Bug 1625037 (CVE-2018-16382)
Summary: | CVE-2018-16382 nasm: buffer over-read in x86/regflags.c allows for crash via crafted file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | java-sig-commits, mizdebsk, nickc |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:37:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1625038, 1625039 | ||
Bug Blocks: | 1625041 |
Description
Sam Fowler
2018-09-04 03:35:25 UTC
Created nasm tracking bugs for this issue: Affects: fedora-all [bug 1625038] Reproduces on F28 with nasm-2.13.03-1.fc28.x86_64: # nasm CVE-2018-16382 2>&1 | ./asan_symbolizer.py nasm: warning: file name already has no extension: output will be in `nasm.out' CVE-2018-16382:13: error: label or instruction expected at start of line ...[snip]... CVE-2018-16382:36: error: parser: instruction expected ================================================================= ==21==ERROR: AddressSanitizer: global-buffer-overflow on address 0x562db193d8e8 at pc 0x562db18403ad bp 0x7fff611253e0 sp 0x7fff611253d0 READ of size 8 at 0x562db193d8e8 thread T0 #0 0x562db18403ac in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/parser.c:891 #1 0x562db1822bcd in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:1374 #2 0x562db181dd1d in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:483 #3 0x7fc6afd2c24a in __libc_start_main (/lib64/libc.so.6+0x2324a) #3 0x562db181f1b9 in ?? ??:0 0x562db193d8e8 is located 0 bytes to the right of global variable 'nasm_reg_flags' defined in 'x86/regflags.c:6:17' (0x562db193d160) of size 1928 SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/nasm+0x11a3ac) Shadow bytes around the buggy address: 0x0ac63631fac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631fad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631fae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ac63631fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 0x0ac63631fb20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631fb30: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 0x0ac63631fb40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 0x0ac63631fb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac63631fb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |