Submission #623188: nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption — information

Title: nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption
Description:

# NASM Stack Buffer Overflow Vulnerability in assemble_file Function

## Vulnerability Summary

A high-severity stack buffer overflow vulnerability has been discovered in the NASM (Netwide Assembler) main assembly processing module. The vulnerability occurs in the `assemble_file` function within `nasm.c` at line 1747, where the program writes beyond the bounds of a stack-allocated buffer.

## Technical Details

- **Vulnerability Type**: Stack Buffer Overflow
- **Affected Function**: `assemble_file`
- **Source File**: `nasm.c`
- **Line Number**: 1747
- **Signal**: SIGABRT (6)

## Vulnerability Mechanism and Root Cause

This stack buffer overflow vulnerability is caused by insufficient bounds checking when processing assembly file data within the main assembly loop. The root issue lies in the `assemble_file` function, where stack-allocated buffers are overwritten due to improper size validation.

The vulnerability occurs when:

1. The `assemble_file` function processes input assembly data that exceeds expected buffer sizes
2. Stack-allocated buffers used for temporary processing are not properly bounds-checked
3. Malformed input causes a WRITE operation of size 8 bytes beyond the allocated stack buffer boundary
4. This overwrites adjacent stack memory, potentially corrupting return addresses or other critical data
5. The stack corruption eventually leads to a program crash or potential code execution

This vulnerability affects the core assembly processing logic and can be triggered by various types of malformed assembly input that cause buffer size miscalculations.

## AddressSanitizer Report

```
=================================================================
==4070149==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f22d8d000b0 at pc 0x557bfdf6bf2e bp 0x7ffffad49e30 sp 0x7ffffad49e28
WRITE of size 8 at 0x7f22d8d000b0 thread T0
    #0 0x557bfdf6bf2d in parse_line /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/parser.c
    #1 0x557bfdeff0fe in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1747:13
    #2 0x557bfdeff0fe in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
    #3 0x7f22da6ecd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f22da6ece3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x557bfde2e7b4 in _start (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x1ed7b4) (BuildId: 2a14aa05a80be476)

Address 0x7f22d8d000b0 is located in stack of thread T0 at offset 176 in frame
    #0 0x557bfdefba7f in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:518

  This frame has 5 object(s):
    [32, 40) 'list.addr.i' (line 420)
    [64, 160) 'dummy.i.i' (line 1617)
    [192, 656) 'output_ins.i' (line 1645) <== Memory access at offset 176 underflows this variable
    [720, 728) 'len.i264' (line 456)
    [752, 880) 'temp.i.i' (line 301)
SUMMARY: AddressSanitizer: stack-buffer-overflow /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/parser.c in parse_line
```

## Proof of Concept

The vulnerability can be triggered by processing the malformed assembly file provided as `POC_nasm_stack_buffer_overflow_assemble_file`. This file contains specific assembly constructs that cause the stack buffer overflow condition.

**POC Download**: [Google Drive Link - POC_nasm_stack_buffer_overflow_assemble_file](https://drive.google.com/file/d/1pEQb6lcdohWV53DzPPU7kaCCNg-qAaau/view?usp=drive_link)

## Reproduction Steps

1. Compile NASM with AddressSanitizer enabled
2. Execute: `nasm -f elf64 POC_nasm_stack_buffer_overflow_assemble_file`
3. The program will crash with a stack-buffer-overflow error

## Affected Versions

NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab)

**Credit**

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
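The ASan frame listing above reports an 8-byte WRITE at frame offset 176, sixteen bytes before the `[192, 656)` object `output_ins.i`, i.e. an underflow rather than an overrun past the end. The following C program is an added illustration, not NASM's code and not part of the submitted report: it shows the generic pattern that produces such a report (an operand index taken from the input and used to index a stack-resident record without a range check), the hardened form that rejects the index before the write, and a small helper for reading an ASan access offset against a frame object's `[begin, end)` range. The `insn_t` layout, the `op<N>=<value>` syntax and all function names are hypothetical; nothing here is claimed about the actual root cause in `parser.c`.

```c
/*
 * Added illustration (hypothetical code, not NASM's): the pattern behind an
 * AddressSanitizer "stack-buffer-overflow ... underflows this variable"
 * report, beside the bounds check that prevents it.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPERANDS 4

/* Stack-resident instruction record. 'operands' is the first field, so an
 * out-of-range negative index lands *before* the whole object, which is what
 * ASan's "underflows this variable" marker means. Each slot is 8 bytes,
 * matching a "WRITE of size 8". */
typedef struct {
    uint64_t operands[MAX_OPERANDS];
    int nops;
} insn_t;

/* Parse a constructed "op<N>=<value>" token into index and value.
 * Returns 0 on success, -1 on a syntax error. */
static int split_operand(const char *text, long *index, uint64_t *value)
{
    char *end;
    if (strncmp(text, "op", 2) != 0)
        return -1;
    errno = 0;
    *index = strtol(text + 2, &end, 10);
    if (errno != 0 || end == text + 2 || *end != '=')
        return -1;
    *value = strtoull(end + 1, &end, 10);
    if (*end != '\0')
        return -1;
    return 0;
}

/* VULNERABLE: trusts the index parsed from the input. "op-2=1" writes
 * 8 bytes at operands[-2], 16 bytes before the struct (an underflow);
 * "op4=1" writes one slot past its end. Under ASan either is reported as
 * stack-buffer-overflow; without ASan it silently corrupts the frame. */
int parse_operand_unchecked(insn_t *ins, const char *text)
{
    long n;
    uint64_t v;
    if (split_operand(text, &n, &v) != 0)
        return -1;
    ins->operands[n] = v;                  /* no range check on n */
    if (n + 1 > ins->nops)
        ins->nops = (int)(n + 1);
    return 0;
}

/* HARDENED: reject any index outside [0, MAX_OPERANDS) before touching
 * memory, so no input can steer the write outside the record. */
int parse_operand_checked(insn_t *ins, const char *text)
{
    long n;
    uint64_t v;
    if (split_operand(text, &n, &v) != 0)
        return -1;
    if (n < 0 || n >= MAX_OPERANDS)
        return -1;                         /* out-of-range operand index */
    ins->operands[n] = v;
    if (n + 1 > ins->nops)
        ins->nops = (int)(n + 1);
    return 0;
}

/* Parse one token into a fresh record with the hardened parser and return
 * the resulting operand count, or -1 if the token was rejected. */
long checked_nops(const char *text)
{
    insn_t ins = {{0}, 0};
    if (parse_operand_checked(&ins, text) != 0)
        return -1;
    return ins.nops;
}

/* Place an ASan access offset relative to a frame object [begin, end):
 * negative result = bytes before the object (underflow), positive = bytes
 * past its last byte (overflow), 0 = inside the object. For the report
 * above: frame_access_delta(176, 192, 656) == -16. */
long frame_access_delta(long access, long begin, long end)
{
    if (access < begin)
        return access - begin;
    if (access >= end)
        return access - end + 1;
    return 0;
}

int main(void)
{
    /* Constructed sample input; "op-2=7" is the malformed case. */
    const char *tokens[] = { "op1=5", "op-2=7", "op4=1", "mov" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-8s -> checked_nops = %ld\n", tokens[i], checked_nops(tokens[i]));
    printf("ASan offset 176 vs [192, 656): delta %ld\n",
           frame_access_delta(176, 192, 656));
    return 0;
}
```

Build with `-fsanitize=address -g` and feed `parse_operand_unchecked` a token such as `op-2=7` to see a report of the same shape as the one in the submission, with the access flagged as underflowing the record; the hardened parser returns -1 for the same token and never performs the write.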
Source ⚠️ https://bugzilla.nasm.us/show_bug.cgi?id=3392937
User: xdcao (UID 88377)
Submitted: 2025-07-26 09:12 (9 months ago)
Moderated: 2025-08-10 17:57 (15 days later)
Status: Accepted
VulDB entry: 319379 [NASM Netwide Assembler 2.17rc0 nasm.c assemble_file memory corruption]
Points: 17
