Bug 1625037 (CVE-2018-16382) - CVE-2018-16382 nasm: buffer over-read in x86/regflags.c allows for crash via crafted file
Summary: CVE-2018-16382 nasm: buffer over-read in x86/regflags.c allows for crash via ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-16382
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1625038 1625039
Blocks: 1625041
TreeView+ depends on / blocked
 
Reported: 2018-09-04 03:35 UTC by Sam Fowler
Modified: 2019-09-29 14:57 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:37:19 UTC
Embargoed:

Attachments (Terms of Use)

Description Sam Fowler 2018-09-04 03:35:25 UTC 
Netwide Assembler (NASM) through version 2.14rc15 has a buffer over-read in x86/regflags.c. An attacker could exploit this to cause a crash via a crafted file.


Upstream Bug:

https://bugzilla.nasm.us/show_bug.cgi?id=3392503
Comment 1 Sam Fowler 2018-09-04 03:35:53 UTC 
Created nasm tracking bugs for this issue:

Affects: fedora-all [bug 1625038]
Comment 3 Sam Fowler 2018-09-04 03:38:15 UTC 
Reproduces on F28 with nasm-2.13.03-1.fc28.x86_64:

# nasm CVE-2018-16382 2>&1 | ./asan_symbolizer.py 
nasm: warning: file name already has no extension: output will be in `nasm.out'
CVE-2018-16382:13: error: label or instruction expected at start of line
...[snip]...
CVE-2018-16382:36: error: parser: instruction expected
=================================================================
==21==ERROR: AddressSanitizer: global-buffer-overflow on address 0x562db193d8e8 at pc 0x562db18403ad bp 0x7fff611253e0 sp 0x7fff611253d0
READ of size 8 at 0x562db193d8e8 thread T0
    #0 0x562db18403ac in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/parser.c:891
    #1 0x562db1822bcd in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:1374
    #2 0x562db181dd1d in ?? /usr/src/debug/nasm-2.13.03-1.fc28.x86_64/asm/nasm.c:483
    #3 0x7fc6afd2c24a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #3 0x562db181f1b9 in ?? ??:0

0x562db193d8e8 is located 0 bytes to the right of global variable 'nasm_reg_flags' defined in 'x86/regflags.c:6:17' (0x562db193d160) of size 1928
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/nasm+0x11a3ac)
Shadow bytes around the buggy address:
  0x0ac63631fac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac63631fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9
  0x0ac63631fb20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb30: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0ac63631fb40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac63631fb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac63631fb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Note You need to log in before you can comment on or make changes to this bug.