Bug 3392820 - SEGV on obj_directive output/outobj.c:1614
Summary: SEGV on obj_directive output/outobj.c:1614
Status: OPEN
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: 2.16.xx
Hardware: All
OS: All
Importance: Medium normal
Assignee: nobody
Reported: 2022-10-20 04:18 PDT by 13579and24680
Modified: 2023-04-24 10:08 PDT (History)
CC: 6 users

Obtained from: Built from git using configure


Attachments
poc from fuzzer and afl-tmin (28 bytes, text/plain)
2022-10-20 04:18 PDT, 13579and24680

Description 13579and24680 2022-10-20 04:18:38 PDT
Created attachment 411859
poc from fuzzer and afl-tmin

Hello, I found a segfault when fuzzing nasm ELF.

------------------------------------------------------------------
normal execution


$ ./nasm -f obj poc
poc:1: error: label `m0group' inconsistently redefined
poc:1: info: label `m0group' originally defined here
fish: Job 1, './nasm -f obj poc' terminated by signal SIGSEGV (Address boundary error)

-------------------------------------------------------------------
compiled with ASan (report)


$ ./nasm -f obj poc
poc:1: error: label `m0group' inconsistently redefined
poc:1: info: label `m0group' originally defined here
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2823032==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2a93d0189c bp 0x7ffcb9135bd0 sp 0x7ffcb9135330 T0)
==2823032==The signal is caused by a READ memory access.
==2823032==Hint: address points to the zero page.
    #0 0x7f2a93d0189b in __interceptor_strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:420
    #1 0x5614b2ef553d in obj_directive output/outobj.c:1614
    #2 0x5614b2e780a2 in process_directives asm/directiv.c:220
    #3 0x5614b2e6c301 in assemble_file asm/nasm.c:1731
    #4 0x5614b2e6786d in main asm/nasm.c:717
    #5 0x7f2a93a5d082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x5614b2e64ccd in _start (/home/a13579/nasm.asan+0x111ccd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:420 in __interceptor_strcmp
==2823032==ABORTING

-------------------------------------------------------------------
git log


$ git log --oneline -1
a8ff6bf7 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #37 from hjl-tools/hjl/dwarf32
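Added example (my own code, not NASM's): a C model of the crash class the ASan trace above shows, strcmp() reading the zero page from inside a directive handler, beside the guarded lookup that avoids it. The struct, the function names and the sample table are hypothetical; this does not reproduce the 28-byte poc and makes no claim about what outobj.c:1614 actually does.

```c
/* Added example, not NASM code: a minimal model of the crash class in the
 * ASan trace above (strcmp reading the zero page from a directive handler).
 * All names here (grp, find_group_*, build_sample_table) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct grp {
    const char *name;   /* may be NULL if the record never got a valid name */
    int index;
    struct grp *next;
};

/* Lookup with no NULL guard: the pattern that faults. strcmp() reads
 * through g->name, so a record with a NULL name dereferences address 0,
 * which is what ASan reports as "address points to the zero page". */
static struct grp *find_group_unchecked(struct grp *head, const char *name)
{
    for (struct grp *g = head; g; g = g->next)
        if (strcmp(g->name, name) == 0)
            return g;
    return NULL;
}

/* Hardened lookup: a NULL on either side means "no such name" and is
 * never handed to strcmp(). */
static struct grp *find_group_checked(struct grp *head, const char *name)
{
    if (name == NULL)
        return NULL;
    for (struct grp *g = head; g; g = g->next)
        if (g->name != NULL && strcmp(g->name, name) == 0)
            return g;
    return NULL;
}

static struct grp *push_group(struct grp *head, const char *name, int index)
{
    struct grp *g = calloc(1, sizeof *g);
    if (!g) { perror("calloc"); exit(1); }
    g->name = name;
    g->index = index;
    g->next = head;
    return g;
}

/* Constructed sample table: one well-formed record and one whose name was
 * never set, standing in for a definition that failed part-way. The report's
 * "inconsistently redefined" error precedes the crash; whether NASM's record
 * ends up nameless that way is an assumption of this model, not a fact. */
static struct grp *build_sample_table(void)
{
    struct grp *head = NULL;
    head = push_group(head, "m0group", 1);
    head = push_group(head, NULL, 2);      /* nameless record at list head */
    return head;
}

/* Returns how many records have no name; a non-zero result is the state in
 * which find_group_unchecked() would crash when walked from the head. */
static int count_nameless(struct grp *head)
{
    int n = 0;
    for (struct grp *g = head; g; g = g->next)
        if (g->name == NULL)
            n++;
    return n;
}

int main(void)
{
    struct grp *tbl = build_sample_table();
    struct grp *g = find_group_checked(tbl, "m0group");
    printf("checked lookup: %s (index %d), nameless records: %d\n",
           g ? g->name : "not found", g ? g->index : -1, count_nameless(tbl));
    /* Walking only the tail skips the nameless record, so this is safe;
     * find_group_unchecked(tbl, "m0group") would SIGSEGV on the first node. */
    g = find_group_unchecked(tbl->next, "m0group");
    printf("unchecked lookup on tail: %s\n", g ? g->name : "not found");
    return 0;
}
```

Build it with -fsanitize=address and change the tail call to start at tbl to get the same "SEGV on unknown address 0x000000000000 ... in __interceptor_strcmp" shape of report as above.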
Comment 1 13579and24680 2023-03-29 02:09:27 PDT
Use CVE-2022-44368
Comment 2 Polampalli, Archana 2023-04-24 09:41:04 PDT
Hi,

Could you please confirm whether a fix for this bug is available in nasm-2.16.01?


Thanks in advance
Comment 3 13579and24680 2023-04-24 10:08:59 PDT
I can still crash nasm with the poc after using the newest version on GitHub.

# newest version
-------------------------------------------------------------------------
$ ./nasm --version 
NASM version 2.17rc0 compiled on Apr 25 2023

$ git log --oneline -1
a916e412 (HEAD -> master, origin/master, origin/HEAD) Merge remote-tracking branch 'github/nasm-2.16.xx'

$ ./nasm -f obj poc
poc:1: error: label `m0group' inconsistently redefined
poc:1: info: label `m0group' originally defined here
[1]    4194108 segmentation fault (core dumped)  ./nasm -f obj poc