CVE-2023-31973: yasm heap use-after-free bug · Issue #207 · yasm/yasm
yasm v1.3.0 was discovered to contain a use-after-free via the function expand_mmac_params at /nasm/nasm-pp.c.
How to trigger
Compile the program with AddressSanitizer.
Run the command: $ ./yasm -w -W -M $PoC
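The two steps above, written out as an added shell script; this is not code from the issue or from the yasm project. It assumes an unpacked yasm-1.3.0 source tree with the release tarball's autotools ./configure, a compiler that accepts -fsanitize=address (clang by default, overridable via CC), and a PoC file supplied by the caller. The ASan flags, the scratch directory, and the asan_summary helper (which reduces the SUMMARY line of a report in the format shown below to a dedup key for fuzz triage) are my additions. The run step keeps the reporter's exact option string -w -W -M, even though the warning in the report below shows yasm does not recognize -W.

```shell
#!/bin/sh
# Added example (not from the issue or from yasm): build yasm 1.3.0 with
# AddressSanitizer, run the reporter's PoC command, and reduce the ASan
# report to a triage key.
set -eu

# Assumed flags: ASan plus debug info so the report carries file:line:col
# frames; -fno-omit-frame-pointer keeps the fast unwinder reliable.
ASAN_CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1"

abspath() {
    # Resolve $1 to an absolute path so it survives a cd into a scratch dir.
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

build_yasm_asan() {
    # $1 = unpacked yasm-1.3.0 source tree (assumption: the tarball's ./configure).
    # Leaves an instrumented binary at $1/yasm.
    src="$1"
    ( cd "$src" &&
      CC="${CC:-clang}" CFLAGS="$ASAN_CFLAGS" LDFLAGS="-fsanitize=address" ./configure &&
      make -j"${JOBS:-4}" )
}

run_poc() {
    # $1 = instrumented yasm binary, $2 = PoC file. Runs the reporter's command
    # line in a scratch directory (yasm writes yasm.out into the cwd) and prints
    # the combined stdout/stderr. ASan exits non-zero on a finding, so that
    # failure is swallowed here and judged by the caller via asan_summary.
    yasm="$(abspath "$1")"
    poc="$(abspath "$2")"
    scratch="$(mktemp -d)"
    ( cd "$scratch" && ASAN_OPTIONS="${ASAN_OPTIONS:-symbolize=1}" "$yasm" -w -W -M "$poc" 2>&1 ) || true
    rm -rf "$scratch"
}

asan_summary() {
    # $1 = captured ASan output. Prints "<bug-class> <function> <file:line:col>"
    # taken from the SUMMARY line, a convenient key for deduplicating fuzzer
    # crashes. Prints nothing when the output contains no ASan SUMMARY line.
    printf '%s\n' "$1" |
        sed -n 's/^SUMMARY: AddressSanitizer: \([a-z-]*\) \(.*\) in \([A-Za-z0-9_]*\)$/\1 \3 \2/p'
}

main() {
    # $1 = yasm-1.3.0 source tree, $2 = PoC file
    build_yasm_asan "$1" >/dev/null
    out="$(run_poc "$1/yasm" "$2")"
    key="$(asan_summary "$out")"
    if [ -n "$key" ]; then
        echo "ASan finding: $key"
    else
        echo "no ASan report: PoC did not reproduce with this build"
        return 1
    fi
}

# Usage: YASM_SRC=/path/to/yasm-1.3.0 POC=/path/to/poc sh build_and_run.sh
if [ -n "${YASM_SRC:-}" ]; then
    main "$YASM_SRC" "${POC:?set POC to the PoC file}"
fi
```

For the report in this issue, asan_summary yields the key "heap-use-after-free expand_mmac_params <path>/nasm-pp.c:3871:33"; crashes from other inputs that share that key are the same bug and need not be reported separately.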
Details
ASAN report
$./yasm -w -W -M $PoC
yasm: warning: unrecognized option `-W'
yasm: file name already has no extension: output will be in `yasm.out'
=================================================================
==973036==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000011c8 at pc 0x0000005b6499 bp 0x7ffc2b8cc4f0 sp 0x7ffc2b8cc4e8
READ of size 8 at 0x60e0000011c8 thread T0
#0 0x5b6498 in expand_mmac_params /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:3871:33
#1 0x5b13b4 in pp_getline /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:5070:21
#2 0x5a7c61 in nasm_preproc_get_included_file /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-preproc.c:263:16
#3 0x4ce053 in do_preproc_only /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:310:23
#4 0x4cca12 in main /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:724:16
#5 0x7fd75a0e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41d46d in _start (/home/root/randomFuzz/yasm/yasm/yasm_w_W_M/yasm+0x41d46d)
0x60e0000011c8 is located 8 bytes inside of 160-byte region [0x60e0000011c0,0x60e000001260)
freed by thread T0 here:
#0 0x4999b2 in free (/home/root/randomFuzz/yasm/yasm/yasm_w_W_M/yasm+0x4999b2)
#1 0x53d597 in def_xfree /home/root/FuzzDateset/yasm/yasm-1.3.0/libyasm/xmalloc.c:113:5
#2 0x5b381a in free_mmacro /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:1163:5
#3 0x5b05e3 in pp_getline /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:5002:25
#4 0x5a7c61 in nasm_preproc_get_included_file /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-preproc.c:263:16
#5 0x4ce053 in do_preproc_only /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:310:23
#6 0x4cca12 in main /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:724:16
#7 0x7fd75a0e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x499c1d in __interceptor_malloc (/home/root/randomFuzz/yasm/yasm/yasm_w_W_M/yasm+0x499c1d)
#1 0x53d0af in def_xmalloc /home/root/FuzzDateset/yasm/yasm-1.3.0/libyasm/xmalloc.c:69:14
#2 0x5c5744 in do_directive /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:3204:24
#3 0x5b13c1 in pp_getline /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:5075:13
#4 0x5a7c61 in nasm_preproc_get_included_file /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-preproc.c:263:16
#5 0x4ce053 in do_preproc_only /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:310:23
#6 0x4cca12 in main /home/root/FuzzDateset/yasm/yasm-1.3.0/frontends/yasm/yasm.c:724:16
#7 0x7fd75a0e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/root/FuzzDateset/yasm/yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c:3871:33 in expand_mmac_params
Shadow bytes around the buggy address:
0x0c1c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff81f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c1c7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8210: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8230: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x0c1c7fff8240: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1c7fff8250: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8260: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c1c7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==973036==ABORTING