Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)
Bug 3392815 - heap-buffer-overflow asm/nasm.c:856 in quote_for_pmake
Summary: heap-buffer-overflow asm/nasm.c:856 in quote_for_pmake
Status: CLOSED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler (show other bugs)
Version: 2.16.xx
Hardware: All All
: Medium normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2022-10-02 04:42 PDT by 13579and24680
Modified: 2023-03-29 02:10 PDT (History)
5 users (show)

Obtained from: Built from git using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
poc from fuzzer and afl-tmin (11 bytes, text/x-matlab)
2022-10-02 04:42 PDT, 13579and24680
Details

Note You need to log in before you can comment on or make changes to this bug.
Description 13579and24680 2022-10-02 04:42:31 PDT
Created attachment 411854 [details]
poc from fuzzer and afl-tmin

(normal nasm crash)

$ ./nasm -M poc
poc: warning: default output file same as input, using `nasm.out' for output
 [-w+other]
fish: Job 1, './nasm -M poc' terminated by signal SIGSEGV (Address boundary error)

------------------------------------------------------------------

(make asan)

$ sh autogen.sh
$ ./configure CFLAGS=' -g3 -fsanitize=address ' CXXFLAGS=' -g3 -fsanitize=address '
$ make

----------------------------------------------------------------------------
(asan report)

$ ./nasm -M poc
poc: warning: default output file same as input, using `nasm.out' for output
 [-w+other]
=================================================================
==3558605==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000030b3 at pc 0x562600507283 bp 0x7fffe8dd4dc0 sp 0x7fffe8dd4db0
WRITE of size 1 at 0x6020000030b3 thread T0
    #0 0x562600507282 in quote_for_pmake asm/nasm.c:856
    #1 0x5626005050d8 in emit_dependencies asm/nasm.c:397
    #2 0x56260050696d in main asm/nasm.c:738
    #3 0x7fdd8dda7082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x562600503ccd in _start (/home/a13579/SQ-Fuzz/mytest13579/nasm_cmplog_parfuzz/fuzz/output/slave2/queue_info/crashes/nasm_new/poc/nasm+0x111ccd)

0x6020000030b3 is located 0 bytes to the right of 3-byte region [0x6020000030b0,0x6020000030b3)
allocated by thread T0 here:
    #0 0x7fdd8e082808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x56260050d5e8 in nasm_malloc nasmlib/alloc.c:55
    #2 0x562600506d7c in quote_for_pmake asm/nasm.c:823
    #3 0x5626005050d8 in emit_dependencies asm/nasm.c:397
    #4 0x56260050696d in main asm/nasm.c:738
    #5 0x7fdd8dda7082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow asm/nasm.c:856 in quote_for_pmake
Shadow bytes around the buggy address:
  0x0c047fff85c0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff85d0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff85e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff85f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8600: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 02 fa
=>0x0c047fff8610: fa fa fd fa fa fa[03]fa fa fa fa fa fa fa fa fa
  0x0c047fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3558605==ABORTING

--------------------------------------------------------------------
(git log)

$ git log --oneline -1
a8ff6bf7 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #37 from hjl-tools/hjl/dwarf32
Comment 1 H. Peter Anvin 2022-11-07 10:28:51 PST
Fixed in checkin 2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d.
Comment 2 13579and24680 2023-03-29 02:10:45 PDT
CVE-2022-44370