Stack-based buffer overflow in the get_signed_expression() function
ATasm is a 6502 command-line cross-assembler.
Brought to you by: schmelze
Hi,
While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the get_signed_expression() function, in setparse.c.
Attaching a reproducer; the issue can be reproduced by running:
atasm test03
=================================================================
==10633==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe5c1b3480 at pc 0x0000004e27ea bp 0x7ffe5c1b3210 sp 0x7ffe5c1b3208
WRITE of size 1 at 0x7ffe5c1b3480 thread T0
#0 0x4e27e9 in get_signed_expression /home/fcambus/atasm/src/setparse.c:179:14
#1 0x4e08a5 in get_expression /home/fcambus/atasm/src/setparse.c:154:27
#2 0x4c8de1 in add_label /home/fcambus/atasm/src/asm.c
#3 0x4d5563 in do_cmd /home/fcambus/atasm/src/asm.c:1934:5
#4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
#5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
#6 0x7f1cbb2811e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
#7 0x41b3fd in _start (/home/fcambus/atasm/atasm+0x41b3fd)
Address 0x7ffe5c1b3480 is located in stack of thread T0 at offset 608 in frame
#0 0x4e08bf in get_signed_expression /home/fcambus/atasm/src/setparse.c:157
This frame has 4 object(s):
[32, 288) 'err.i' (line 136)
[352, 608) 'buf' (line 158) <== Memory access at offset 608 overflows this variable
[672, 928) 'work' (line 158)
[992, 1005) 'math' (line 162)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fcambus/atasm/src/setparse.c:179:14 in get_signed_expression
Shadow bytes around the buggy address:
0x10004b82e640: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
0x10004b82e650: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10004b82e660: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
0x10004b82e670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004b82e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004b82e690:[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10004b82e6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004b82e6b0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
0x10004b82e6c0: 00 05 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10004b82e6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004b82e6e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10633==ABORTING
This issue has been assigned CVE-2019-19787.
Fixed in Version 1.9 https://github.com/CycoPH/atasm
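Reading the report above: the one-byte WRITE lands at frame offset 608, which is exactly the end of the 256-byte buf object [352, 608), so it is a write to index 256 of a 256-byte buffer, and the shadow byte at that address (f2) marks the mid redzone ASan places between buf and the next object, work. The script below is an added example, not part of this ticket and not ATasm code; it embeds a constructed excerpt of the report and derives those facts automatically. It assumes the default ASan shadow mapping on Linux x86_64, shadow = (addr >> 3) + 0x7fff8000, which is not stated on the page but reproduces the "=>" row address the report prints, and it reads only the legend entries that appear in the report.

```python
import re

# Constructed excerpt of the AddressSanitizer report from the ticket above,
# embedded so the script runs offline. Frame indentation is not significant.
ASAN_REPORT = """\
==10633==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe5c1b3480 at pc 0x0000004e27ea bp 0x7ffe5c1b3210 sp 0x7ffe5c1b3208
WRITE of size 1 at 0x7ffe5c1b3480 thread T0
    #0 0x4e27e9 in get_signed_expression /home/fcambus/atasm/src/setparse.c:179:14
    #1 0x4e08a5 in get_expression /home/fcambus/atasm/src/setparse.c:154:27
Address 0x7ffe5c1b3480 is located in stack of thread T0 at offset 608 in frame
    #0 0x4e08bf in get_signed_expression /home/fcambus/atasm/src/setparse.c:157
  This frame has 4 object(s):
    [32, 288) 'err.i' (line 136)
    [352, 608) 'buf' (line 158) <== Memory access at offset 608 overflows this variable
    [672, 928) 'work' (line 158)
    [992, 1005) 'math' (line 162)
Shadow bytes around the buggy address:
  0x10004b82e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004b82e690:[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10004b82e6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Assumption: default ASan shadow mapping on Linux x86_64.
# One shadow byte covers 8 application bytes.
SHADOW_SCALE = 3
SHADOW_OFFSET_X86_64 = 0x7FFF8000

# Subset of the legend ASan prints at the end of every report.
SHADOW_LEGEND = {
    "00": "addressable",
    "f1": "stack left redzone",
    "f2": "stack mid redzone",
    "f3": "stack right redzone",
    "f8": "stack use after scope",
}


def shadow_address(addr):
    """Map an application address to the address of its shadow byte."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET_X86_64


def parse_report(text):
    """Extract the faulting access, frame offset, frame objects and the marked shadow row."""
    m = re.search(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text)
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16)}

    frame_offset = int(re.search(r"at offset (\d+) in frame", text).group(1))
    frame_func = re.search(r"in frame\s*\n\s*#0 0x[0-9a-f]+ in (\w+)", text).group(1)

    # Each object line has the form "[start, end) 'name' (line N)".
    objects = [
        {"start": int(s), "end": int(e), "name": n, "line": int(ln)}
        for s, e, n, ln in re.findall(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", text)
    ]

    # The "=>" row is the 16-byte shadow row containing the faulting address;
    # the bracketed entry is the shadow byte of the address itself.
    m = re.search(r"=>(0x[0-9a-f]+):\s*(.+)", text)
    row_base = int(m.group(1), 16)
    row_bytes = re.findall(r"[0-9a-f]{2}", m.group(2))
    return access, frame_offset, frame_func, objects, (row_base, row_bytes)


def triage(text):
    """Locate the access relative to the frame's objects and cross-check it against the shadow map."""
    access, off, func, objects, (row_base, row_bytes) = parse_report(text)

    # The overflowed object is the last one that starts at or before the access offset.
    victim = max((o for o in objects if o["start"] <= off), key=lambda o: o["start"])
    following = [o for o in objects if o["start"] >= victim["end"]]
    next_start = following[0]["start"] if following else None

    # Recompute the shadow address independently and look up its byte in the "=>" row.
    shadow = shadow_address(access["addr"])
    col = shadow - row_base
    shadow_byte = row_bytes[col] if 0 <= col < len(row_bytes) else None

    return {
        "function": func,
        "access": access["kind"],
        "size": access["size"],
        "victim": victim["name"],
        "victim_line": victim["line"],
        "victim_size": victim["end"] - victim["start"],
        "index": off - victim["start"],            # element index if the object is a byte array
        "bytes_past_end": off - victim["end"],     # 0 means the write starts one past the last element
        "redzone_bytes": (next_start - victim["end"]) if next_start is not None else None,
        "shadow_addr": shadow,
        "shadow_byte": shadow_byte,
        "shadow_meaning": SHADOW_LEGEND.get(shadow_byte, "unknown"),
    }


def describe(result):
    """One-line human summary suitable for a triage note."""
    return (
        f"{result['access']} of {result['size']} byte(s) in {result['function']}: "
        f"index {result['index']} of {result['victim']}[{result['victim_size']}] "
        f"(declared line {result['victim_line']}), {result['bytes_past_end']} byte(s) past its end, "
        f"shadow 0x{result['shadow_addr']:x} = {result['shadow_byte']} ({result['shadow_meaning']}), "
        f"{result['redzone_bytes']}-byte redzone before the next object"
    )


if __name__ == "__main__":
    print(describe(triage(ASAN_REPORT)))
```

The recomputed shadow address 0x10004b82e690 is the same one ASan marked with "=>", which confirms the mapping assumption, and the access resolves to index 256 of a 256-byte buffer. A one-byte write starting zero bytes past the end of a buffer is the shape of an off-by-one; the report does not show the source, so the actual cause has to be read from setparse.c line 179 and the fix released in 1.9.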