdb) bt 
#0  0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
#1  0x0000000000425e60 in pp_list_one_macro (m=0x7c7290, severity=17729) at asm/preproc.c:5389
#2  0x0000000000425e60 in pp_list_one_macro (m=0x7c8320, severity=17729) at asm/preproc.c:5389
#3  0x0000000000425dce in pp_error_list_macros (severity=<optimized out>) at asm/preproc.c:5406
#4  0x00000000004066ec in nasm_verror_common (severity=16449, fmt=<optimized out>, args=<optimized out>)
    at asm/nasm.c:1665
#5  0x0000000000405158 in nasm_verror_gnu (severity=16449, 
    fmt=0x4a869f "label alone on a line without a colon might be in error", ap=0x7fffffffdfa0) at asm/nasm.c:1508
#6  0x000000000040d8c3 in nasm_error (severity=<error reading variable: Value out of range.>, 
    fmt=0x4541 <error: Cannot access memory at address 0x4541>) at asm/error.c:86
#7  0x000000000041d521 in parse_line (pass=<optimized out>, buffer=0x7d0230 "st", result=0x7fffffffe268, 
    ldef=0x41c300 <define_label>) at asm/parser.c:474
#8  0x00000000004036fb in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1245
#9  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) 


ASAN info:
=================================================================
==49024==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d568 at pc 0x527e12 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 8 at 0x60f00000d568 thread T0
==49024==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x527e11 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527e11)
    #1 0x527b11 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527b11)
    #2 0x527830 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527830)
    #3 0x491fe0 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x491fe0)
    #4 0x48c3f4 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x48c3f4)
    #5 0x4b42df (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4b42df)
    #6 0x5007a1 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5007a1)
    #7 0x483660 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483660)
    #8 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d568 is located 88 bytes inside of 176-byte region [0x60f00000d510,0x60f00000d5c0)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a90: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c1e7fff9aa0: fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c1e7fff9ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9af0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==49024==ABORTING
[Inferior 1 (process 49024) exited with code 01]



The bug was trigged in:
pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
5389	    pp_list_one_macro(m->next_active, severity);



Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 1 Cyrill Gorcunov 2017-11-25 09:59:26 PST

No longer triggers with upcoming 2.13.02 (will be released soon).