notfound 807179 2.10.09-1
found 807179 2.11.05-1
found 807179 2.11.06-1really2.11.05-1
found 807179 2.11.06-1
fixed 807179 2.11.08-1
tags 807179 + upstream fixed
forwarded 807179 https://bugzilla.nasm.us/show_bug.cgi?id=3392289
bye


Dear Maintainer,
I tried to get some more details out of that report.

I could reproduce it in a stretch/testing amd64 VM
of date 2015-12-07.

I found it not to crash with 2.10.09-1.

It got fixed upstream in the following commit:


9b05974022da69c12b8b190c6ad100402771e5ad is the first bad commit
commit 9b05974022da69c12b8b190c6ad100402771e5ad
Author: Cyrill Gorcunov <gorcu...@gmail.com>
Date:   Sun Dec 14 22:44:54 2014 +0300

    ndisasm: Prevent nil dereference on registerd decoding
    
    The sequence | 0x0F 0x1B 0x75 | get matched into
    one of BNDx instruction which register value 6
    which is of course out of possible BND registers
    implemented in hardware at the moment leading to
    nil dereference.
    
    Instead lets use a macro in whichreg() helper
    which would test the registers bounds and force
    the caller to try another template if register is
    out of range. In the case above it simply means
    ndisasm instead of crashing outputs
    
     | 00000000  0F                db 0x0f
     | 00000001  1B                db 0x1b
     | 00000002  75                db 0x75
    
    http://bugzilla.nasm.us/show_bug.cgi?id=3392289
    
    Reported-by: Hanno Boeck <ha...@hboeck.de>
    Signed-off-by: Cyrill Gorcunov <gorcu...@gmail.com>

:100644 100644 8ee0b1c3c3c72801def4598aca0af5ac7f1de095 
161868d08d8493fd2d03ffd8483006629484b0cc M      disasm.c


Kind regards,
Bernhard

Stretch amd64 VM:

apt update
apt install devscripts dpkg-dev systemd-coredump gdb nasm nasm-dbgsym git autogen autoconf

ndisasm /usr/lib/gcc/x86_64-linux-gnu/6/cc1plus
-> no crash

dpkg -l | grep nasm
nasm 2.12.01-1+b1


###########


Stretch testing as of date 20151207:


debian-9-stretch-snapshot.debian.org                
https://snapshot.debian.org/archive/debian/20151207T000000Z/
deb [check-valid-until=no] http://192.168.178.25:9999/debian-10-buster-snapshot.debian.org/ stretch main


apt-get -o Acquire::Check-Valid-Until=false -o Acquire::CompressionTypes::Order::=gz -o Acquire::Languages=none update
apt dist-upgrade



apt install devscripts dpkg-dev systemd-coredump gdb nasm gcc-4.9 ghostscript   


mkdir nasm/orig -p
cd    nasm/orig
apt source nasm
cd ../..


benutzer@debian:~$ ls -lisah /usr/bin/gcc
276245 0 lrwxrwxrwx 1 root root 5 Aug  3  2015 /usr/bin/gcc -> gcc-5
root@debian:~# ln -sf /usr/bin/gcc-4.9 /usr/bin/gcc



cd nasm
cp orig try1-gcc-4.9 -a
cd try1-gcc-4.9/nasm-2.11.06-1really2.11.05/
dpkg-buildpackage -b



benutzer@debian:~$ ndisasm /usr/lib/gcc/x86_64-linux-gnu/5/cc1plus
...
00015F04  B5FF              mov ch,0xff
Speicherzugriffsfehler (Speicherabzug geschrieben)


[  137.226089] ndisasm[10069]: segfault at 24c4838 ip 0000000000402b24 sp 
00007ffeb8b20b70 error 4 in ndisasm[400000+97000]


root@debian:~# coredumpctl list
TIME                            PID   UID   GID SIG PRESENT EXE
Mo 2018-11-26 06:19:29 CET    10069  1000  1000  11 * /usr/bin/ndisasm
root@debian:~# coredumpctl gdb 10069
           PID: 10069 (ndisasm)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 11 (SEGV)
     Timestamp: Mo 2018-11-26 06:19:29 CET (43s ago)
  Command Line: ndisasm /usr/lib/gcc/x86_64-linux-gnu/5/cc1plus
    Executable: /usr/bin/ndisasm
 Control Group: /system.slice/ssh.service
          Unit: ssh.service
         Slice: system.slice
       Boot ID: 718ef12558e14b51b01f270ea473fd35
    Machine ID: 0cc81cdce83142f0b9c65e10b756c1dc
      Hostname: debian
      Coredump: 
/var/lib/systemd/coredump/core.ndisasm.1000.718ef12558e14b51b01f270ea473fd35.10069.1543209569000000.xz
       Message: Process 10069 (ndisasm) of user 1000 dumped core.
                
                Stack trace of thread 10069:
                #0  0x0000000000402b24 n/a (ndisasm)
                #1  0x0000000000400f98 n/a (ndisasm)
                #2  0x00007f59feec8b45 __libc_start_main (libc.so.6)
                #3  0x0000000000401901 n/a (ndisasm)

GNU gdb (Debian 7.10-1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ndisasm...(no debugging symbols found)...done.
[New LWP 10069]
Core was generated by `ndisasm /usr/lib/gcc/x86_64-linux-gnu/5/cc1plus'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000402b24 in ?? ()
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  0x0000000000402b24 in ?? ()
#1  0x0000000000400f98 in ?? ()
#2  0x00007f59feec8b45 in __libc_start_main (main=0x400df0, argc=2, 
argv=0x7ffeb8b21318, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffeb8b21308) at libc-start.c:287
#3  0x0000000000401901 in ?? ()

(gdb) info target
Symbols from "/usr/bin/ndisasm".
...
Local exec file:
        `/usr/bin/ndisasm', file type elf64-x86-64.
        Entry point: 0x4018d8





root@debian:~# coredumpctl list     
TIME                            PID   UID   GID SIG PRESENT EXE
Mo 2018-11-26 06:19:29 CET    10069  1000  1000  11 * /usr/bin/ndisasm
Mo 2018-11-26 13:27:46 CET    13653  1000  1000  11 * 
/home/benutzer/nasm/try1-gcc-4.9/nasm-2.11.06-1really2.11.05/ndisasm
root@debian:~# coredumpctl gdb 13653
           PID: 13653 (ndisasm)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 11 (SEGV)
     Timestamp: Mo 2018-11-26 13:27:46 CET (18s ago)
  Command Line: 
/home/benutzer/nasm/try1-gcc-4.9/nasm-2.11.06-1really2.11.05/ndisasm 
/usr/lib/gcc/x86_64-linux-gnu/5/cc1plus
    Executable: 
/home/benutzer/nasm/try1-gcc-4.9/nasm-2.11.06-1really2.11.05/ndisasm
 Control Group: /system.slice/ssh.service
          Unit: ssh.service
         Slice: system.slice
       Boot ID: 718ef12558e14b51b01f270ea473fd35
    Machine ID: 0cc81cdce83142f0b9c65e10b756c1dc
      Hostname: debian
      Coredump: 
/var/lib/systemd/coredump/core.ndisasm.1000.718ef12558e14b51b01f270ea473fd35.13653.1543235266000000.xz
       Message: Process 13653 (ndisasm) of user 1000 dumped core.
                
                Stack trace of thread 13653:
                #0  0x0000000000402b24 snprintf (ndisasm)
                #1  0x0000000000400f98 main (ndisasm)
                #2  0x00007f3e9546cb45 __libc_start_main (libc.so.6)
                #3  0x0000000000401901 _start (ndisasm)

GNU gdb (Debian 7.10-1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from 
/home/benutzer/nasm/try1-gcc-4.9/nasm-2.11.06-1really2.11.05/ndisasm...done.
[New LWP 13653]
Core was generated by 
`/home/benutzer/nasm/try1-gcc-4.9/nasm-2.11.06-1really2.11.05/ndisasm 
/usr/lib/g'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  snprintf (__fmt=0x40729f "%s", __n=249, __s=0x7ffc9f2c5637 "0xff") at 
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64
64        return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  snprintf (__fmt=0x40729f "%s", __n=249, __s=0x7ffc9f2c5637 "0xff") at 
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64
#1  disasm (data=data@entry=0x7ffc9f2c560d 
"\017\032a\234\032\372G\004\326WvE~x", output=output@entry=0x7ffc9f2c5630 
"bndldx 0xff", outbufsize=outbufsize@entry=256, segsize=segsize@entry=16, 
offset=offset@entry=89862, autosync=autosync@entry=0, prefer=0x7ffc9f2c55e0) at 
disasm.c:1432
#2  0x0000000000400f98 in main (argc=<optimized out>, argv=<optimized out>) at 
ndisasm.c:319

(gdb) up
#1  disasm (data=data@entry=0x7ffc9f2c560d 
"\017\032a\234\032\372G\004\326WvE~x", output=output@entry=0x7ffc9f2c5630 
"bndldx 0xff", outbufsize=outbufsize@entry=256, segsize=segsize@entry=16, 
offset=offset@entry=89862, autosync=autosync@entry=0, prefer=0x7ffc9f2c55e0) at 
disasm.c:1432
1432                slen += snprintf(output + slen, outbufsize - slen, "%s",
(gdb) print output
$1 = 0x7ffc9f2c5630 "bndldx 0xff"
(gdb) list
1427                    (o->segment & SEG_RMREG)) {
1428                enum reg_enum reg;
1429                reg = whichreg(t, o->basereg, ins.rex);
1430                if (t & TO)
1431                    slen += snprintf(output + slen, outbufsize - slen, "to 
");
1432                slen += snprintf(output + slen, outbufsize - slen, "%s",
1433                        nasm_reg_names[reg-EXPR_REG_START]);
1434                if (is_evex && deco)
1435                    slen += append_evex_reg_deco(output + slen, outbufsize 
- slen,
1436                                                 deco, ins.evex_p);

(gdb) print slen
$2 = 7
(gdb) print reg
$3 = <optimized out>
(gdb) print nasm_reg_names
$4 = 0x494140 <nasm_reg_names>
(gdb) display/i $pc
1: x/i $pc
=> 0x402b24 <disasm+2324>:      mov    0x494140(,%r13,8),%rcx
(gdb) print/x $r13
$5 = 0x4060df






        
https://snapshot.debian.org/package/nasm/2.11.08-1/                 -> no crash
https://snapshot.debian.org/package/nasm/2.11.06-1/                 -> crash
https://snapshot.debian.org/package/nasm/2.11.06-1really2.11.05-1/  -> crash
https://snapshot.debian.org/package/nasm/2.11.05-1/                 -> crash
https://snapshot.debian.org/package/nasm/2.11-1/                    -> crash
https://snapshot.debian.org/package/nasm/2.10.09-1/                 -> no crash




benutzer@debian:~/nasm/git$ git clone git://repo.or.cz/nasm.git

sh autogen.sh 
sh configure
make
./ndisasm /usr/lib/gcc/x86_64-linux-gnu/5/cc1plus
make distclean


benutzer@debian:~/nasm/git/nasm$ git bisect start
benutzer@debian:~/nasm/git/nasm$ git bisect good nasm-2.11.06
benutzer@debian:~/nasm/git/nasm$ git bisect bad  nasm-2.11.08

benutzer@debian:~/nasm/git/nasm$ git bisect good
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7cc90badae553a5ae25c3d93b75b024c73e2c7f4] quote: Fix returning out of string 
pointer, take 2
benutzer@debian:~/nasm/git/nasm$ git bisect bad
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[00590792fe2ede83db2f66a562d8fd837cfb1061] NASM 2.11.07
benutzer@debian:~/nasm/git/nasm$ git bisect good
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7729edf7224e39628bd342c3a3bb44c1753bdfb0] configure.in: Move AC_C_INLINE and 
friends to be checked before PA_ADD_CFLAGS
benutzer@debian:~/nasm/git/nasm$ git bisect bad
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9b05974022da69c12b8b190c6ad100402771e5ad] ndisasm: Prevent nil dereference on 
registerd decoding
benutzer@debian:~/nasm/git/nasm$ git bisect bad
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1cccb1e8d5618f054b509b6eaf9e1cee13985bc7] disasm: matches -- Use proper return 
type
benutzer@debian:~/nasm/git/nasm$ git bisect good
9b05974022da69c12b8b190c6ad100402771e5ad is the first bad commit
commit 9b05974022da69c12b8b190c6ad100402771e5ad
Author: Cyrill Gorcunov <gorcu...@gmail.com>
Date:   Sun Dec 14 22:44:54 2014 +0300

    ndisasm: Prevent nil dereference on registerd decoding
    
    The sequence | 0x0F 0x1B 0x75 | get matched into
    one of BNDx instruction which register value 6
    which is of course out of possible BND registers
    implemented in hardware at the moment leading to
    nil dereference.
    
    Instead lets use a macro in whichreg() helper
    which would test the registers bounds and force
    the caller to try another template if register is
    out of range. In the case above it simply means
    ndisasm instead of crashing outputs
    
     | 00000000  0F                db 0x0f
     | 00000001  1B                db 0x1b
     | 00000002  75                db 0x75
    
    http://bugzilla.nasm.us/show_bug.cgi?id=3392289
    
    Reported-by: Hanno Boeck <ha...@hboeck.de>
    Signed-off-by: Cyrill Gorcunov <gorcu...@gmail.com>

:100644 100644 8ee0b1c3c3c72801def4598aca0af5ac7f1de095 
161868d08d8493fd2d03ffd8483006629484b0cc M      disasm.c




set width 0
set pagination off
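An added example, not code from nasm or from this report, illustrating the defect the gdb session above exposes (`nasm_reg_names[reg-EXPR_REG_START]` indexed with an out-of-range register value) and the shape of the fix the bisected commit describes (a bounds test in the register helper that makes the caller reject the template and fall back to `db`). The names `whichreg_unchecked`, `whichreg_checked`, `bnd_names` and `disasm_one` are hypothetical, the register table and the second byte sequence are constructed, and the mnemonic and operand formatting are simplified for illustration; only the 0F 1B 75 sequence and the `db` output format come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the four BND registers that exist in hardware.
   A 3-bit ModRM reg field can still encode values 4..7. */
static const char *const bnd_names[] = { "bnd0", "bnd1", "bnd2", "bnd3" };
#define BND_COUNT ((int)(sizeof bnd_names / sizeof bnd_names[0]))

/* Byte sequence from the bisected commit message (0F 1B 75): reg field = 6. */
const uint8_t page_sequence[3] = { 0x0F, 0x1B, 0x75 };
/* Constructed in-range counterpart: reg field = 1. */
const uint8_t in_range_sequence[3] = { 0x0F, 0x1B, 0x0D };

/* Pre-fix shape (hypothetical name): returns the raw field with no bounds
   test. Using its result as a table index is what goes wrong for reg >= 4. */
int whichreg_unchecked(uint8_t modrm) { return (modrm >> 3) & 7; }

/* Post-fix shape (hypothetical name): -1 tells the caller "not a valid
   register, try another template" instead of handing back a bad index. */
int whichreg_checked(uint8_t modrm) {
    int reg = (modrm >> 3) & 7;
    return reg < BND_COUNT ? reg : -1;
}

/* One instruction template. Returns bytes consumed, or 0 when the template
   does not match; operand formatting is simplified for illustration. */
static size_t decode_bnd_template(const uint8_t *data, size_t len, char *out, size_t outsz) {
    if (len < 3 || data[0] != 0x0F || data[1] != 0x1B)
        return 0;
    int reg = whichreg_checked(data[2]);
    if (reg < 0)
        return 0;                     /* out-of-range register: reject template */
    snprintf(out, outsz, "bndldx %s", bnd_names[reg]);
    return 3;
}

/* Top level: try the template, otherwise fall back to a one-byte `db`. */
size_t disasm_one(const uint8_t *data, size_t len, char *out, size_t outsz) {
    size_t n = decode_bnd_template(data, len, out, outsz);
    if (n)
        return n;
    if (len == 0) {
        if (outsz) out[0] = '\0';
        return 0;
    }
    snprintf(out, outsz, "db 0x%02x", data[0]);
    return 1;
}

/* Convenience wrappers returning the text / byte count of one decode step. */
static char scratch[64];
const char *decode_to_text(const uint8_t *data, size_t len) {
    disasm_one(data, len, scratch, sizeof scratch);
    return scratch;
}
size_t decode_consumed(const uint8_t *data, size_t len) {
    char tmp[64];
    return disasm_one(data, len, tmp, sizeof tmp);
}

/* Walks a buffer and prints lines in the style the commit message shows. */
void disasm_buffer(const uint8_t *data, size_t len) {
    size_t off = 0;
    while (off < len) {
        char text[64];
        size_t n = disasm_one(data + off, len - off, text, sizeof text);
        printf("%08zX  ", off);
        for (size_t i = 0; i < n; i++)
            printf("%02X", data[off + i]);
        printf("%*s%s\n", (int)(18 - 2 * n), "", text);
        off += n;
    }
}

int main(void) {
    disasm_buffer(page_sequence, sizeof page_sequence);      /* three db lines */
    disasm_buffer(in_range_sequence, sizeof in_range_sequence);
    return 0;
}
```

The point of the checked variant is that the decoder never carries an unvalidated field into a table lookup: a register number outside the table is a non-match, and the bytes are emitted as data instead, which is exactly the `db 0x0f / db 0x1b / db 0x75` output the commit message lists for the crashing sequence.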
