Reporting the bug here since I am not able to create an account on Bugzilla. Similar to Bug #516.
On the latest stable version and development snapshot of nasm, there is a stack buffer overflow (out-of-bounds read) in the disasm function of the src/disasm/disasm.c file, which can be triggered by the POC below.
The issue happens because in line 1296 the access to pointer dp (or data) is not properly limited according to the actual size of "data".
1111 int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize,
1112                int64_t offset, int autosync, iflag_t prefer)
1113 {
...
1295     dp = data;
1296     ix += *dp++;
...
1650     return length;
1651 }
To reproduce:
1) download nasm-2.14rc0-20180420.tar.gz
2) build nasm with ASAN enabled;
3) execute: bin/ndisasm -b 32 $POC
Stack trace:
==69531==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd01a73680 at pc 0x00000041d0a3 bp 0x7ffd01a72de0 sp 0x7ffd01a72dd8
READ of size 1 at 0x7ffd01a73680 thread T0
    #0 0x41d0a2 in disasm /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/disasm.c:1296
    #1 0x403e5d in main /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:320
    #2 0x7f38a14373d4 in __libc_start_main (/usr/lib64/libc.so.6+0x223d4)
    #3 0x406591 (/home/test/test/product/nasm/nasm-2.14rc0-20180420/exe_asan/bin/ndisasm+0x406591)
Address 0x7ffd01a73680 is located in stack of thread T0 at offset 352 in frame
    #0 0x4025bf in main /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:81
The same POC file causes a "memory alignment error" for stable version nasm 2.13.
0x7ffc53ca36a3: note: pointer points here
00 c5 c5 b3 c5 b2 c5 c5 c5 c5 c5 40 c5 00 10 c5 c5 29 15 ca 08 00 00 f2 c5 c5 d2 cd c5 c5 c5 c5
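The bug class described in the report, as an added example that is not nasm's code: a decoder that walks the instruction with `*dp++` and decides how many bytes to consume from the opcode it has read, never from the real size of `data`, shown beside a version that carries the buffer length and checks it before every read. The tiny prefix/escape/immediate encoding, the function names and the sample byte strings are all constructed here for illustration and are not nasm's encoding or API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the bug class, not nasm's disasm(). The hypothetical
 * encoding used by both decoders below is an assumption for illustration:
 *   0xF2     prefix byte; any number of them may precede the opcode
 *   0x0F     escape byte; one more opcode byte follows
 *   opcode   its low nibble is the number of immediate bytes that follow
 */

/* Vulnerable shape: no length parameter, every read trusts the stream.
 * If the buffer ends inside the prefix run, after the escape, or inside the
 * immediates, dp walks past the end of data: an out-of-bounds READ of the
 * kind AddressSanitizer reports above. */
static int decode_unchecked(const uint8_t *data, int *consumed)
{
    const uint8_t *dp = data;
    int ix = 0;

    while (*dp == 0xF2)          /* prefix loop: no idea where data ends */
        dp++;
    if (*dp == 0x0F) {           /* two-byte escape */
        dp++;
        ix = 0x100;
    }
    ix += *dp++;                 /* opcode byte, the same idiom as ix += *dp++ */
    dp += ix & 0x0F;             /* skip the immediates the opcode promises */

    *consumed = (int)(dp - data);
    return ix;
}

/* Hardened shape: carry the buffer length and check before every read.
 * Returns the decoded index, or -1 if the input is truncated. */
static int decode_checked(const uint8_t *data, size_t len, int *consumed)
{
    const uint8_t *dp = data;
    const uint8_t *end = data + len;
    int ix = 0;

    while (dp < end && *dp == 0xF2)
        dp++;
    if (dp >= end)
        return -1;               /* prefixes ran to the end: no opcode byte */
    if (*dp == 0x0F) {
        dp++;
        ix = 0x100;
        if (dp >= end)
            return -1;           /* escape with no second opcode byte */
    }
    ix += *dp++;
    if ((size_t)(end - dp) < (size_t)(ix & 0x0F))
        return -1;               /* immediates would run past the buffer */
    dp += ix & 0x0F;

    *consumed = (int)(dp - data);
    return ix;
}

/* Bytes consumed by the checked decoder, or -1 on truncated input. */
static int checked_len(const uint8_t *data, size_t len)
{
    int consumed = 0;
    return decode_checked(data, len, &consumed) < 0 ? -1 : consumed;
}

/* Constructed inputs: a whole instruction (prefix, escape, opcode 0x22 with
 * two immediates), the same bytes with the last immediate cut off, and a
 * buffer that is nothing but prefixes, which is what a fuzzed file looks
 * like at the end of the input. */
static const uint8_t complete[]      = { 0xF2, 0x0F, 0x22, 0xAA, 0xBB };
static const uint8_t truncated[]     = { 0xF2, 0x0F, 0x22, 0xAA };
static const uint8_t only_prefixes[] = { 0xF2, 0xF2, 0xF2 };

int main(void)
{
    int n = 0;
    int ix = decode_checked(complete, sizeof complete, &n);
    printf("complete:  ix=0x%x consumed=%d\n", ix, n);
    printf("truncated: %d\n", decode_checked(truncated, sizeof truncated, &n));
    printf("prefixes:  %d\n", decode_checked(only_prefixes, sizeof only_prefixes, &n));
    /* decode_unchecked(truncated, &n) or decode_unchecked(only_prefixes, &n)
     * would read past the array; under ASan that is the same
     * stack-buffer-overflow READ the report shows. */
    return 0;
}
```

The unchecked decoder is only ever called on a complete instruction here; passing it one of the truncated buffers is undefined behaviour and is exactly what an ASan build turns into the trace above. The fix pattern is the same whatever the real instruction format: the length of `data` must travel with the pointer, and every `*dp++` needs a `dp < end` test (or an equivalent remaining-bytes check) in front of it.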
Thanks for the report. Once you manage to register on bugzilla, please copy it there.
Hi Cyrill, I got the email registration confirmation and just forwarded the reports to bugzilla. Thanks for your response.