
There exists a heap-use-after-free in yasm/modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params #221

Open
DaisyPo opened this issue Apr 17, 2023 · 0 comments


DaisyPo commented Apr 17, 2023

There exists a heap-use-after-free in yasm/modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params

asan info:

==708699==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000012a8 at pc 0x55647c385147 bp 0x7ffe09f5d870 sp 0x7ffe09f5d860
READ of size 8 at 0x60e0000012a8 thread T0
    #0 0x55647c385146 in expand_mmac_params modules/preprocs/nasm/nasm-pp.c:3878
    #1 0x55647c38d436 in pp_getline modules/preprocs/nasm/nasm-pp.c:5078
    #2 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
    #3 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
    #4 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
    #5 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
    #6 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
    #7 0x55647c2f7281 in main frontends/yasm/yasm.c:753
    #8 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55647c2f4b9d in _start (/root/target/yasm/build_asan/bin/yasm+0xa5b9d)

0x60e0000012a8 is located 8 bytes inside of 160-byte region [0x60e0000012a0,0x60e000001340)
freed by thread T0 here:
    #0 0x7fc63b48a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55647c331974 in def_xfree libyasm/xmalloc.c:113
    #2 0x55647c370a59 in free_mmacro modules/preprocs/nasm/nasm-pp.c:1163
    #3 0x55647c38cc0a in pp_getline modules/preprocs/nasm/nasm-pp.c:5009
    #4 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
    #5 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
    #6 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
    #7 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
    #8 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
    #9 0x55647c2f7281 in main frontends/yasm/yasm.c:753
    #10 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fc63b48a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55647c331857 in def_xmalloc libyasm/xmalloc.c:69
    #2 0x55647c37ffc8 in do_directive modules/preprocs/nasm/nasm-pp.c:3211
    #3 0x55647c38d446 in pp_getline modules/preprocs/nasm/nasm-pp.c:5083
    #4 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
    #5 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
    #6 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
    #7 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
    #8 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
    #9 0x55647c2f7281 in main frontends/yasm/yasm.c:753
    #10 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params
Shadow bytes around the buggy address:
  0x0c1c7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8210: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8230: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1c7fff8240: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c1c7fff8250: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8260: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c7fff8270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8280: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c7fff8290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff82a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==708699==ABORTING

Command Input:

./yasm poc-file

poc-file.zip

poc-file is attached.

Environment

OS: Ubuntu 20.04.1
yasm: 1.3.0.55.g101bc (git clone git@github.com:yasm/yasm.git, and compile it)
compile yasm with asan:
./autogen.sh
make distclean
./configure --prefix=$PWD/build_asan
make CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g"
make install
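As an added example that is not part of the issue or of yasm, the following Python script turns an AddressSanitizer heap-use-after-free report like the one above into a triage summary: bug class, faulting access, and the first application-code frame of the access, free and allocation stacks. The embedded sample is an abridged copy of the report lines quoted in this issue; the choice to treat yasm's def_xmalloc/def_xfree wrappers as allocator frames is this example's own assumption.

```python
import re

# Constructed sample: the report from this issue, abridged to the frames that matter.
ASAN_REPORT = """\
==708699==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000012a8 at pc 0x55647c385147 bp 0x7ffe09f5d870 sp 0x7ffe09f5d860
READ of size 8 at 0x60e0000012a8 thread T0
    #0 0x55647c385146 in expand_mmac_params modules/preprocs/nasm/nasm-pp.c:3878
    #1 0x55647c38d436 in pp_getline modules/preprocs/nasm/nasm-pp.c:5078
freed by thread T0 here:
    #0 0x7fc63b48a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55647c331974 in def_xfree libyasm/xmalloc.c:113
    #2 0x55647c370a59 in free_mmacro modules/preprocs/nasm/nasm-pp.c:1163
    #3 0x55647c38cc0a in pp_getline modules/preprocs/nasm/nasm-pp.c:5009
previously allocated by thread T0 here:
    #0 0x7fc63b48a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55647c331857 in def_xmalloc libyasm/xmalloc.c:69
    #2 0x55647c37ffc8 in do_directive modules/preprocs/nasm/nasm-pp.c:3211
SUMMARY: AddressSanitizer: heap-use-after-free modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

# Frames belonging to the sanitizer runtime or (assumed here) to yasm's own
# malloc/free wrappers; skipping them exposes the frame a developer must look at.
RUNTIME_PREFIXES = ("__interceptor_", "def_xmalloc", "def_xfree", "__libc_start_main")

def first_app_frame(frames):
    """Return the first (function, file, line) tuple that is not runtime/wrapper code."""
    for func, path, line in frames:
        if not func.startswith(RUNTIME_PREFIXES):
            return func, path, line
    return None

def parse_asan_report(text):
    """Extract bug class, access kind/size and the access, free and allocation sites."""
    stacks = {"access": [], "freed": [], "allocated": []}
    current = "access"          # frames before "freed by" belong to the faulting access
    info = {"bug": None, "address": None, "access": None}
    for raw in text.splitlines():
        if m := HEADER_RE.search(raw):
            info["bug"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(raw):
            info["access"] = (m.group(1), int(m.group(2)))
        elif raw.startswith("freed by"):
            current = "freed"
        elif raw.startswith("previously allocated by"):
            current = "allocated"
        elif m := FRAME_RE.match(raw):
            stacks[current].append((m.group(2), m.group(3), int(m.group(4))))
    info["sites"] = {name: first_app_frame(frames) for name, frames in stacks.items()}
    return info
```

For this report the summary points at free_mmacro (called from pp_getline) as the free site and do_directive as the allocation site, which is the information needed to check whether the macro object is still referenced after the preprocessor releases it.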
