Created attachment 411602
Triggered by " ./nasm -f bin POC4 -o tmp "

Description:

The debugging information is as follows:

$ ./nasm -f bin POC4 -o tmp
id:000244,sig:11,src:003034,op:havoc,rep:4:6: warning: unterminated string
id:000244,sig:11,src:003034,op:havoc,rep:4:13: warning: unterminated %{ construct
id:000244,sig:11,src:003034,op:havoc,rep:4:20: error: parser: instruction expected
id:000244,sig:11,src:003034,op:havoc,rep:4:25: error: (b_struc:3) `'1': parameter identifier expected
id:000244,sig:11,src:003034,op:havoc,rep:4:7: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
id:000244,sig:11,src:003034,op:havoc,rep:4:13: ... from macro `b_struc' defined here
...
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args -f bin POC4 -o tmp
(gdb) r
...
Breakpoint 4, detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1255
1255        if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) c 355
Will ignore next 354 crossings of breakpoint 4.  Continuing.
id:000244,sig:11,src:003034,op:havoc,rep:4:6: warning: unterminated string
id:000244,sig:11,src:003034,op:havoc,rep:4:13: warning: unterminated %{ construct
id:000244,sig:11,src:003034,op:havoc,rep:4:20: error: parser: instruction expected
id:000244,sig:11,src:003034,op:havoc,rep:4:25: error: (b_struc:3) `'1': parameter identifier expected
id:000244,sig:11,src:003034,op:havoc,rep:4:7: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
id:000244,sig:11,src:003034,op:havoc,rep:4:13: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
...
Breakpoint 4, detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1255
1255        if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) s
1288        if (expand_locals && ...
(gdb) s
1254        list_for_each(t, tlist) {
(gdb) s
=================================================================
==86909==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010891 at pc 0x53214e bp 0x7fffffffde30 sp 0x7fffffffde28
READ of size 1 at 0x602000010891 thread T0
==86909==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x53214d (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x53214d)
    #1 0x5195c8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5195c8)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x602000010891 is located 0 bytes to the right of 1-byte region [0x602000010890,0x602000010891)
allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fffa0c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffa0d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffa0e0: fa fa 02 fa fa fa 02 fa fa fa 00 fa fa fa 02 fa
  0x0c047fffa0f0: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
  0x0c047fffa100: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 07 fa
=>0x0c047fffa110: fa fa[01]fa fa fa fd fd fa fa 02 fa fa fa fd fa
  0x0c047fffa120: fa fa fd fa fa fa 06 fa fa fa 06 fa fa fa 02 fa
  0x0c047fffa130: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffa140: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
  0x0c047fffa150: fa fa 00 fa fa fa 06 fa fa fa 00 fa fa fa 00 fa
  0x0c047fffa160: fa fa 06 fa fa fa 02 fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==86909==ABORTING
[Inferior 1 (process 86909) exited with code 01]
(gdb)

The bug was triggered in:

detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1254
1254        if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) list
1250        char *line, *p;
1251        const char *q;
1252        int len = 0;
1253
1254        list_for_each(t, tlist) {
1255            if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
1256                char *v;
1257                char *q = t->text;
1258
1259                v = t->text + 2;

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
commit 9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 21:42:59 2017 +0300

    prepoc: Fix heap-buffer-overflow in detoken

    Just make sure we've a data to process.

    https://bugzilla.nasm.us/show_bug.cgi?id=3392424

    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---

Thanks for the report. Note there are a number of leaks in other places that remain, but this particular one is fixed.
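Added example, not nasm's code and not the commit above: a constructed token list that shows the unguarded `text[1]` read from asm/preproc.c:1255 beside a guarded form that first checks there is data, which is what the ASan report (a 1-byte region, i.e. an empty string) and the commit message point at. The `struct Token`, the type constants and the `%!HOME` sample are assumptions for illustration; the guard is this example's rendering of the fix's intent, not the literal hunk of 9b7ee09.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for nasm's token list (not nasm's real struct);
 * text is NUL-terminated and may legitimately be "" (a 1-byte allocation). */
enum { TOK_OTHER = 0, TOK_PREPROC_ID = 1 };
struct Token { struct Token *next; int type; char *text; };

/* Mirrors the unguarded test at asm/preproc.c:1255: text[1] is read without
 * checking text[0].  With text == "" that read lands one byte past the 1-byte
 * region, which is exactly what the ASan report above flags. */
static bool is_env_ref_unguarded(const struct Token *t)
{
    return t->type == TOK_PREPROC_ID && t->text[1] == '!';
}

/* Hardened form: confirm there is data to process before touching text[1].
 * This renders the fix's intent; it is not the literal hunk from 9b7ee09. */
static bool is_env_ref_guarded(const struct Token *t)
{
    return t->type == TOK_PREPROC_ID && t->text != NULL
        && t->text[0] != '\0' && t->text[1] == '!';
}

static struct Token *make_token(int type, const char *text)
{
    size_t len = strlen(text) + 1;   /* "" -> exactly 1 byte, as in the report */
    struct Token *t = calloc(1, sizeof *t);
    if (!t || !(t->text = malloc(len))) abort();
    memcpy(t->text, text, len);
    t->type = type;
    return t;
}

static void free_token(struct Token *t) { free(t->text); free(t); }

/* Constructed list: a real %!HOME reference, an empty preprocessor-ID token
 * (the crashing case) and an ordinary token.  Returns how many %!NAME tokens
 * the guarded walk finds: 1, with the empty token skipped rather than over-read. */
static int demo(void)
{
    struct Token *a = make_token(TOK_PREPROC_ID, "%!HOME");
    struct Token *b = make_token(TOK_PREPROC_ID, "");
    struct Token *c = make_token(TOK_OTHER, "mov");
    int n = 0;
    a->next = b; b->next = c;
    for (const struct Token *t = a; t; t = t->next) n += is_env_ref_guarded(t);
    free_token(a); free_token(b); free_token(c);
    return n;
}
```

Running the same walk with `is_env_ref_unguarded` under ASan reproduces the report's one-byte over-read on the empty token.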