Bug 3392638 - A stack overflow was discovered in the function expr3 in asm/eval.c in nasm-2.14.02
Summary: A stack overflow was discovered in the function expr3 in asm/eval.c in nasm-2.14.02
Status: OPEN
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: 2.14.xx
Hardware: All
OS: All
Importance: Medium normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2019-12-08 22:38 PST by libbin
Modified: 2019-12-08 22:49 PST
CC List: 5 users

Obtained from: Build from source archive using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
PoC to trigger the Segmentation fault (24.92 KB, text/plain)
2019-12-08 22:38 PST, libbin

Description libbin 2019-12-08 22:38:43 PST
Created attachment 411752
PoC to trigger the Segmentation fault

This stack overflow was discovered in asm/eval.c when we were fuzzing nasm (release build 2.14.02).

(gdb) file nasm
Reading symbols from nasm...done.
(gdb) run -felf ./input/seed1
Starting program: /home/lbb/afl-experient/Tests/ASAN/nasm-2.14.02/nasm -felf ./input/seed1
Program received signal SIGSEGV, Segmentation fault.
expr2 (critical=critical@entry=0) at asm/eval.c:482
482     e = expr3(critical);

(gdb) info stack
#0  expr2 (critical=critical@entry=0) at asm/eval.c:482
#1  0x0000000000422941 in expr1 (critical=critical@entry=0) at asm/eval.c:456
#2  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
#3  0x0000000000420233 in expr6 (critical=critical@entry=0) at asm/eval.c:857
#4  0x0000000000421139 in expr5 (critical=critical@entry=0) at asm/eval.c:567
#5  0x000000000042201c in expr4 (critical=critical@entry=0) at asm/eval.c:542
#6  0x0000000000422101 in expr3 (critical=critical@entry=0) at asm/eval.c:508
#7  0x00000000004225c1 in expr2 (critical=critical@entry=0) at asm/eval.c:482
#8  0x0000000000422941 in expr1 (critical=critical@entry=0) at asm/eval.c:456
#9  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
...


In addition, we used AddressSanitizer to print the stack information. ASAN dumps the stack trace as follows:

@root ./nasm -felf ./input/seed1
ASAN:SIGSEGV
=================================================================
==25297==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd73117f78 (pc 0x000000453306 bp 0x0fffae622ff2 sp 0x7ffd73117f70 T0)
    #0 0x453305 in stdscan asm/stdscan.c:130
    #1 0x44c993 in expr6 asm/eval.c:856
    #2 0x44e39e in expr5 asm/eval.c:567
    #3 0x44fa8a in expr4 asm/eval.c:542
    #4 0x44fbd0 in expr3 asm/eval.c:508
    #5 0x45027a in expr2 asm/eval.c:482
    #6 0x45072a in expr1 asm/eval.c:456
    #7 0x450bda in expr0 asm/eval.c:430
    #8 0x44c9a2 in expr6 asm/eval.c:857
    #9 0x44e39e in expr5 asm/eval.c:567
    #10 0x44fa8a in expr4 asm/eval.c:542
    #11 0x44fbd0 in expr3 asm/eval.c:508
    #12 0x45027a in expr2 asm/eval.c:482
    #13 0x45072a in expr1 asm/eval.c:456
    #14 0x450bda in expr0 asm/eval.c:430
    #15 0x44c9a2 in expr6 asm/eval.c:857
    #16 0x44e39e in expr5 asm/eval.c:567
    ...
    #249 0x44fbd0 in expr3 asm/eval.c:508
    #250 0x45027a in expr2 asm/eval.c:482
    #251 0x45072a in expr1 asm/eval.c:456

SUMMARY: AddressSanitizer: stack-overflow asm/stdscan.c:130 stdscan
==25297==ABORTING
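Both traces above show the same seven-function cycle, expr0 → expr1 → expr2 → expr3 → expr4 → expr5 → expr6, with expr6 (asm/eval.c:857) calling expr0 again for a parenthesised subexpression, repeated until the stack is exhausted; which function happens to be on top when the guard page is hit (expr2 in the gdb run, stdscan in the ASAN run) is incidental, the defect is the unbounded mutual recursion. The following is an added example, not NASM's code: a toy recursive-descent evaluator with the same shape, where the primary level re-enters the top level for a parenthesised subexpression, together with the depth guard that stops attacker-chosen input from dictating how much stack is consumed. The rung names expr0/expr5/expr6 are borrowed for readability; eval_expr, nested_input, nested_accepted and the limit of 64 are assumptions of this example, not anything in NASM.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy recursive-descent evaluator (hypothetical; not NASM's asm/eval.c).
 * It keeps the shape seen in the backtrace: a ladder of precedence
 * functions whose primary rung (expr6 here) re-enters the top rung (expr0)
 * for a parenthesised subexpression, so every '(' costs a full set of
 * frames: three in this toy, seven in NASM per the ASAN trace.
 */
typedef struct {
    const char *p;      /* cursor into the input */
    int depth;          /* current '(' nesting depth */
    int max_depth;      /* <= 0 means no limit (the unsafe behaviour) */
    int deepest;        /* deepest nesting reached, reported to the caller */
    bool error;
} parser;

static long expr0(parser *ps);

static void skip_ws(parser *ps) { while (*ps->p == ' ') ps->p++; }

/* primary rung: integer literal or '(' expr0 ')' */
static long expr6(parser *ps)
{
    skip_ws(ps);
    if (*ps->p == '(') {
        ps->p++;
        /* The guard: refuse to recurse past a fixed depth. Without it the
           input alone decides how deep the ladder nests. */
        if (ps->max_depth > 0 && ps->depth >= ps->max_depth) {
            ps->error = true;
            return 0;
        }
        ps->depth++;
        if (ps->depth > ps->deepest) ps->deepest = ps->depth;
        long v = expr0(ps);              /* back to the top of the ladder */
        ps->depth--;
        skip_ws(ps);
        if (*ps->p != ')') { ps->error = true; return 0; }
        ps->p++;
        return v;
    }
    if (*ps->p >= '0' && *ps->p <= '9') {
        long v = 0;
        while (*ps->p >= '0' && *ps->p <= '9') v = v * 10 + (*ps->p++ - '0');
        return v;
    }
    ps->error = true;
    return 0;
}

/* '*' binds tighter than '+'; NASM has several more rungs in between */
static long expr5(parser *ps)
{
    long v = expr6(ps);
    for (;;) {
        skip_ws(ps);
        if (*ps->p != '*' || ps->error) return v;
        ps->p++;
        v *= expr6(ps);
    }
}

static long expr0(parser *ps)
{
    long v = expr5(ps);
    for (;;) {
        skip_ws(ps);
        if (*ps->p != '+' || ps->error) return v;
        ps->p++;
        v += expr5(ps);
    }
}

/* Evaluate src under a nesting limit; true on success. max_depth <= 0
   reproduces the unbounded recursion of the original. */
bool eval_expr(const char *src, int max_depth, long *out, int *deepest)
{
    parser ps = { src, 0, max_depth, 0, false };
    long v = expr0(&ps);
    skip_ws(&ps);
    if (*ps.p != '\0') ps.error = true;
    if (out) *out = v;
    if (deepest) *deepest = ps.deepest;
    return !ps.error;
}

/* Constructed input "(((...(1)...)))" with n levels, the shape a fuzzer
   converges on for this bug. Caller frees the result. */
char *nested_input(size_t n)
{
    char *s = malloc(2 * n + 2);
    if (!s) return NULL;
    memset(s, '(', n);
    s[n] = '1';
    memset(s + n + 1, ')', n);
    s[2 * n + 1] = '\0';
    return s;
}

/* 1 if n nested levels parse under limit, 0 if rejected, -1 on alloc failure */
int nested_accepted(size_t n, int limit)
{
    char *s = nested_input(n);
    if (!s) return -1;
    int ok = eval_expr(s, limit, NULL, NULL) ? 1 : 0;
    free(s);
    return ok;
}

int main(void)
{
    long v; int d;
    printf("2*(3+4) -> %s %ld\n", eval_expr("2*(3+4)", 64, &v, &d) ? "ok" : "error", v);
    /* With the limit, 100000 levels are rejected on bounded stack; with
       max_depth = 0 the same call recurses until SIGSEGV, as in the report. */
    char *deep = nested_input(100000);
    printf("100000 levels, limit 64 -> %s (reached depth %d)\n",
           eval_expr(deep, 64, &v, &d) ? "ok" : "error", d);
    free(deep);
    return 0;
}
```

A fixed depth limit is the smallest change that closes this class of bug; the alternative is to rewrite the ladder with an explicit operand/operator stack so that input length no longer maps to call depth. Whatever limit is chosen must leave room for the deepest legitimate path through the parser on the platform with the smallest default thread stack, and the rejection should surface as a normal assembler error rather than a crash, which is what turns a fuzzer finding into a denial-of-service vector.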