Created attachment 411609
./nasm -f bin POC11 -o tmp

Description:

The debugging information is as follows:

    $ ./nasm -f bin POC11 -o tmp
    ...
    id:000643,sig:11,src:009027,op:havoc,rep:64:28: error: symbol `t' redefined
    id:000643,sig:11,src:009027,op:havoc,rep:64:33: error: parser: instruction expected
    id:000643,sig:11,src:009027,op:havoc,rep:64:34: error: label or instruction expected at start of line
    id:000643,sig:11,src:009027,op:havoc,rep:64:35: error: parser: instruction expected
    id:000643,sig:11,src:009027,op:havoc,rep:64:88: error: label or instruction expected at start of line
    id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: macro call expects terminating `)'
    id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: parser: instruction expected
    id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: `%0': not in a macro call
    id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
    id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
    id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
    Segmentation fault

The GDB debugging information is as follows:

    (gdb) set args -f bin POC11 -o tmp
    (gdb) r
    ...
    id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
    id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
    id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

    Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
    4415        pt = *ptail = new_Token(tline, ttt->type,
    (gdb) c 53
    Will ignore next 51 crossings of breakpoint 2.  Continuing.
    id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

    Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
    4415        pt = *ptail = new_Token(tline, ttt->type,
    (gdb) n

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000056d5d6 in expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
    4415        pt = *ptail = new_Token(tline, ttt->type,
    (gdb) bt
    #0  expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
    #1  0x000000000051c561 in pp_getline () at asm/preproc.c:5210
    #2  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
    #3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
    (gdb) c
    Continuing.
    ASAN:SIGSEGV
    =================================================================
    ==9792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056d5d6 sp 0x7fffffffdda0 bp 0x7fffffffdee0 T0)
    ==9792==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
        #0 0x56d5d5 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x56d5d5)
        #1 0x51c560 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51c560)
        #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
        #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
        #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    ==9792==ABORTING
    [Inferior 1 (process 9792) exited with code 01]
    (gdb)

Triggered in:

    expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
    4415        pt = *ptail = new_Token(tline, ttt->type,

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
commit 59ce1c67b16967c652765e62aa130b7e43f21dd4
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 18:42:07 2017 +0300

    preproc: Fix sigsegv in smacro expansion

    In case an smacro is called with an inappropriate number of arguments,
    exit early. Actually we have to handle this situation more gracefully,
    but this requires way more effort than a two-line patch (need to
    refactor macro expansion).

    https://bugzilla.nasm.us/show_bug.cgi?id=3392431

    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
Thanks for the report!
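The fix in the commit above is an argument-count check placed before the single-line macro (smacro) expansion loop runs, so that a call with the wrong number of arguments is rejected instead of walking past the end of the argument list; the ASAN fault address 0x18 in the report is a small offset from NULL, consistent with reading a field through a null pointer inside that loop. As an added illustration of that defect class and its remedy, not NASM's own code, here is a toy smacro expander in C that performs the same validation up front. The `smacro` struct, the `$1..$9` placeholder syntax and the function name `expand_smacro_checked` are constructed for this example and do not correspond to NASM's preprocessor internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the defect class, not NASM's data structures:
 * a single-line macro with a declared parameter count and a body in which
 * $1..$9 stand for the parameters. */
typedef struct {
    const char *name;
    int         nparam;   /* number of parameters the macro declares */
    const char *body;     /* expansion text with $N placeholders */
} smacro;

/* Expand `m` with the `nargs` strings in `args` into `out`.
 * Returns the expansion length, or -1 when the call is malformed:
 *   - the argument count differs from the declared parameter count
 *     (the case the NASM fix rejects early),
 *   - the body references a parameter the macro does not declare, or
 *   - the expansion does not fit in `out`. */
int expand_smacro_checked(const smacro *m, const char **args, int nargs,
                          char *out, size_t outsz)
{
    size_t pos = 0;
    const char *p;

    /* Validate before touching the argument list: a missing or short list
     * would otherwise be dereferenced inside the expansion loop below. */
    if (m == NULL || out == NULL || outsz == 0 || nargs != m->nparam)
        return -1;
    if (nargs > 0 && args == NULL)
        return -1;

    for (p = m->body; *p != '\0'; p++) {
        if (*p == '$' && p[1] >= '1' && p[1] <= '9') {
            int idx = p[1] - '1';
            size_t len;
            if (idx >= nargs)           /* $N beyond the declared parameters */
                return -1;
            len = strlen(args[idx]);
            if (pos + len >= outsz)     /* leave room for the terminator */
                return -1;
            memcpy(out + pos, args[idx], len);
            pos += len;
            p++;                        /* consume the digit as well */
        } else {
            if (pos + 1 >= outsz)
                return -1;
            out[pos++] = *p;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed sample macro and calls. */
    const smacro add3 = { "add3", 3, "$1 + $2 + $3" };
    const char *ok[]  = { "eax", "ebx", "ecx" };
    const char *bad[] = { "eax", "ebx" };
    char buf[64];

    if (expand_smacro_checked(&add3, ok, 3, buf, sizeof buf) >= 0)
        printf("%s(eax,ebx,ecx) -> %s\n", add3.name, buf);
    if (expand_smacro_checked(&add3, bad, 2, buf, sizeof buf) < 0)
        printf("%s called with 2 of 3 arguments: rejected\n", add3.name);
    return 0;
}
```

The check costs one comparison and turns a crash into a diagnosable error return, which is the same trade the commit message describes: a minimal guard now, a proper diagnostic later. When triaging reports like the one above, note that the ASAN stack is unsymbolized because no external symbolizer was found; pointing `ASAN_SYMBOLIZER_PATH` at `llvm-symbolizer` before running the instrumented binary yields function names and source lines in place of the raw offsets.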