Bug 3392857 - Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand_mmacro)
Summary: Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand_mmacro)
Status: OPEN
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: 2.16.xx
Hardware: All Linux
: Medium normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2023-04-10 23:10 PDT by Daisy Chen
Modified: 2023-04-11 03:51 PDT

Obtained from: Build from source archive using configure
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
poc file to reproduce the problem (1.57 KB, text/plain)
2023-04-10 23:10 PDT, Daisy Chen
a new poc file that can run nasm without asan and we can analyze it with GDB (2.92 KB, text/plain)
2023-04-11 03:51 PDT, Daisy Chen

Description Daisy Chen 2023-04-10 23:10:10 PDT
Created attachment 411880
poc file to reproduce the problem

Hello. My fuzzer found a heap buffer overflow in nasm-2.16.02rc1 (github commit is: b952891, on Feb 20, 2023). I think this problem may have appeared in an earlier version, but it still exists. Please confirm. Thank you.
Environment:
OS: Ubuntu 20.04.1
gcc: 9.4.0
nasm: nasm-2.16.02rc1 (github commit is: b952891, on Feb 20, 2023)
I compiled nasm with AddressSanitizer:
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" \
  ./configure
Command Input:
./nasm -f elf64 nasm-crash -o /tmp/null
nasm-crash is attached.
Command Output:
ASAN result
==2956646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000399c at pc 0x561b944cfc75 bp 0x7ffcd0b7daf0 sp 0x7ffcd0b7dae0
READ of size 4 at 0x60200000399c thread T0
    #0 0x561b944cfc74 in expand_mmacro asm/preproc.c:6863
    #1 0x561b944d51d7 in pp_tokline asm/preproc.c:7811
    #2 0x561b944d5297 in pp_getline asm/preproc.c:7823
    #3 0x561b94488160 in assemble_file asm/nasm.c:1719
    #4 0x561b944836d4 in main asm/nasm.c:716
    #5 0x7fb3c9900082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x561b94480ccd in _start (/root/newtarget/nasm-nasm-2.16.02rc1/build_asan/bin/nasm+0x12bccd)

0x60200000399c is located 0 bytes to the right of 12-byte region [0x602000003990,0x60200000399c)
allocated by thread T0 here:
    #0 0x7fb3c9bdba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x561b9448a44c in nasm_calloc nasmlib/alloc.c:72
    #2 0x561b944cf8ec in expand_mmacro asm/preproc.c:6818
    #3 0x561b944d51d7 in pp_tokline asm/preproc.c:7811
    #4 0x561b944d5297 in pp_getline asm/preproc.c:7823
    #5 0x561b94488160 in assemble_file asm/nasm.c:1719
    #6 0x561b944836d4 in main asm/nasm.c:716
    #7 0x7fb3c9900082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow asm/preproc.c:6863 in expand_mmacro
Shadow bytes around the buggy address:
  0x0c047fff86e0: fa fa 00 02 fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff86f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8700: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8710: fa fa fd fa fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff8720: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 02 fa
=>0x0c047fff8730: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2956646==ABORTING
Comment 1 Daisy Chen 2023-04-11 03:51:38 PDT
Created attachment 411881
a new poc file that can run nasm without asan and we can analyze it with GDB

This is a new poc file that can run nasm without asan and we can analyze it with GDB. If you compile nasm with asan, you will find the two bugs' asan results are similar, but if you compile nasm without asan, only the second poc file can be analyzed with GDB (SIGABRT).