| Title | nasm NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab) Memory Corruption |
|---|
| Description | # NASM Heap Buffer Overflow Vulnerability in macho_no_dead_strip Function (Variant 2)
## Vulnerability Summary
A critical heap buffer overflow vulnerability has been discovered in the NASM (Netwide Assembler) Mach-O output format module. This is a distinct variant of the heap buffer overflow in the `macho_no_dead_strip` function in `outmacho.c` at line 1774, reached through a different call chain than the first variant.
## Technical Details
- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Function**: `macho_no_dead_strip`
- **Source File**: `outmacho.c`
- **Line Number**: 1774
- **Signal**: SIGABRT (6)
## Vulnerability Mechanism and Root Cause
This heap buffer overflow is caused by insufficient bounds checking when processing Mach-O pragma directives, reached here through a different code path than the first variant. The root issue lies in the `macho_no_dead_strip` function, where a string buffer is allocated and then read beyond its end.
The vulnerability occurs when:
1. Memory is allocated for a string buffer in `macho_no_dead_strip` at line 1767 using `nasm_strdup`
2. The allocated buffer is only 4 bytes in size
3. The function reads 1 byte at the end of the allocation, i.e. the first byte past the 4-byte region
4. This results in reading beyond the valid buffer region, triggering the heap buffer overflow
This variant differs from the first in its call chain pattern, specifically in the `search_pragma_list` function which follows a different execution path (line 167 vs line 156).
## AddressSanitizer Report
```
=================================================================
==936368==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000037b4 at pc 0x558d6b186da6 bp 0x7ffcb960ce70 sp 0x7ffcb960ce68
READ of size 1 at 0x6020000037b4 thread T0
#0 0x558d6b186da5 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7
#1 0x558d6b186da5 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
#2 0x558d6b016492 in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
#3 0x558d6b016492 in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:167:18
#4 0x558d6b017657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
#5 0x558d6b017657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
#6 0x558d6b009906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
#7 0x558d6afe70ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
#8 0x558d6afe70ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
#9 0x7fda6b93dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7fda6b93de3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x558d6af167b4 in _start (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x1ed7b4) (BuildId: 2a14aa05a80be476)
0x6020000037b4 is located 0 bytes after 4-byte region [0x6020000037b0,0x6020000037b4)
allocated by thread T0 here:
#0 0x558d6afae7ee in malloc (/workspace/benchmark/tmp/old-fuzzdir/fz-nasm/fz-nasm/nasm+0x2857ee) (BuildId: 2a14aa05a80be476)
#1 0x558d6b186074 in nasm_malloc /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:55:9
#2 0x558d6b186074 in nasm_strdup /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/nasmlib/alloc.c:117:9
#3 0x558d6b186074 in macho_no_dead_strip /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1767:13
#4 0x558d6b186074 in macho_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1817:9
#5 0x558d6b016492 in call_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:114:12
#6 0x558d6b016492 in search_pragma_list /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:167:18
#7 0x558d6b017657 in output_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:327:12
#8 0x558d6b017657 in process_pragma /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/pragma.c:290:9
#9 0x558d6b009906 in process_directives /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/directiv.c:556:9
#10 0x558d6afe70ee in assemble_file /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:1743:17
#11 0x558d6afe70ee in main /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/asm/nasm.c:716:9
#12 0x7fda6b93dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/benchmark/program/nasm-888d9ab-Nov5-2024/output/outmacho.c:1774:7 in macho_no_dead_strip
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed assembly file provided as `POC_nasm_heap_buffer_overflow_macho_no_dead_strip_2`. This file contains specific Mach-O pragma directives that cause the heap buffer overflow condition through a different execution path.
**POC Download**: [Google Drive Link - POC_nasm_heap_buffer_overflow_macho_no_dead_strip_2](https://drive.google.com/file/d/1neYY0LKXpdPIX0P6eI9zBt4pfd-19j4Z/view?usp=drive_link)
## Reproduction Steps
1. Compile NASM with AddressSanitizer enabled
2. Execute: `nasm -f macho32 POC_nasm_heap_buffer_overflow_macho_no_dead_strip_2`
3. The program aborts (SIGABRT) with the AddressSanitizer heap-buffer-overflow report shown above
## Affected Versions
NASM version 2.17rc0 compiled on Jul 20 2025 and the newest master (888d9ab)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://bugzilla.nasm.us/show_bug.cgi?id=3392935 |
|---|
| User | xdcao (UID 88377) |
|---|
| Submission | 07/26/2025 09:11 |
|---|
| Moderation | 08/10/2025 17:57 (15 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 319377 [NASM Netwide Assembler 2.17rc0 outmacho.c macho_no_dead_strip heap-based overflow] |
|---|
| Points | 0 |
|---|