Bug 3392812 - Stack-buffer-overflow in disasm on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
Status: OPEN
Alias: None
Product: NASM
Classification: Unclassified
Component: Disassembler
Version: 2.16.xx
Hardware: All
OS: All
Importance: Higher blocker
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2022-09-21 01:42 PDT by xudong.c
Modified: 2022-09-21 02:13 PDT

Obtained from: Built from git using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
the POC file. (269 bytes, application/x-zip-compressed)
2022-09-21 01:42 PDT, xudong.c

Description xudong.c 2022-09-21 01:42:21 PDT
Created attachment 411852
the POC file.

Hi, developers of NASM:
I tested the binary ndisasm with my fuzzer, and a crash occurred, i.e., a stack-buffer-overflow error. The version of NASM is the latest (the newest master branch on GitHub (https://github.com/netwide-assembler/nasm.git), version: NASM version 2.16rc0 compiled on Sep 20 2022) and the operating system is Ubuntu 18.04.6 LTS (docker). The following are the details.


root@1312a373d471:/fuzz-nasm/ndisasm# ./ndisasm ../out/crashes/id\:000011\,sig\:06\,src\:000341\,op\:havoc\,rep\:4\,701855
00000000  46                inc si
00000001  53                push bx
00000002  0002              add [bp+si],al
00000004  00B3B3B3          add [bp+di-0x4c4d],dh
00000008  B3B3              mov bl,0xb3
0000000A  B3B3              mov bl,0xb3
0000000C  B3B3              mov bl,0xb3
0000000E  B3B3              mov bl,0xb3
00000010  B3B3              mov bl,0xb3
00000012  B3B3              mov bl,0xb3
00000014  B3B3              mov bl,0xb3
00000016  B3B3              mov bl,0xb3
00000018  B3B3              mov bl,0xb3
0000001A  B3B3              mov bl,0xb3
0000001C  B3B3              mov bl,0xb3
0000001E  B3B3              mov bl,0xb3
00000020  B3B3              mov bl,0xb3
00000022  B300              mov bl,0x0
00000024  3E3E3E3E3E3E3E3E  ds pop bx
         -3E3E3E3E3E3E3E3E
         -3E3E3E3E3E3E3E3E
         -3E3E3E3E5B
00000041  5B                pop bx
00000042  5C                pop sp
00000043  3E3E3E4F          ds dec di
=================================================================
==887807==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
READ of size 1 at 0x7ffd3ffea120 thread T0
    #0 0x41338b in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41338b)
    #1 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)
    #2 0x7f6308e6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #3 0x406759 in _start (/fuzz-nasm/ndisasm/ndisasm+0x406759)

Address 0x7ffd3ffea120 is located in stack of thread T0 at offset 96 in frame
    #0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)

  This frame has 6 object(s):
    [32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
    [128, 136) 'ep'
    [160, 416) 'outbuf'
    [480, 484) 'synclen'
    [496, 516) 'prefer'
    [560, 561) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/fuzz-nasm/ndisasm/ndisasm+0x41338b) in disasm
Shadow bytes around the buggy address:
  0x100027ff53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff53e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff53f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5410: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x100027ff5420: 00 00 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100027ff5430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5440: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100027ff5450: f2 f2 f2 f2 04 f2 00 00 04 f2 f2 f2 f2 f2 01 f3
  0x100027ff5460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==887807==ABORTING
I uploaded the POC in the attachment. Thank you for your time!

Credit
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
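A small triage helper, added here as an example and not part of the bug report or of NASM's code, that parses the frame-object table from the ASan output above to identify which stack variable of main() the faulting read in disasm() lands on and by how many bytes it runs past the end. The report excerpt and function names are copied from the report; nothing else is assumed.

```python
import re

# ASan report excerpt copied from the bug report above (not a constructed sample).
ASAN_REPORT = """\
==887807==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
READ of size 1 at 0x7ffd3ffea120 thread T0
    #0 0x41338b in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41338b)
    #1 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)

Address 0x7ffd3ffea120 is located in stack of thread T0 at offset 96 in frame
    #0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)

  This frame has 6 object(s):
    [32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
    [128, 136) 'ep'
    [160, 416) 'outbuf'
    [480, 484) 'synclen'
    [496, 516) 'prefer'
    [560, 561) 'rn_error'
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\w+)", re.M)

def triage_stack_overflow(report):
    """Locate the stack object nearest to the faulting offset and measure how far
    the access extends beyond it. bytes_past_end == 1 with inside == False is the
    signature of an off-by-one read just past a fixed-size buffer."""
    kind, size = ACCESS_RE.search(report).groups()
    offset = int(OFFSET_RE.search(report).group(1))
    # Two '#0' frames appear: the faulting function, then the frame owning the stack.
    fault_func, frame_func = FRAME_RE.findall(report)[:2]
    objects = [(int(lo), int(hi), name) for lo, hi, name in OBJECT_RE.findall(report)]
    # Nearest object whose start is at or before the faulting offset.
    lo, hi, name = max((o for o in objects if o[0] <= offset), key=lambda o: o[0])
    return {
        "access": kind, "size": int(size), "offset": offset,
        "fault_func": fault_func, "frame_func": frame_func,
        "object": name, "object_size": hi - lo,
        "inside": lo <= offset < hi,
        "bytes_past_end": max(0, offset + int(size) - hi),
    }
```

For this report the helper resolves the fault to the 64-byte 'buffer' in main, read 1 byte past its end from disasm, which narrows the triage to how the input length fed to the disassembler is bounded against that buffer.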