Bug 3392431 - There is a SEGV on unknown address 0x000000000018 in nasm.
Summary: There is a SEGV on unknown address 0x000000000018 in nasm.
Status: RESOLVED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All All
: Medium blocker
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2017-08-28 04:15 PDT by owl337
Modified: 2017-10-22 11:55 PDT

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
./nasm -f bin POC11 -o tmp (1009 bytes, application/x-rar)
2017-08-28 04:15 PDT, owl337

Description owl337 2017-08-28 04:15:57 PDT
Created attachment 411609 [details]
./nasm -f bin  POC11 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC11 -o tmp
...
id:000643,sig:11,src:009027,op:havoc,rep:64:28: error: symbol `t' redefined
id:000643,sig:11,src:009027,op:havoc,rep:64:33: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:34: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:35: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:88: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: macro call expects terminating `)'
id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: `%0': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args  -f bin  POC11 -o tmp
(gdb) r
...
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415	                                pt = *ptail = new_Token(tline, ttt->type,

(gdb) c 53
Will ignore next 51 crossings of breakpoint 2.  Continuing.
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415	                                pt = *ptail = new_Token(tline, ttt->type,
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x000000000056d5d6 in expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415	                                pt = *ptail = new_Token(tline, ttt->type,
(gdb) bt 
#0  expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
#1  0x000000000051c561 in pp_getline () at asm/preproc.c:5210
#2  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==9792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056d5d6 sp 0x7fffffffdda0 bp 0x7fffffffdee0 T0)
==9792==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x56d5d5 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x56d5d5)
    #1 0x51c560 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51c560)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==9792==ABORTING
[Inferior 1 (process 9792) exited with code 01]
(gdb) 

Triggered in:
expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415	                                pt = *ptail = new_Token(tline, ttt->type,


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 Cyrill Gorcunov 2017-10-22 11:55:58 PDT
commit 59ce1c67b16967c652765e62aa130b7e43f21dd4
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 18:42:07 2017 +0300

    preproc: Fix sigsegv in smacro expansion
    
    If an smacro is called with an inappropriate
    number of arguments, exit early. Actually we have
    to handle this situation more gracefully but
    this requires way more effort than a two
    line patch (need to refactor macro expansion).
    
    https://bugzilla.nasm.us/show_bug.cgi?id=3392431
    
    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
Thanks for report!
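A constructed C model of the early exit the commit message describes, added here as an illustration; it is not NASM's own preprocessor code, and the SMacro/BodyToken types and expand_smacro_checked are assumptions. With a matching argument count the macro body is expanded; with a mismatch the expander refuses instead of indexing past the supplied arguments.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy model of single-line macro (smacro) expansion: not NASM's
 * Token/SMacro code, only an illustration of the early exit on a wrong
 * argument count that the fix describes. */
typedef enum { TOK_TEXT, TOK_PARAM } TokType;
typedef struct {
    TokType type;
    const char *text;   /* literal text for TOK_TEXT */
    int index;          /* parameter number for TOK_PARAM */
} BodyToken;
typedef struct { int nparam, ntok; BodyToken body[8]; } SMacro;
/* Expand m with argc actual arguments into out. Returns 0 on success, -1 when
 * the call does not supply exactly nparam arguments (or out is too small):
 * without that check a token naming a missing argument would be resolved
 * through an out-of-range, typically NULL, pointer, the pattern seen above. */
int expand_smacro_checked(const SMacro *m, const char **args, int argc,
                          char *out, size_t outlen)
{
    if (argc != m->nparam)
        return -1;      /* the fix: refuse to expand, exit early */
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < m->ntok; i++) {
        const BodyToken *t = &m->body[i];
        if (t->type == TOK_PARAM && (t->index < 0 || t->index >= argc))
            return -1;  /* malformed definition: never index past args */
        const char *piece = t->type == TOK_PARAM ? args[t->index] : t->text;
        size_t n = strlen(piece);
        if (used + n + 1 > outlen) return -1;
        memcpy(out + used, piece, n);
        used += n;
        out[used] = '\0';
    }
    return 0;
}
/* Sample definition (constructed), modelling %define add(a,b) ((a)+(b)). */
static const SMacro add_macro = { 2, 5, {
    {TOK_TEXT, "((", 0}, {TOK_PARAM, NULL, 0}, {TOK_TEXT, ")+(", 0},
    {TOK_PARAM, NULL, 1}, {TOK_TEXT, "))", 0} } };
static char scratch[64];
int main(void)
{
    const char *ok[] = {"1", "2"}, *bad[] = {"1"};
    if (expand_smacro_checked(&add_macro, ok, 2, scratch, sizeof scratch) == 0)
        printf("%s\n", scratch);                  /* ((1)+(2)) */
    if (expand_smacro_checked(&add_macro, bad, 1, scratch, sizeof scratch))
        printf("rejected: wrong argument count\n");
    return 0;
}
```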