Bug 1625037 (CVE-2018-16382)

Summary: CVE-2018-16382 nasm: buffer over-read in x86/regflags.c allows for crash via crafted file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: java-sig-commits, mizdebsk, nickc
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:37:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1625038, 1625039    
Bug Blocks: 1625041    

Description Sam Fowler 2018-09-04 03:35:25 UTC
Netwide Assembler (NASM) through version 2.14rc15 has a buffer over-read in x86/regflags.c. An attacker could exploit this to cause a crash via a crafted file.


Upstream Bug:

https://bugzilla.nasm.us/show_bug.cgi?id=3392503

Comment 1 Sam Fowler 2018-09-04 03:35:53 UTC
Created nasm tracking bugs for this issue:

Affects: fedora-all [bug 1625038]

Comment 3 Sam Fowler 2018-09-04 03:38:15 UTC
Reproduces on F28 with nasm-2.13.03-1.fc28.x86_64:

# nasm CVE-2018-16382 2>&1 | ./asan_symbolizer.py 
nasm: warning: file name already has no extension: output will be in `nasm.out'
CVE-2018-16382:13: error: label or instruction expected at start of line
...[snip]...
CVE-2018-16382:36: error: parser: instruction expected
=================================================================
==21==ERROR: AddressSanitizer: global-buffer-overflow on address 0x562db193d8e8 at pc 0x562db18403ad bp 0x7fff611253e0 sp 0x7fff611253d0
READ of size 8 at 0x562db193d8e8 thread T0
    #0 0x562db18403ac in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/parser.c:891
    #1 0x562db1822bcd in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:1374
    #2 0x562db181dd1d in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:483
    #3 0x7fc6afd2c24a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #3 0x562db181f1b9 in ?? ??:0

0x562db193d8e8 is located 0 bytes to the right of global variable 'nasm_reg_flags' defined in 'x86/regflags.c:6:17' (0x562db193d160) of size 1928
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/nasm+0x11a3ac)
Shadow bytes around the buggy address:
  0x0ac63631fac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac63631fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9
  0x0ac63631fb20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb30: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0ac63631fb40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac63631fb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00