stack-buffer-overflow in function aprintf()
ATasm is a 6502 command-line cross-assembler.
Brought to you by:
schmelze
Hi,
While fuzzing ATasm 1.09, I found a stack-buffer-overflow in function aprintf() in asm.c.
strcat(line,buf); will result in a stack overflow.
=================================================================
==3256651==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcaad2ff90 at pc 0x7f24f095b715 bp 0x7ffcaad2fe00 sp 0x7ffcaad2f590
WRITE of size 271 at 0x7ffcaad2ff90 thread T0
#0 0x7f24f095b714 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9e714)
#1 0x56362c585de7 in aprintf /home/atasm/src-afl-gcc/asm.c:330
#2 0x56362c593603 in do_xword /home/atasm/src-afl-gcc/asm.c:1312
#3 0x56362c59d6d3 in proc_sym /home/atasm/src-afl-gcc/asm.c:1586
#4 0x56362c5a1f4a in do_cmd /home/atasm/src-afl-gcc/asm.c:1995
#5 0x56362c5a2424 in assemble /home/atasm/src-afl-gcc/asm.c:2034
#6 0x56362c580341 in main /home/atasm/src-afl-gcc/asm.c:2446
#7 0x7f24f06d60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#8 0x56362c581ddd in _start (/home/atasm/src-afl-gcc/atasm+0xdddd)
Address 0x7ffcaad2ff90 is located in stack of thread T0 at offset 352 in frame
#0 0x56362c585b7f in aprintf /home/atasm/src-afl-gcc/asm.c:322
This frame has 4 object(s):
[32, 56) 'args' (line 326)
[96, 352) 'buf' (line 323)
[416, 672) 'line' (line 323) <== Memory access at offset 352 partially underflows this variable
[736, 992) 'buf' (line 1114)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
Shadow bytes around the buggy address:
0x10001559dfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559dfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559dfc0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
0x10001559dfd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559dfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001559dff0: 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
0x10001559e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559e010: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
0x10001559e020: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559e030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001559e040: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3256651==ABORTING
reproduce:
atasm stack_buffer_over_03_aprintf
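The frame layout in the report above shows both 'buf' and 'line' as 256-byte stack objects ([96, 352) and [416, 672)), while vsprintf() performed a WRITE of size 271: an unbounded format into a fixed-size buffer. The following is an added example, not ATasm's own code and not from the reporter or maintainer, showing the defensive pattern that prevents this class of bug: format with vsnprintf() and append with an explicit room check, reporting truncation instead of writing past the end. The names aprintf_bounded, append_bounded and demo_oversized_operand are hypothetical, and LINE_LEN = 256 is an assumption taken from the ASan frame sizes, not from the ATasm source.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the ASan frame lists 'buf' and 'line' as 256-byte
 * objects; the real ATasm declarations are not on the page. */
#define LINE_LEN 256

/* Hypothetical hardened formatter. Unlike vsprintf(), vsnprintf() never
 * writes more than dstsz bytes and always NUL-terminates when dstsz > 0.
 * Returns the length the full message needed (>= dstsz means truncated),
 * or -1 on a formatting error. */
int aprintf_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int needed = vsnprintf(dst, dstsz, fmt, args);
    va_end(args);
    if (needed < 0) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return needed;
}

/* Bounded replacement for the strcat(line, buf) pattern. Copies as much of
 * src as fits, keeps line NUL-terminated, and returns 1 if src had to be
 * truncated, 0 if it fit entirely. */
int append_bounded(char *line, size_t linesz, const char *src)
{
    const char *end = memchr(line, '\0', linesz);
    if (end == NULL)
        return 1;                      /* line is not even terminated: refuse */
    size_t used = (size_t)(end - line);
    size_t room = linesz - used - 1;   /* space left before the terminator */
    size_t srclen = strlen(src);
    size_t n = srclen < room ? srclen : room;
    memcpy(line + used, src, n);
    line[used + n] = '\0';
    return srclen > room;
}

/* Demonstration with a constructed input: a 270-character operand, the same
 * magnitude as the reported WRITE of size 271 (270 characters plus NUL) into
 * a 256-byte object. Returns 1 when both bounded calls detected truncation
 * and left the buffers exactly full and terminated, 0 otherwise. */
int demo_oversized_operand(void)
{
    char operand[271];
    memset(operand, 'A', 270);
    operand[270] = '\0';

    char buf[LINE_LEN];
    char line[LINE_LEN];

    /* Step one: the formatting that vsprintf() performed unbounded. */
    int needed = aprintf_bounded(buf, sizeof buf, "%s", operand);
    int truncated_fmt = (needed >= (int)sizeof buf);

    /* Step two: the strcat(line, buf) the report names, done with a check. */
    strcpy(line, ".word ");
    int truncated_cat = append_bounded(line, sizeof line, buf);

    return truncated_fmt && truncated_cat
        && strlen(buf) == LINE_LEN - 1
        && strlen(line) == LINE_LEN - 1;
}
```

In a real assembler the caller would turn a non-zero truncation result into a "line too long" diagnostic rather than silently dropping input, but the essential change is that the buffer size is now a parameter of every write, so an oversized token becomes an error instead of a stack write past 'buf' into the neighbouring frame objects.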
Fixed in V1.10 https://github.com/CycoPH/atasm