Created attachment 411746 [details] poc one use after free in new_Token asm/preproc.c could cause denial-of-service which can be triggered by executing the nasm cmd. $uname -a Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86_64 GNU/Linux $./nasm -f bin ~/poc1 -o tmp asan: ==56765==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005450 at pc 0x7f1f9fa4f20b bp 0x7fff8cb2c230 sp 0x7fff8cb2b9d8 READ of size 2 at 0x602000005450 thread T0 #0 0x7f1f9fa4f20a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a) #1 0x4308aa in new_Token asm/preproc.c:1221 #2 0x44572b in expand_smacro asm/preproc.c:4437 #3 0x44a999 in pp_getline asm/preproc.c:5254 #4 0x408b57 in assemble_file asm/nasm.c:1488 #5 0x404a72 in main asm/nasm.c:617 #6 0x7f1f9f63582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x4022a8 in _start (/home/s2e/asan/nasm-2.14.02/tmp/bin/nasm+0x4022a8) 0x602000005450 is located 0 bytes inside of 3-byte region [0x602000005450,0x602000005453) freed by thread T0 here: #0 0x7f1f9fa772ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) #1 0x40a021 in nasm_free nasmlib/malloc.c:96 #2 0x4309c5 in delete_Token asm/preproc.c:1232 #3 0x42bfeb in free_tlist asm/preproc.c:606 #4 0x445b03 in expand_smacro asm/preproc.c:4471 #5 0x44a999 in pp_getline asm/preproc.c:5254 #6 0x408b57 in assemble_file asm/nasm.c:1488 #7 0x404a72 in main asm/nasm.c:617 #8 0x7f1f9f63582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) previously allocated by thread T0 here: #0 0x7f1f9fa77602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x409f62 in nasm_malloc nasmlib/malloc.c:75 #2 0x4308bd in new_Token asm/preproc.c:1222 #3 0x445a7e in expand_smacro asm/preproc.c:4460 #4 0x44a999 in pp_getline asm/preproc.c:5254 #5 0x408b57 in assemble_file asm/nasm.c:1488 #6 0x404a72 in main asm/nasm.c:617 #7 0x7f1f9f63582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen Shadow bytes around the buggy address: 0x0c047fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa 0x0c047fff8a50: fa fa 02 fa fa fa 00 04 fa fa 02 fa fa fa 00 04 0x0c047fff8a60: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa 0x0c047fff8a70: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa =>0x0c047fff8a80: fa fa 02 fa fa fa 02 fa fa fa[fd]fa fa fa 02 fa 0x0c047fff8a90: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 04 fa 0x0c047fff8aa0: fa fa 02 fa fa fa 07 fa fa fa 02 fa fa fa 06 fa 0x0c047fff8ab0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa 0x0c047fff8ac0: fa fa 00 04 fa fa 02 fa fa fa 02 fa fa fa 05 fa 0x0c047fff8ad0: fa fa 03 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==56765==ABORTING
the bug version is 2.14.02 downloaded from https://www.nasm.us/
*** This bug has been marked as a duplicate of bug 3392711 ***