Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)
Bug 3392644 - heap-buffer-overflow in hash_findi at hashtbl.c:157
Summary: heap-buffer-overflow in hash_findi at hashtbl.c:157
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler (show other bugs)
Version: 2.15.xx
Hardware: PC Linux
: Medium normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2020-01-06 01:24 PST by Suhwan
Modified: 2020-08-19 01:46 PDT (History)
4 users (show)

Obtained from: Built from git using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
poc (2.04 KB, application/octet-stream)
2020-01-06 01:24 PST, Suhwan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Suhwan 2020-01-06 01:24:11 PST
Created attachment 411755 [details]
poc

Hi, 
I found a heap-buffer-overflow in hash_findi at hashtbl.c:157
It is triggered in nasm version 2.15.
NASM version 2.15rc0-20191023 compiled on Dec  9 2019

Please run following command

$ nasm -o /dev/null -f bin $PoC

Here's ASAN log
==28391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000456 at pc 0x00000049552c bp 0x7fffe7228b50 sp 0x7fffe7228300
READ of size 279 at 0x612000000456 thread T0
    #0 0x49552b in __interceptor_strlen.part.30 (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x49552b)
    #1 0x9c4906 in hash_findi /home/suhwan/project/program/nasm-2.15rc0-20191023/nasmlib/hashtbl.c:157:35
    #2 0x6932c5 in hash_findix /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:1171:9
    #3 0x6932c5 in expand_one_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:4999
    #4 0x690e0f in expand_smacro_noreset /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5474:27
    #5 0x5e8c10 in expand_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5431:12
    #6 0x5e8c10 in pp_tokline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6415
    #7 0x5e8c10 in pp_getline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6428
    #8 0x50a7f9 in assemble_file /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:1630:24
    #9 0x50a7f9 in main /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:637
    #10 0x7f5cbe6a9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41a4a9 in _start (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x41a4a9)

0x612000000456 is located 0 bytes to the right of 278-byte region [0x612000000340,0x612000000456)
allocated by thread T0 here:
    #0 0x4d8720 in malloc (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x4d8720)
    #1 0x526d10 in nasm_malloc /home/suhwan/project/program/nasm-2.15rc0-20191023/nasmlib/alloc.c:55:9
    #2 0x5e8c10 in expand_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5431:12
    #3 0x5e8c10 in pp_tokline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6415
    #4 0x5e8c10 in pp_getline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6428
    #5 0x50a7f9 in assemble_file /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:1630:24
    #6 0x50a7f9 in main /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:637
    #7 0x7f5cbe6a9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x49552b) in __interceptor_strlen.part.30
Shadow bytes around the buggy address:
  0x0c247fff8030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8050: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
  0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28391==ABORTING
Comment 1 Cyrill Gorcunov 2020-08-19 01:46:48 PDT
Doesn't trigger in nasm-2.15.04rc5-4-g51e23ac7