Open
Description
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, yasm (latest master 009450c)
Compile Command:
$ ./autogen.sh
make distclean
CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --prefix=$PWD/build --disable-shared
make -j
make install
Run Command:
$ yasm $POC
POC file:
https://github.com/Clingto/POC/blob/master/MSA/yasm/yasm-5020-pp_getline-UAF
ASAN info:
yasm: file name already has no extension: output will be in `yasm.out'
=================================================================
==18582==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000ccb8 at pc 0x7f24ad5c6232 bp 0x7ffdbe2b8fb0 sp 0x7ffdbe2b8fa0
READ of size 4 at 0x60e00000ccb8 thread T0
#0 0x7f24ad5c6231 in pp_getline test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-pp.c:5024
#1 0x7f24ad5a9d46 in nasm_preproc_get_line test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-preproc.c:198
#2 0x7f24ad59b2ac in nasm_parser_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parse.c:218
#3 0x7f24ad58f36b in nasm_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:66
#4 0x7f24ad58f36b in nasm_parser_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:83
#5 0x402c84 in do_assemble test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:521
#6 0x402c84 in main test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:753
#7 0x7f24b06e082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x403ee8 in _start ( test/yasm-uaf/bin_asan/bin/yasm+0x403ee8)
0x60e00000ccb8 is located 152 bytes inside of 160-byte region [0x60e00000cc20,0x60e00000ccc0)
freed by thread T0 here:
#0 0x7f24b0f9a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f24ad5bfd48 in pp_getline test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-pp.c:5009
#2 0x7f24ad5a9d46 in nasm_preproc_get_line test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-preproc.c:198
#3 0x7f24ad59b2ac in nasm_parser_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parse.c:218
#4 0x7f24ad58f36b in nasm_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:66
#5 0x7f24ad58f36b in nasm_parser_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:83
#6 0x402c84 in do_assemble test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:521
#7 0x402c84 in main test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:753
#8 0x7f24b06e082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f24b0f9a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f24b0ceb769 in def_xmalloc test/yasm-uaf/SRC_asan/libyasm/xmalloc.c:69
#2 0x7f24ad5b500b in do_directive test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-pp.c:3211
#3 0x7f24ad5c0333 in pp_getline test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-pp.c:5083
#4 0x7f24ad5a9d46 in nasm_preproc_get_line test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-preproc.c:198
#5 0x7f24ad59b2ac in nasm_parser_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parse.c:218
#6 0x7f24ad58f36b in nasm_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:66
#7 0x7f24ad58f36b in nasm_parser_do_parse test/yasm-uaf/SRC_asan/modules/parsers/nasm/nasm-parser.c:83
#8 0x402c84 in do_assemble test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:521
#9 0x402c84 in main test/yasm-uaf/SRC_asan/frontends/yasm/yasm.c:753
#10 0x7f24b06e082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free test/yasm-uaf/SRC_asan/modules/preprocs/nasm/nasm-pp.c:5024 pp_getline
Shadow bytes around the buggy address:
0x0c1c7fff9940: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff9960: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c7fff9970: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1c7fff9980: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c7fff9990: fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa
0x0c1c7fff99a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff99b0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff99c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff99d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18582==ABORTINGMetadata
Assignees
Labels
No labels