Bug 3392819 - SEGV output/outaout.c:566 in aout_add_gotoff_reloc
Summary: SEGV output/outaout.c:566 in aout_add_gotoff_reloc
Status: OPEN
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: 2.16.xx
Hardware: All All
Importance: Medium normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2022-10-20 01:33 PDT by 13579and24680
Modified: 2023-04-24 10:05 PDT

Obtained from: Built from git using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
poc from fuzzer and afl-tmin (71 bytes, text/plain)
2022-10-20 01:33 PDT, 13579and24680

Description 13579and24680 2022-10-20 01:33:37 PDT
Created attachment 411858 [details]
poc from fuzzer and afl-tmin

Hello, I found a segfault when fuzzing nasm ELF.

------------------------------------------------------------------
normal execute

$ ./nasm -f aoutb poc
poc:3: error: invalid combination of opcode and operands
poc:6: warning: 64-bit unsigned relocation zero-extended from 32 bits [-w+zext-reloc]
poc:6: error: `..gotoff' relocations require a non-global symbol in the section
Segmentation fault

-------------------------------------------------------------------
compile with asan (report)

$ ./nasm -f aoutb poc
poc:3: error: invalid combination of opcode and operands
poc:6: warning: 64-bit unsigned relocation zero-extended from 32 bits [-w+zext-reloc]
poc:6: error: `..gotoff' relocations require a non-global symbol in the section
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3053570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x55a10486efa4 bp 0x7fff95281d40 sp 0x7fff95281d00 T0)
==3053570==The signal is caused by a READ memory access.
==3053570==Hint: address points to the zero page.
    #0 0x55a10486efa3 in aout_add_gotoff_reloc output/outaout.c:566
    #1 0x55a10486f4b0 in aout_out output/outaout.c:633
    #2 0x55a1048bfbaf in nasm_do_legacy_output output/legacy.c:123
    #3 0x55a10481a16c in out asm/assemble.c:459
    #4 0x55a10481ae43 in out_imm asm/assemble.c:548
    #5 0x55a104821fc9 in gencode asm/assemble.c:1955
    #6 0x55a10481d147 in assemble asm/assemble.c:908
    #7 0x55a104809ae5 in process_insn asm/nasm.c:1613
    #8 0x55a10480a33c in assemble_file asm/nasm.c:1737
    #9 0x55a10480586d in main asm/nasm.c:717
    #10 0x7eff23a1a082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55a104802ccd in _start (/home/a13579/nasm.asan+0x111ccd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV output/outaout.c:566 in aout_add_gotoff_reloc
==3053570==ABORTING

-------------------------------------------------------------------
git log

$ git log --oneline -1
a8ff6bf7 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #37 from hjl-tools/hjl/dwarf32
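The trace above shows a non-fatal diagnostic (`..gotoff' relocations require a non-global symbol in the section) immediately followed by a read of address 0x30, which ASan flags as the zero page: the classic signature of a field access through a NULL struct pointer after an error was reported but execution continued. The model below is an added illustration of that shape and its hardened counterpart; it is not NASM's code, and the struct layout, symbol table, and function names are constructed for the example. Whether outaout.c:566 fails for exactly this reason is not established by the report.

```c
/* Constructed model of "report an error, then keep going" followed by a
 * dereference. Hypothetical types and names; not NASM's outaout.c. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sec { int index; };

/* Hypothetical symbol record. On an LP64 target the six 8-byte slots
 * before `section` put it at offset 0x30, the fault address ASan
 * reports when the base pointer is NULL. */
struct sym {
    const char *name;
    int         is_global;
    long        value;
    long        size;
    long        reserved1;
    long        reserved2;
    struct sec *section;      /* offset 0x30 on LP64 */
};

/* Constructed symbol table: one local label, one global symbol. */
static struct sec g_text = { 1 };
static struct sym g_table[] = {
    { "local_lbl", 0, 0x10, 0, 0, 0, &g_text },
    { "extern_fn", 1, 0x00, 0, 0, 0, NULL    },
};

/* Model of a non-fatal assembler error: count it, log it, return. */
static int g_errors;
static void report_error(const char *msg)
{
    g_errors++;
    fprintf(stderr, "error: %s\n", msg);
}

/* ..gotoff is only meaningful against a non-global symbol, so a global
 * (or unknown) name yields NULL here. */
static struct sym *find_local_sym(const char *name)
{
    for (size_t i = 0; i < sizeof g_table / sizeof g_table[0]; i++)
        if (strcmp(g_table[i].name, name) == 0 && !g_table[i].is_global)
            return &g_table[i];
    return NULL;
}

/* Where a NULL `struct sym *` base would fault when `section` is read. */
size_t section_field_offset(void)
{
    return offsetof(struct sym, section);
}

/* Buggy shape: the error is reported, but control falls through to the
 * dereference. For "extern_fn", s is NULL and s->section reads 0x30. */
int add_gotoff_reloc_buggy(const char *name, int *out_secidx)
{
    struct sym *s = find_local_sym(name);
    if (!s)
        report_error("`..gotoff' relocations require a non-global symbol in the section");
    *out_secidx = s->section->index;   /* NULL dereference when s == NULL */
    return 0;
}

/* Hardened shape: the error path leaves before s is touched. */
int add_gotoff_reloc_fixed(const char *name, int *out_secidx)
{
    struct sym *s = find_local_sym(name);
    if (!s) {
        report_error("`..gotoff' relocations require a non-global symbol in the section");
        return -1;
    }
    *out_secidx = s->section->index;
    return 0;
}

/* Convenience wrapper: section index on success, -1 if rejected. */
int gotoff_section_index(const char *name)
{
    int idx = -1;
    if (add_gotoff_reloc_fixed(name, &idx) < 0)
        return -1;
    return idx;
}

int main(void)
{
    printf("local_lbl -> section %d\n", gotoff_section_index("local_lbl"));
    printf("extern_fn -> %d (rejected, %d error(s) logged)\n",
           gotoff_section_index("extern_fn"), g_errors);
    printf("a NULL base would fault at %#zx\n", section_field_offset());
    return 0;
}
```

When reading a trace like the one above, the zero-page address is the useful clue: a small fault address such as 0x30 is the offset of the field being read, so `offsetof` on the struct the faulting line dereferences tells you which pointer was NULL. The fix in this pattern is to make the error path return (or mark the reloc as dropped) rather than rely on the diagnostic alone.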
Comment 1 13579and24680 2023-03-29 02:09:54 PDT
Use CVE-2022-44369
Comment 2 Polampalli, Archana 2023-04-24 09:12:11 PDT
(In reply to 13579and24680 from comment #1)
> Use CVE-2022-44369

Hi,

Could you please confirm whether a8ff6bf7 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #37 from hjl-tools/hjl/dwarf fixes CVE-2022-44369

Thanks in advance
Comment 3 13579and24680 2023-04-24 10:01:48 PDT
I can still crash nasm with the poc after I check out the commit.


# git log the commit
-------------------------------------------
$ git checkout a8ff6bf7
$ git log --oneline -1
a8ff6bf7 (HEAD) Merge pull request #37 from hjl-tools/hjl/dwarf32

$ ./nasm -f aoutb poc
poc:3: error: invalid combination of opcode and operands
poc:6: warning: 64-bit unsigned relocation zero-extended from 32 bits [-w+zext-reloc]
poc:6: error: `..gotoff' relocations require a non-global symbol in the section
[1]    3620463 segmentation fault (core dumped)  ./nasm -f aoutb poc


# newest version
-------------------------------------------------------------------------
$ git log --oneline -1
a916e412 (HEAD -> master, origin/master, origin/HEAD) Merge remote-tracking branch 'github/nasm-2.16.xx'

$ ./nasm -f aoutb poc
poc:3: error: invalid combination of opcode and operands
poc:6: warning: 64-bit unsigned relocation zero-extended from 32 bits [-w+zext-reloc]
poc:6: error: `..gotoff' relocations require a non-global symbol in the section
[1]    3553577 segmentation fault (core dumped)  ./nasm -f aoutb poc
Comment 4 Polampalli, Archana 2023-04-24 10:05:25 PDT
Thank you for the quick response