#561 Stack buffer overflow (out-of-bound) in disasm (src/disasm/disasm.c)

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-04-21
Created: 2018-04-21
Creator: Trace Probe
Private: No

Reporting the bug here since I am not able to create an account on Bugzilla.

On the latest stable version and the development snapshot of nasm, there is a stack buffer overflow (out-of-bounds read) in the disasm function of the src/disasm/disasm.c file, which can be triggered by the PoC attached below.

The issue arises because the loop condition "end_prefix" of the while loop (line 1143) is only set when certain byte values are encountered in "data", and those bytes come straight from the input file; nothing in the loop checks that the read stays inside the buffer.

1111 int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize,
1112                int64_t offset, int autosync, iflag_t prefer)
1113 {
...
1143     while (!end_prefix) {
1144         switch (*data) {
...
1282         default:
1283             end_prefix = true;
1284             break;
1285         }

To reproduce:
1) download nasm-2.14rc0-20180420.tar.gz;
2) build nasm with ASAN enabled;
3) execute: bin/ndisasm -b 32 $POC

Stack trace:
==104144==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd4536b4c0 at pc 0x00000041bb44 bp 0x7ffd4536ac20 sp 0x7ffd4536ac18
READ of size 1 at 0x7ffd4536b4c0 thread T0
    #0 0x41bb43 in disasm /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/disasm.c:1144
    #1 0x403e5d in main /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:320
    #2 0x7f29e681f3d4 in __libc_start_main (/usr/lib64/libc.so.6+0x223d4)
    #3 0x406591 (/home/test/test/product/nasm/nasm-2.14rc0-20180420/exe_asan/bin/ndisasm+0x406591)
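The report describes a prefix-scanning loop whose only exit condition is "a non-prefix byte was seen", so an input that never supplies such a byte walks off the end of the buffer. The following is an added example, not nasm's code and not part of the ticket: a simplified model of such a loop that carries the buffer length alongside the data pointer and exits when the buffer is exhausted. The prefix byte values are the real x86 legacy prefixes; the function names, the scan_status type and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status type (not from nasm). */
typedef enum {
    SCAN_OK = 0,          /* prefixes consumed, an opcode byte follows        */
    SCAN_TRUNCATED = -1   /* buffer ended before a non-prefix byte was seen   */
} scan_status;

/* Real x86 legacy prefix bytes; everything else is treated as an opcode. */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E: /* ES/CS/SS/DS segment override */
    case 0x64: case 0x65:                       /* FS/GS segment override       */
    case 0x66: case 0x67:                       /* operand-size / address-size  */
    case 0xF0: case 0xF2: case 0xF3:            /* LOCK / REPNE / REP           */
        return true;
    default:
        return false;
    }
}

/* Walks the leading prefix bytes of the instruction at data[0].
 * A loop that only stops on a non-prefix byte has no exit for an input made
 * entirely of prefixes; this version also stops once data_size bytes have
 * been examined, so the read can never move past the end of the input.
 * On success stores the prefix count in *nprefix and returns SCAN_OK;
 * returns SCAN_TRUNCATED if the buffer ran out before an opcode byte. */
scan_status scan_prefixes(const uint8_t *data, size_t data_size, size_t *nprefix)
{
    size_t i = 0;
    bool end_prefix = false;

    while (!end_prefix) {
        if (i >= data_size)          /* bounds check: the missing exit condition */
            return SCAN_TRUNCATED;
        if (is_legacy_prefix(data[i]))
            i++;                     /* consume the prefix, look at the next byte */
        else
            end_prefix = true;       /* data[i] is the opcode byte */
    }
    *nprefix = i;
    return SCAN_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const uint8_t normal[]     = { 0x66, 0x89, 0xC8 };       /* 66 prefix + opcode */
    static const uint8_t all_prefix[] = { 0x66, 0x66, 0x66, 0x66 }; /* no opcode at all   */
    size_t n = 0;

    if (scan_prefixes(normal, sizeof normal, &n) == SCAN_OK)
        printf("normal: %zu prefix byte(s), opcode at offset %zu\n", n, n);
    if (scan_prefixes(all_prefix, sizeof all_prefix, &n) == SCAN_TRUNCATED)
        printf("all_prefix: input ended inside the prefix run, stopped at the buffer end\n");
    return 0;
}
```

The design point is that the length travels with the pointer into the scanning loop: a decoder that receives only a pointer has no way to know where the caller's buffer ends, so every "keep reading until byte X" loop inside it inherits the same out-of-bounds read on a malformed input.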

1 Attachments
