Source: nasm
Version: 2.11.05-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/nasm/bugs/561/

Hi,

The following vulnerability was published for nasm.

CVE-2018-10254[0]:
| Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the
| disasm function of the disasm/disasm.c file. Remote attackers could
| leverage this vulnerability to cause a denial of service or possibly
| have unspecified other impact via a crafted ELF file.

./ndisasm -b 32 ~/nasm_2-14-rc0_ndisasm_stack-buffer-overflow_disasm
00000000  7F45              jg 0x47
00000002  5C                pop esp
00000003  7E01              jng 0x6
00000005  00DB              add bl,bl
00000007  0000              add [eax],al
00000009  80042440          add byte [esp],0x40
0000000D  F2                repne
0000000E  F2                repne
0000000F  F2                repne
00000010  F2                repne
00000011  D0                db 0xd0
00000012  F2                repne
00000013  F2                repne
00000014  F2                repne
00000015  F2                repne
00000016  FE                db 0xfe
00000017  FF00              inc dword [eax]
00000019  E3FE              jecxz 0x19
0000001B  085A00            or [edx+0x0],bl
=================================================================
==23001==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe10361c60 at pc 0x558500ab159f bp 0x7ffe10361350 sp 0x7ffe10361348
READ of size 1 at 0x7ffe10361c60 thread T0
    #0 0x558500ab159e in disasm disasm/disasm.c:1144
    #1 0x558500aa0b09 in main disasm/ndisasm.c:319
    #2 0x7f48a17a5a86 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #3 0x558500aa1f89 in _start (/home/dummy/nasm-2.13.02/ndisasm+0xc8f89)

Address 0x7ffe10361c60 is located in stack of thread T0 at offset 352 in frame
    #0 0x558500a9fccf in main disasm/ndisasm.c:81

  This frame has 6 object(s):
    [32, 33) 'rn_error'
    [96, 100) 'synclen'
    [160, 168) 'ep'
    [224, 240) 'prefer'
    [288, 352) 'buffer' <== Memory access at offset 352 overflows this variable
    [384, 640) 'outbuf'
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow disasm/disasm.c:1144 in disasm
Shadow bytes around the buggy address:
  0x100042064330: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00
  0x100042064340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100042064350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100042064360: f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
  0x100042064370: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2
=>0x100042064380: f2 f2 f2 f2 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x100042064390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643b0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23001==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10254
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10254
[1] https://sourceforge.net/p/nasm/bugs/561/

Regards,
Salvatore

Reply via email to