Created attachment 411604
/nasm -f bin POC6 -o tmp

Description:
The debugging information is as follows:

$ ./nasm -f bin POC6 -o tmp
id:000248,sig:06,src:003072,op:flip1,pos:236:13: error: unterminated %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:29: error: (b_struc:7) NUL character in %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:14: ... from macro `b_struc' defined here
*** Error in `./../../../nasm': double free or corruption (fasttop): 0x00000000018facb0 ***
Aborted

The GDB debugging information is as follows:

(gdb) set args -f bin POC6 -o tmp
(gdb) r
...
*** Error in `/home/company/check_nasm/nasm-2.14rc0/install/bin/nasm': double free or corruption (fasttop): 0x00000000007d7cb0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff7a45eca in __GI_abort () at abort.c:89
#2  0x00007ffff7a87c53 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7ba01a8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8fc69 in malloc_printerr (ptr=<optimized out>, str=0x7ffff7ba0270 "double free or corruption (fasttop)", action=1) at malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3834
#5  0x00007ffff7a9389c in __GI___libc_free (mem=<optimized out>) at malloc.c:2950
#6  0x00000000004089d8 in nasm_free (q=0x117f7) at nasmlib/malloc.c:77
#7  0x00000000004234fa in delete_Token (t=0x7ffff7f7bc50) at asm/preproc.c:1236
#8  free_tlist (list=0x0) at asm/preproc.c:612
#9  free_llist (list=<optimized out>) at asm/preproc.c:622
#10 free_mmacro (m=<optimized out>) at asm/preproc.c:635
#11 pp_getline () at asm/preproc.c:5099
#12 0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#13 main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453

ASAN info:

(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin id:000266,sig:11,src:003293,op:havoc,rep:4 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77          free(q);
(gdb) c 925
Will ignore next 924 crossings of breakpoint 10.  Continuing.
id:000266,sig:11,src:003293,op:havoc,rep:4:8: warning: unterminated string
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:2) trailing garbage after `%push' ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:8: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: parser: instruction expected
id:000266,sig:11,src:003293,op:havoc,rep:4:10: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:8) trailing garbage after expression ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77          free(q);
(gdb) n
78      }
(gdb) n
pp_getline () at asm/preproc.c:5143
5143        lfmt->downlevel(LIST_INCLUDE);
...
(gdb) n
5112        istk->mstk->lineno++;
(gdb) n
=================================================================
==50260==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d4b0 at pc 0x5214d0 bp 0x7fffffffdee0 sp 0x7fffffffded8
READ of size 4 at 0x60f00000d4b0 thread T0
==50260==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x5214cf (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5214cf)
    #1 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #2 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #3 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d4b0 is located 144 bytes inside of 176-byte region [0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fff9a90: fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa fa
  0x0c1e7fff9aa0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ab0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==50260==ABORTING
[Inferior 1 (process 50260) exited with code 01]
(gdb)

The bug was triggered in:

pp_getline () at asm/preproc.c:5112
5107
5108        if (istk->expansion) { /* from a macro expansion */
5109            char *p;
5110            Line *l = istk->expansion;
5111            if (istk->mstk)
5112                istk->mstk->lineno++;
5113            tline = l->first;
5114            istk->expansion = l->next;
5115            nasm_free(l);
5116            p = detoken(tline, false);

Credits:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
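The ASAN report above says the read at preproc.c:5112 touches a macro frame that an earlier call into free_mmacro (frame #11, preproc.c:5099) had already released, while istk->mstk still pointed at it. The following is an added illustration of that bug class and of the defensive ownership pattern that avoids it; it is constructed for this page and is not NASM's code, nor its actual fix, and every name (Include, MMacro, Line, pop_mmacro, next_line, drain, demo) is hypothetical. The point it shows: the frame is released and the reference to it cleared in one step, the per-line bookkeeping tolerates an absent frame, and a Line node is freed only after everything needed from it has been read.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a preprocessor's expansion state (hypothetical names). */
typedef struct Line {
    char *text;
    struct Line *next;
} Line;

typedef struct MMacro {
    const char *name;
    int lineno;          /* line of the macro body currently being emitted */
} MMacro;

typedef struct Include {
    Line *expansion;     /* lines still to be returned from the macro */
    MMacro *mstk;        /* macro frame that owns the expansion, or NULL */
} Include;

static char *dup_text(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    memcpy(d, s, n);
    return d;
}

/* Build an include frame whose expansion queue holds the given body lines. */
static Include *begin_expansion(const char *name, const char **body, size_t n) {
    Include *istk = calloc(1, sizeof *istk);
    istk->mstk = calloc(1, sizeof *istk->mstk);
    istk->mstk->name = name;
    for (size_t i = n; i-- > 0; ) {
        Line *l = malloc(sizeof *l);
        l->text = dup_text(body[i]);
        l->next = istk->expansion;
        istk->expansion = l;
    }
    return istk;
}

/* Release the macro frame and clear the only reference to it in the same
 * step, so no later "istk->mstk->lineno++" can dereference freed memory. */
static void pop_mmacro(Include *istk) {
    if (!istk->mstk)
        return;
    free(istk->mstk);
    istk->mstk = NULL;
}

/* Return the next expanded line (caller frees it), or NULL when the
 * expansion is exhausted; the frame is popped only at that point. */
static char *next_line(Include *istk) {
    Line *l = istk->expansion;
    if (!l) {
        pop_mmacro(istk);
        return NULL;
    }
    if (istk->mstk)                 /* frame checked before it is touched */
        istk->mstk->lineno++;
    char *text = l->text;           /* take what we need from the node ... */
    istk->expansion = l->next;
    free(l);                        /* ... and free it only afterwards */
    return text;
}

/* Drain the whole expansion; returns the number of lines delivered. */
static int drain(Include *istk) {
    int count = 0;
    char *text;
    while ((text = next_line(istk)) != NULL) {
        count++;
        free(text);
    }
    return count;
}

/* Constructed three-line macro body. Returns the line count when the frame
 * and the queue were both released cleanly, -1 otherwise. */
int demo(void) {
    const char *body[] = { "mov eax, 1", "add eax, ebx", "ret" };
    Include *istk = begin_expansion("b_struc", body, 3);
    int n = drain(istk);
    int clean = (istk->mstk == NULL && istk->expansion == NULL);
    free(istk);
    return clean ? n : -1;
}

int main(void) {
    printf("lines delivered: %d\n", demo());
    return 0;
}
```

Running the model under AddressSanitizer (compile with -fsanitize=address) is the same check the report applies to nasm: with the frame pointer cleared on release, the per-line increment never reaches freed memory, so the sanitizer stays silent.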
No longer triggers with upcoming 2.13.02 (will be released soon).