| Title | nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption |
|---|
| Description | # NASM Heap Buffer Overflow Vulnerability in macho_no_dead_strip Function
## Vulnerability Summary
A critical heap buffer overflow vulnerability has been discovered in the NASM (Netwide Assembler) Mach-O output format module. The vulnerability occurs in the `macho_no_dead_strip` function within `outmacho.c` at line 1774, where the program attempts to read beyond the bounds of an allocated heap buffer.
## Technical Details
- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Function**: `macho_no_dead_strip`
- **Source File**: `outmacho.c`
- **Line Number**: 1774
- **Signal**: SIGABRT (6)
## Vulnerability Mechanism and Root Cause
This heap buffer overflow vulnerability is caused by insufficient bounds checking when processing Mach-O pragma directives. The root issue lies in the `macho_no_dead_strip` function where a string buffer is allocated but accessed beyond its boundaries.
The vulnerability occurs when:
1. Memory is allocated for a string buffer in `macho_no_dead_strip` at line 1767 using `nasm_strdup`
2. The allocated buffer is only 4 bytes in size
3. The function attempts to read 1 byte at offset 0x6020000037b4, which is exactly at the end of the 4-byte allocation
4. This results in reading 0 bytes after the valid 4-byte region, triggering the heap buffer overflow
The vulnerability is triggered when processing malformed Mach-O section names or pragma directives that cause the string processing logic to access memory beyond the allocated buffer boundaries.
## AddressSanitizer Report
```
=================================================================
==934481==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000037b4 at pc 0x559ef8665da6 bp 0x7ffdcf74f950 sp 0x7ffdcf74f948
READ of size 1 at 0x6020000037b4 thread T0
#0 0x559ef8665da5 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7
#1 0x559ef8665da5 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
#2 0x559ef84f527e in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
#3 0x559ef84f527e in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:156:22
#4 0x559ef84f6657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
#5 0x559ef84f6657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
#6 0x559ef84e8906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
#7 0x559ef84c60ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
#8 0x559ef84c60ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
#9 0x7fcf59828d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7fcf59828e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x559ef83f57b4 in _start (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x1ed7b4) (BuildId: 2a14aa05a80be476)
0x6020000037b4 is located 0 bytes after 4-byte region [0x6020000037b0,0x6020000037b4)
allocated by thread T0 here:
#0 0x559ef848d7ee in malloc (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x2857ee) (BuildId: 2a14aa05a80be476)
#1 0x559ef8665074 in nasm_malloc /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:55:9
#2 0x559ef8665074 in nasm_strdup /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:117:9
#3 0x559ef8665074 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1767:13
#4 0x559ef8665074 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
#5 0x559ef84f527e in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
#6 0x559ef84f527e in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:156:22
#7 0x559ef84f6657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
#8 0x559ef84f6657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
#9 0x559ef84e8906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
#10 0x559ef84c60ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
#11 0x559ef84c60ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
#12 0x7fcf59828d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7 in macho_no_dead_strip
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed assembly file provided as `POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1`. This file contains specific Mach-O pragma directives that cause the heap buffer overflow condition.
**POC Download**: [Google Drive Link - POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1](https://drive.google.com/file/d/1JRHWdjW6FGHDV0CMJe8VinmCQ4vP9ZpR/view?usp=drive_link)
## Reproduction Steps
1. Compile NASM with AddressSanitizer enabled
2. Execute: `nasm -f macho POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1`
3. The program will crash with a heap-buffer-overflow error
## Affected Versions
NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://bugzilla.nasm.us/show_bug.cgi?id=3392934 |
|---|
| User | xdcao (UID 88377) |
|---|
| Submission | 07/26/2025 09:10 (9 months ago) |
|---|
| Moderation | 08/10/2025 17:56 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319377 [NASM Netwide Assembler 2.17rc0 outmacho.c macho_no_dead_strip heap-based overflow] |
|---|
| Points | 17 |
|---|