
#562 Stack-Buffer-Overflow in disasm (src/disasm/disasm.c)

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-04-23
Created: 2018-04-21
Creator: Trace Probe
Private: No

Reporting the bug here since I am not able to create an account on Bugzilla. Similar to Bug #516.

On the latest stable version and the development snapshot of nasm, there is a stack buffer overflow (out-of-bounds read) in the disasm function of src/disasm/disasm.c, which can be triggered by the POC below.

The issue happens because at line 1296 the access through pointer dp (i.e. data) is not bounded by the actual size of "data".

1111 int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize,
1112                int64_t offset, int autosync, iflag_t *prefer)
1113 {
...
1295     dp = data;
1296     ix += *dp++;
...
1650     return length;
1651 }

To reproduce:
1) download nasm-2.14rc0-20180420.tar.gz
2) build nasm with ASAN enabled;
3) execute: bin/ndisasm -b 32 $POC

Stack trace:
==69531==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd01a73680 at pc 0x00000041d0a3 bp 0x7ffd01a72de0 sp 0x7ffd01a72dd8
READ of size 1 at 0x7ffd01a73680 thread T0
    #0 0x41d0a2 in disasm /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/disasm.c:1296
    #1 0x403e5d in main /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:320
    #2 0x7f38a14373d4 in __libc_start_main (/usr/lib64/libc.so.6+0x223d4)
    #3 0x406591 (/home/test/test/product/nasm/nasm-2.14rc0-20180420/exe_asan/bin/ndisasm+0x406591)

Address 0x7ffd01a73680 is located in stack of thread T0 at offset 352 in frame
    #0 0x4025bf in main /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:81

1 Attachments

Discussion

  • Trace Probe

    Trace Probe - 2018-04-23

    The same POC file causes a "memory alignment error" for stable version nasm 2.13.

    273 static uint8_t *do_ea(uint8_t *data, int modrm, int asize,
    274                       int segsize, enum ea_type type,
    275                       operand *op, insn *ins)
    ...
    449         switch (mod) {
    462         case 2:
    463             op->segment |= SEG_DISP32;
    **464             op->offset = gets32(data);**
    465             data += 4;
    466             break;
    467         }
    468         return data;
    469     }
    470 }
    
    The error log is attached:
    disasm/disasm.c:464:26: runtime error: load of misaligned address 0x7ffc53ca36a3 for type 'uint32_t', which requires 4 byte alignment
    0x7ffc53ca36a3: note: pointer points here
    00 c5 c5 b3 c5 b2 c5 c5 c5 c5 c5 40 c5 00 10 c5 c5 29 15 ca 08 00 00 f2 c5 c5 d2 cd c5 c5 c5 c5
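
Both findings in this ticket come from the same root cause: the decoder walks a caller-supplied buffer without knowing how long it is, so an instruction that claims more operand bytes than remain (the line 1296 case) reads off the end, and a 4-byte displacement is loaded through a `uint32_t *` cast at whatever address it happens to sit (the line 464 case). The example below is added here and is not nasm code; it shows the defensive pattern a fix typically takes, namely carrying the remaining length in a cursor, checking it before every fetch, and assembling multi-byte values from bytes so no alignment is assumed. The cursor type, the `fetch_*`/`decode_*` names and the toy three-class instruction format are all constructed for the example; the real x86 decoder in nasm is not reproduced.

```c
/* Added example, not nasm code: a bounds-checked, alignment-safe byte cursor
 * that prevents both defects described in this ticket.  cursor_t, fetch_u8,
 * fetch_u32le, decode_one, decode_all and the toy instruction format are
 * assumptions made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The input buffer plus how many bytes of it remain unread.  disasm() in the
 * report has no equivalent of 'remaining', so "ix += *dp++;" can step past
 * the end of the caller's stack buffer. */
typedef struct {
    const uint8_t *p;
    size_t remaining;
} cursor_t;

/* Every fetch checks the remaining length before touching memory. */
static bool fetch_u8(cursor_t *c, uint8_t *out)
{
    if (c->remaining < 1)
        return false;
    *out = *c->p++;
    c->remaining--;
    return true;
}

/* Assemble the value from bytes instead of casting the pointer to uint32_t*:
 * this has no alignment requirement (the "load of misaligned address" UBSan
 * error in the comment above comes from a direct 4-byte load at an odd
 * address) and is independent of host byte order.  memcpy() into a uint32_t
 * is the other common alignment-safe choice. */
static bool fetch_u32le(cursor_t *c, uint32_t *out)
{
    if (c->remaining < 4)
        return false;
    *out = (uint32_t)c->p[0] | ((uint32_t)c->p[1] << 8)
         | ((uint32_t)c->p[2] << 16) | ((uint32_t)c->p[3] << 24);
    c->p += 4;
    c->remaining -= 4;
    return true;
}

/* Toy instruction format (constructed for this example, not x86):
 *   0x00-0x7f  one-byte instruction
 *   0x80-0xbf  opcode + 8-bit signed displacement
 *   0xc0-0xff  opcode + 32-bit little-endian signed displacement */
typedef struct {
    size_t len;     /* bytes consumed; 0 means the buffer ended mid-instruction */
    int32_t disp;
} insn_t;

static insn_t decode_one(const uint8_t *data, size_t size)
{
    cursor_t c = { data, size };
    insn_t r = { 0, 0 };
    uint8_t op;

    if (!fetch_u8(&c, &op))
        return r;
    if (op >= 0xc0) {
        uint32_t d;
        if (!fetch_u32le(&c, &d))
            return r;               /* truncated: report it, do not read on */
        r.disp = (int32_t)d;
    } else if (op >= 0x80) {
        uint8_t d;
        if (!fetch_u8(&c, &d))
            return r;
        r.disp = (int8_t)d;
    }
    r.len = size - c.remaining;
    return r;
}

typedef struct {
    size_t count;       /* complete instructions decoded */
    size_t consumed;    /* bytes covered by those instructions */
    bool truncated;     /* true if the buffer ended inside an instruction */
} decode_result_t;

/* Walk a whole buffer the way ndisasm walks its input, stopping cleanly at a
 * truncated final instruction instead of reading past the end. */
static decode_result_t decode_all(const uint8_t *data, size_t size)
{
    decode_result_t res = { 0, 0, false };
    while (res.consumed < size) {
        insn_t in = decode_one(data + res.consumed, size - res.consumed);
        if (in.len == 0) {
            res.truncated = true;
            break;
        }
        res.count++;
        res.consumed += in.len;
    }
    return res;
}

int main(void)
{
    /* Constructed input: three complete instructions, then one cut short
     * (0xc5 needs four displacement bytes but only one is left). */
    static const uint8_t buf[] = { 0x10, 0x85, 0xfe, 0xc5, 0x78, 0x56, 0x34, 0x12, 0xc5, 0x01 };
    decode_result_t r = decode_all(buf, sizeof buf);
    printf("%zu instructions, %zu bytes, truncated=%d\n", r.count, r.consumed, (int)r.truncated);
    return 0;
}
```

Run under ASAN and UBSan with the truncated input above, the decoder reports three instructions over eight bytes and a truncated tail, with no sanitizer output; the 32-bit displacement in the third instruction sits at buffer offset 4, so the byte-wise load is exercised on data that a `uint32_t *` cast could not safely dereference at an arbitrary stack address.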

     
  • Cyrill Gorcunov

    Cyrill Gorcunov - 2018-04-23

    > Reporting the bug here since I am not able to create an account on Bugzilla

    Could you please try again. Hopefully I've fixed the mailing issue on https://bugzilla.nasm.us/; if it still doesn't work, please ping me directly at gorcunov@gmail.com.

     
  • Cyrill Gorcunov

    Cyrill Gorcunov - 2018-04-23

    Thanks for the report. Once you manage to register on bugzilla, please copy it there.

     
    • Trace Probe

      Trace Probe - 2018-04-23

      Hi Cyrill, I got the email registration confirmation and just forwarded the reports to bugzilla. Thanks for your response.

       
