Submission #623185: nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption

Information

Title: nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption
Description:

# NASM Heap Buffer Overflow Vulnerability in macho_no_dead_strip Function

## Vulnerability Summary

A critical heap buffer overflow vulnerability has been discovered in the NASM (Netwide Assembler) Mach-O output format module. The vulnerability occurs in the `macho_no_dead_strip` function within `outmacho.c` at line 1774, where the program reads beyond the bounds of an allocated heap buffer.

## Technical Details

- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Function**: `macho_no_dead_strip`
- **Source File**: `outmacho.c`
- **Line Number**: 1774
- **Signal**: SIGABRT (6)

## Vulnerability Mechanism and Root Cause

This heap buffer overflow is caused by insufficient bounds checking when processing Mach-O pragma directives. The root issue lies in `macho_no_dead_strip`, where a string buffer is allocated but then accessed beyond its boundaries. The sequence is:

1. Memory for a string buffer is allocated in `macho_no_dead_strip` at line 1767 using `nasm_strdup`.
2. The allocated buffer is only 4 bytes in size.
3. The function then reads 1 byte at address 0x6020000037b4, which is exactly one past the end of the 4-byte allocation.
4. As AddressSanitizer reports, that address is located 0 bytes after the valid 4-byte region, i.e. the read starts immediately after the buffer's last byte, triggering the heap buffer overflow.

The vulnerability is triggered when processing malformed Mach-O section names or pragma directives that cause the string processing logic to access memory beyond the allocated buffer boundaries.

## AddressSanitizer Report

```
=================================================================
==934481==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000037b4 at pc 0x559ef8665da6 bp 0x7ffdcf74f950 sp 0x7ffdcf74f948
READ of size 1 at 0x6020000037b4 thread T0
    #0 0x559ef8665da5 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7
    #1 0x559ef8665da5 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
    #2 0x559ef84f527e in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
    #3 0x559ef84f527e in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:156:22
    #4 0x559ef84f6657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
    #5 0x559ef84f6657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
    #6 0x559ef84e8906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
    #7 0x559ef84c60ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
    #8 0x559ef84c60ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
    #9 0x7fcf59828d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fcf59828e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x559ef83f57b4 in _start (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x1ed7b4) (BuildId: 2a14aa05a80be476)

0x6020000037b4 is located 0 bytes after 4-byte region [0x6020000037b0,0x6020000037b4)
allocated by thread T0 here:
    #0 0x559ef848d7ee in malloc (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x2857ee) (BuildId: 2a14aa05a80be476)
    #1 0x559ef8665074 in nasm_malloc /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:55:9
    #2 0x559ef8665074 in nasm_strdup /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:117:9
    #3 0x559ef8665074 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1767:13
    #4 0x559ef8665074 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
    #5 0x559ef84f527e in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
    #6 0x559ef84f527e in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:156:22
    #7 0x559ef84f6657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
    #8 0x559ef84f6657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
    #9 0x559ef84e8906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
    #10 0x559ef84c60ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
    #11 0x559ef84c60ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
    #12 0x7fcf59828d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7 in macho_no_dead_strip
```

## Proof of Concept

The vulnerability can be triggered by processing the malformed assembly file provided as `POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1`. This file contains specific Mach-O pragma directives that cause the heap buffer overflow condition.

**POC Download**: [Google Drive Link - POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1](https://drive.google.com/file/d/1JRHWdjW6FGHDV0CMJe8VinmCQ4vP9ZpR/view?usp=drive_link)

## Reproduction Steps

1. Compile NASM with AddressSanitizer enabled.
2. Execute: `nasm -f macho POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1`
3. The program will crash with a heap-buffer-overflow error.

## Affected Versions

NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
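Added triage example (not part of this submission, and not NASM project code): a small parser that pulls the fields a fuzzing pipeline needs out of an AddressSanitizer report like the one above, namely the bug class, the access kind and size, the faulting frame, the allocation site, and the relation of the faulting address to the allocated region. From those it derives a crash signature for deduplication and flags the "0 bytes after an N-byte region, read of size 1" shape that this report shows, which is the classic one-past-the-end read. The sample input is the report quoted above, trimmed to the frames needed; all function and class names (`parse_asan_report`, `AsanReport`, `Frame`) are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the opening lines of the ASan report in this submission,
# trimmed to the frames needed for triage.
SAMPLE_REPORT = """\
==934481==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000037b4 at pc 0x559ef8665da6 bp 0x7ffdcf74f950 sp 0x7ffdcf74f948
READ of size 1 at 0x6020000037b4 thread T0
    #0 0x559ef8665da5 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7
    #1 0x559ef8665da5 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
    #2 0x559ef84f527e in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
0x6020000037b4 is located 0 bytes after 4-byte region [0x6020000037b0,0x6020000037b4)
allocated by thread T0 here:
    #0 0x559ef848d7ee in malloc (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x2857ee) (BuildId: 2a14aa05a80be476)
    #1 0x559ef8665074 in nasm_malloc /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:55:9
    #2 0x559ef8665074 in nasm_strdup /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:117:9
    #3 0x559ef8665074 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1767:13
SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7 in macho_no_dead_strip
"""

# Line shapes emitted by ASan; each regex matches one kind of line.
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+")
REGION_RE = re.compile(r"is located (\d+) bytes (after|before|inside of) (\d+)-byte region")
ALLOC_RE = re.compile(r"^allocated by thread")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)")


@dataclass
class Frame:
    index: int
    func: str
    loc: str  # file:line:col, or (binary+offset) when unsymbolized


@dataclass
class AsanReport:
    kind: Optional[str] = None            # e.g. heap-buffer-overflow
    address: Optional[str] = None
    access: Optional[str] = None          # READ or WRITE
    access_size: Optional[int] = None
    region_offset: Optional[int] = None   # distance from the region boundary
    region_relation: Optional[str] = None # after / before / inside of
    region_size: Optional[int] = None
    crash_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    def signature(self, depth: int = 3) -> str:
        """Dedup key: bug class plus the top `depth` crash-stack functions."""
        funcs = [f.func for f in self.crash_frames[:depth]]
        return "|".join([self.kind or "unknown", *funcs])

    def is_off_by_one_past_end(self) -> bool:
        """True for a 1-byte read/write starting exactly at the end of the region."""
        return (self.kind == "heap-buffer-overflow"
                and self.region_relation == "after"
                and self.region_offset == 0
                and self.access_size == 1)


def parse_asan_report(text: str) -> AsanReport:
    """Parse the crash header, both stacks and the region line of an ASan report."""
    rep = AsanReport()
    target = rep.crash_frames  # frames go here until the allocation stack starts
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            rep.kind, rep.address = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.access, rep.access_size = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(line)
        if m:
            rep.region_offset = int(m.group(1))
            rep.region_relation = m.group(2)
            rep.region_size = int(m.group(3))
            continue
        if ALLOC_RE.match(line):
            target = rep.alloc_frames
            continue
        m = FRAME_RE.match(line)
        if m:
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print("signature:", r.signature())
    print("fault at:", r.crash_frames[0].loc)
    print("allocated at:", r.alloc_frames[3].loc, "size", r.region_size)
    print("one-past-the-end:", r.is_off_by_one_past_end())
```

The signature deliberately uses function names rather than addresses or full paths, so the same bug found by different fuzzer instances (or in rebuilt binaries) collapses into one bucket. The `region_offset`/`region_relation`/`access_size` triple is what distinguishes a one-byte overread like this one from a large linear overflow, which matters when prioritizing fixes.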
Source: https://bugzilla.nasm.us/show_bug.cgi?id=3392934
User: xdcao (UID 88377)
Submitted: 26/07/2025 09:10 AM (9 months ago)
Moderation: 10/08/2025 05:56 PM (15 days later)
Status: Approved
VulDB Entry: 319377 [NASM Netwide Assembler 2.17rc0 outmacho.c macho_no_dead_strip memory corruption]
Points: 17
