Bug 3392426 - There is a heap use-after-free on address 0x60f00000d4b0 in nasm.
Summary: There is a heap use-after-free on address 0x60f00000d4b0 in nasm.
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All
OS: All
Importance: Medium blocker
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2017-08-28 04:07 PDT by owl337
Modified: 2017-11-25 09:56 PST

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
/nasm -f bin POC6 -o tmp (392 bytes, application/x-rar)
2017-08-28 04:07 PDT, owl337

Description owl337 2017-08-28 04:07:21 PDT
Created attachment 411604
/nasm -f bin  POC6 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC6 -o tmp 
id:000248,sig:06,src:003072,op:flip1,pos:236:13: error: unterminated %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:29: error: (b_struc:7) NUL character in %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:14: ... from macro `b_struc' defined here
*** Error in `./../../../nasm': double free or corruption (fasttop): 0x00000000018facb0 ***
Aborted

The GDB debugging information is as follows:

(gdb)set args -f bin  POC6 -o tmp
(gdb) r 
...

*** Error in `/home/company/check_nasm/nasm-2.14rc0/install/bin/nasm': double free or corruption (fasttop): 0x00000000007d7cb0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff7a45eca in __GI_abort () at abort.c:89
#2  0x00007ffff7a87c53 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff7ba01a8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8fc69 in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff7ba0270 "double free or corruption (fasttop)", action=1) at malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3834
#5  0x00007ffff7a9389c in __GI___libc_free (mem=<optimized out>) at malloc.c:2950
#6  0x00000000004089d8 in nasm_free (q=0x117f7) at nasmlib/malloc.c:77
#7  0x00000000004234fa in delete_Token (t=0x7ffff7f7bc50) at asm/preproc.c:1236
#8  free_tlist (list=0x0) at asm/preproc.c:612
#9  free_llist (list=<optimized out>) at asm/preproc.c:622
#10 free_mmacro (m=<optimized out>) at asm/preproc.c:635
#11 pp_getline () at asm/preproc.c:5099
#12 0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#13 main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453


ASAN info:
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin  id:000266,sig:11,src:003293,op:havoc,rep:4 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77	        free(q);
(gdb) c 925 
Will ignore next 924 crossings of breakpoint 10.  Continuing.
id:000266,sig:11,src:003293,op:havoc,rep:4:8: warning: unterminated string
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:2) trailing garbage after `%push' ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:8: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: parser: instruction expected
id:000266,sig:11,src:003293,op:havoc,rep:4:10: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:8) trailing garbage after expression ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined here

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77	        free(q);
(gdb) n
78	}
(gdb) n
pp_getline () at asm/preproc.c:5143
5143	                lfmt->downlevel(LIST_INCLUDE);
...
(gdb) n
5112	                    istk->mstk->lineno++;
(gdb) n
=================================================================
==50260==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d4b0 at pc 0x5214d0 bp 0x7fffffffdee0 sp 0x7fffffffded8
READ of size 4 at 0x60f00000d4b0 thread T0
==50260==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x5214cf (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5214cf)
    #1 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #2 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #3 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d4b0 is located 144 bytes inside of 176-byte region [0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fff9a90: fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa fa
  0x0c1e7fff9aa0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ab0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==50260==ABORTING
[Inferior 1 (process 50260) exited with code 01]
(gdb) 

The bug was triggered in:
pp_getline () at asm/preproc.c:5112
5107	
5108	            if (istk->expansion) {      /* from a macro expansion */
5109	                char *p;
5110	                Line *l = istk->expansion;
5111	                if (istk->mstk)
5112	                    istk->mstk->lineno++;
5113	                tline = l->first;
5114	                istk->expansion = l->next;
5115	                nasm_free(l);
5116	                p = detoken(tline, false);



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.
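The read at preproc.c:5112 goes through istk->mstk after the record it points to has already been freed (ASAN places the read 144 bytes into a freed 176-byte region, and the last nasm_free before it was stepped through while pp_getline was leaving an include level). The C program below is an added illustration, not NASM's code and not the fix that went into 2.13.02: it models an include stack whose levels carry a non-owning pointer to a shared macro record, and shows reference-counted ownership as one generic way to make popping a level safe. The names Macro, Level, level_push, level_pop, level_advance and scenario are invented for the example, and the nesting in scenario() is constructed; it does not reproduce the attached POC.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not NASM code): a macro record that several include-stack
 * levels may point at through a non-owning back-pointer. */
typedef struct Macro {
    char name[32];
    int  lineno;   /* bumped on every line pulled from the expansion */
    int  refs;     /* how many stack levels still point at this record */
} Macro;

typedef struct Level {
    struct Level *next;   /* enclosing level (istk->next in the report's terms) */
    Macro        *mstk;   /* macro being expanded at this level, or NULL */
} Level;

static int g_macros_live = 0;   /* allocation counter so a caller can check for leaks */

Macro *macro_new(const char *name)
{
    Macro *m = calloc(1, sizeof *m);
    if (!m) abort();
    snprintf(m->name, sizeof m->name, "%s", name);
    g_macros_live++;
    return m;
}

static void macro_ref(Macro *m)
{
    if (m) m->refs++;
}

/* Drop one reference. The record is freed only when no level points at it
 * any more. Returns 1 when it was actually freed, 0 otherwise. */
int macro_unref(Macro *m)
{
    if (!m) return 0;
    if (--m->refs > 0) return 0;
    memset(m, 0, sizeof *m);      /* scrub so a stale read is at least deterministic */
    free(m);
    g_macros_live--;
    return 1;
}

Level *level_push(Level *top, Macro *m)
{
    Level *l = calloc(1, sizeof *l);
    if (!l) abort();
    l->next = top;
    l->mstk = m;
    macro_ref(m);
    return l;
}

/* Leave the innermost level. The unsafe shape of this routine, matching the
 * report, would be free(top->mstk) on every pop: the outer level's mstk then
 * dangles and the next level_advance() reads freed memory. */
Level *level_pop(Level *top)
{
    Level *next = top->next;
    macro_unref(top->mstk);
    free(top);
    return next;
}

/* The step that crashed at preproc.c:5112: bump the line counter of the macro
 * owned by the current level. Returns the new counter, or -1 if there is none. */
int level_advance(Level *top)
{
    if (!top || !top->mstk) return -1;
    return ++top->mstk->lineno;
}

/* Constructed scenario: one macro shared by two levels, inner popped first.
 * Returns the line counter reached through the outer level after that pop. */
int scenario(void)
{
    Macro *m  = macro_new("b_struc");
    Level *st = NULL;
    st = level_push(st, m);       /* outer level: macro expansion */
    st = level_push(st, m);       /* inner level: same macro, e.g. a nested include */
    level_advance(st);            /* inner level pulls one line: lineno = 1 */
    st = level_pop(st);           /* inner done: refs 2 -> 1, record survives */
    int n = level_advance(st);    /* outer level pulls a line: lineno = 2 */
    st = level_pop(st);           /* refs 1 -> 0, record freed here */
    return n;
}

int macros_live(void) { return g_macros_live; }

int main(void)
{
    int n = scenario();
    printf("lineno via outer level after inner pop: %d, live macros: %d\n",
           n, macros_live());
    return 0;
}
```

Building this with -fsanitize=address and replacing macro_unref() in level_pop() with an unconditional free(top->mstk) produces the same heap-use-after-free report shape as the one above, which is a cheap way to confirm that a fix really removes the dangling pointer rather than just moving the read. The ASAN trace in the report is unsymbolized because no external symbolizer was found; setting ASAN_SYMBOLIZER_PATH to an llvm-symbolizer binary, or piping the output through LLVM's asan_symbolize.py, turns the bare addresses into the frame names that the gdb backtrace shows.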
Comment 1 Cyrill Gorcunov 2017-11-25 09:56:54 PST
No longer triggers with upcoming 2.13.02 (will be released soon).