Headline
CVE-2021-34123: ATasm: 6502 cross-assembler / Bugs
An issue was discovered on atasm, version 1.09. A stack-buffer-overflow vulnerability in function aprintf() in asm.c allows attackers to execute arbitrary code on the system via a crafted file.
- Summary
- Files
- Reviews
- Support
- Tickets ▾
- Bugs
- Feature Requests
- News
- Code
- Discussion
Menu ▾ ▴
#23 stack-buffer-overflow in function aprintf()
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-05-10
Created: 2021-04-06
Private: No
Hi,
While fuzzing ATasm 1.09, I found stack-buffer-overflow in function aprintf() in asm.c
strcat(line,buf); will result in stack overflow
================================================================= ==3256651==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcaad2ff90 at pc 0x7f24f095b715 bp 0x7ffcaad2fe00 sp 0x7ffcaad2f590 WRITE of size 271 at 0x7ffcaad2ff90 thread T0 #0 0x7f24f095b714 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) #1 0x56362c585de7 in aprintf /home/atasm/src-afl-gcc/asm.c:330 #2 0x56362c593603 in do_xword /home/atasm/src-afl-gcc/asm.c:1312 #3 0x56362c59d6d3 in proc_sym /home/atasm/src-afl-gcc/asm.c:1586 #4 0x56362c5a1f4a in do_cmd /home/atasm/src-afl-gcc/asm.c:1995 #5 0x56362c5a2424 in assemble /home/atasm/src-afl-gcc/asm.c:2034 #6 0x56362c580341 in main /home/atasm/src-afl-gcc/asm.c:2446 #7 0x7f24f06d60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #8 0x56362c581ddd in _start (/home/atasm/src-afl-gcc/atasm+0xdddd)
Address 0x7ffcaad2ff90 is located in stack of thread T0 at offset 352 in frame #0 0x56362c585b7f in aprintf /home/atasm/src-afl-gcc/asm.c:322
This frame has 4 object(s): [32, 56) ‘args’ (line 326) [96, 352) ‘buf’ (line 323) [416, 672) ‘line’ (line 323) <== Memory access at offset 352 partially underflows this variable [736, 992) ‘buf’ (line 1114) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf Shadow bytes around the buggy address: 0x10001559dfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559dfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559dfc0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 0x10001559dfd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559dfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10001559dff0: 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 0x10001559e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559e010: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 0x10001559e020: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559e030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001559e040: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3256651==ABORTING
reproduce:
atasm stack_buffer_over_03_aprintf
1 Attachments
Discussion
Log in to post a comment.