Created attachment 411607 [details]
./nasm -f bin POC9 -o tmp

The debugging information is as follows:

$ ./nasm -f bin POC9 -o tmp
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
Segmentation fault

The GDB debugging information is as follows:

(gdb)set args -f bin POC9 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin id:000532,sig:11,src:007319,op:havoc,rep:64 -o tmp
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line without a colon might be in error [-w+orphan-labels]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
5389            pp_list_one_macro(m->next_active, severity);
(gdb) bt
#0  0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
#1  0x0000000000425e60 in pp_list_one_macro (m=0x7c7290, severity=17729) at asm/preproc.c:5389
#2  0x0000000000425e60 in pp_list_one_macro (m=0x7c8320, severity=17729) at asm/preproc.c:5389
#3  0x0000000000425dce in pp_error_list_macros (severity=<optimized out>) at asm/preproc.c:5406
#4  0x00000000004066ec in nasm_verror_common (severity=16449, fmt=<optimized out>, args=<optimized out>) at asm/nasm.c:1665
#5  0x0000000000405158 in nasm_verror_gnu (severity=16449, fmt=0x4a869f "label alone on a line without a colon might be in error", ap=0x7fffffffdfa0) at asm/nasm.c:1508
#6  0x000000000040d8c3 in nasm_error (severity=<error reading variable: Value out of range.>, fmt=0x4541 <error: Cannot access memory at address 0x4541>) at asm/error.c:86
#7  0x000000000041d521 in parse_line (pass=<optimized out>, buffer=0x7d0230 "st", result=0x7fffffffe268, ldef=0x41c300 <define_label>) at asm/parser.c:474
#8  0x00000000004036fb in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1245
#9  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb)

ASAN info:

=================================================================
==49024==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d568 at pc 0x527e12 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 8 at 0x60f00000d568 thread T0
==49024==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x527e11 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527e11)
    #1 0x527b11 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527b11)
    #2 0x527830 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527830)
    #3 0x491fe0 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x491fe0)
    #4 0x48c3f4 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x48c3f4)
    #5 0x4b42df (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4b42df)
    #6 0x5007a1 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5007a1)
    #7 0x483660 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483660)
    #8 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d568 is located 88 bytes inside of 176-byte region [0x60f00000d510,0x60f00000d5c0)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a90: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c1e7fff9aa0: fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c1e7fff9ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9af0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==49024==ABORTING
[Inferior 1 (process 49024) exited with code 01]

The bug was triggered in:

pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
5389            pp_list_one_macro(m->next_active, severity);

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
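The report above shows the general shape of this bug class: a record that is reachable from two lists is freed after being unlinked from only one of them, and a later diagnostic walk of the other chain (here the recursive `pp_list_one_macro(m->next_active, ...)` call) reads the freed memory. The following C program is an added illustration of that pattern and of the defensive fix, written for this page; it is not NASM's code, and the `macro` struct, the `all_macros`/`active_top` lists and every function name in it are invented for the example. The buggy variant is defined so the defect is visible but is deliberately never called; compiled with `-fsanitize=address -g`, calling it instead of the safe variant produces a heap-use-after-free report of the same shape as the one in the attachment (a READ of pointer size at the `next_active` load).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical macro record (not NASM's): every macro sits on a global
 * "all macros" list and, while it is being expanded, also on a separate
 * "active" chain used when listing the macro context of an error. */
typedef struct macro {
    char name[16];
    struct macro *next;         /* all-macros list */
    struct macro *next_active;  /* chain of macros currently being expanded */
} macro;

static macro *all_macros = NULL;   /* head of the all-macros list */
static macro *active_top = NULL;   /* innermost macro being expanded */

/* Allocate a macro and push it on the all-macros list. */
macro *macro_define(const char *name) {
    macro *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    strncpy(m->name, name, sizeof m->name - 1);
    m->next = all_macros;
    all_macros = m;
    return m;
}

/* Mark a macro as being expanded: push it on the active chain. */
void macro_activate(macro *m) {
    m->next_active = active_top;
    active_top = m;
}

/* Recursive walk of the active chain, mirroring the shape of a
 * "list every active macro" diagnostic helper. Returns nodes visited. */
int list_active(const macro *m) {
    if (!m) return 0;
    return 1 + list_active(m->next_active);
}

/* Safe teardown: unlink from BOTH lists before freeing, so no chain can
 * still reach the node after free(). */
void macro_undefine_safe(macro *m) {
    macro **pp;
    for (pp = &all_macros; *pp; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; break; }
    for (pp = &active_top; *pp; pp = &(*pp)->next_active)
        if (*pp == m) { *pp = m->next_active; break; }
    free(m);
}

/* Buggy teardown: unlinks from the all-macros list only. The node stays
 * reachable through active_top -> ... -> next_active, so any later
 * list_active() walk dereferences freed memory (ASan: heap-use-after-free
 * at the next_active read). Shown for contrast; never called here. */
void macro_undefine_buggy(macro *m) {
    macro **pp;
    for (pp = &all_macros; *pp; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; break; }
    free(m);   /* dangling pointer left in the active chain */
}

/* Constructed scenario: define three macros, activate two, undefine the
 * innermost active one, then list the active chain. With the safe
 * teardown the walk visits exactly one node (returns 1); all memory is
 * released before returning and both list heads end up NULL. */
int scenario_safe(void) {
    all_macros = NULL;
    active_top = NULL;
    macro *a = macro_define("a");
    macro *b = macro_define("b");
    macro *c = macro_define("c");   /* defined but never activated */
    macro_activate(a);
    macro_activate(b);              /* active chain: b -> a */
    macro_undefine_safe(b);         /* active chain: a */
    int visited = list_active(active_top);
    macro_undefine_safe(a);
    macro_undefine_safe(c);
    return visited;
}
```

The design point is that ownership of a node must be reconciled with every structure that can reach it before `free()`; a list that is only consulted on the error path (as the active-macro listing is here, being reached through `nasm_error`) is exactly the kind of secondary reference that such cleanups forget, and exactly the kind that a fuzzer reaches by provoking many diagnostics. When reproducing an ASan report like the one above, setting `ASAN_SYMBOLIZER_PATH` to an `llvm-symbolizer` binary turns the raw `nasm+0x...` frames into function names and source lines, which is what makes the report actionable.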
No longer triggers with upcoming 2.13.02 (will be released soon).