flat assembler
Message board for the users of flat assembler.

Index > Compiler Internals > Crash bug in Linux fasm 1.71.37 --> movq mm0,,mm0 word[

jn (Joined: 24 Feb 2015, Posts: 5)
The following malformed snippet of … malformedness makes fasm segfault on Linux (hexdump):
Code:
00000000  70 6f 73 74 70 6f 6e 65  7b 0a 30 20 20 20 20 20  |postpone{.0     |
00000010  20 7b 0a 30 20 30 20 30  30 30 30 30 30 30 20 30  | {.0 0 0000000 0|
00000020  20 30 20 30 30 30 30 30  30 30 30 20 30 20 30 0a  | 0 00000000 0 0.|
00000030  20 20 70 6f 73 74 70 6f  6e 65 20 20 7d 30        |  postpone  }0|
0000003e

I haven't tested on other platforms.


[ this bug was found by fuzzing with http://lcamtuf.coredump.cx/afl/ ]


Description: Test case. Notice that it doesn't end with a newline character.
Filename: test.asm
Filesize: 62 Bytes



Last edited by jn on 24 Feb 2015, 14:34; edited 1 time in total
Post 24 Feb 2015, 10:54
revolution (Joined: 24 Aug 2004, Posts: 17350)
I get this error message on the 1.71.34 win32 console version:
Code:
  postpone  }0
error: unexpected characters.
It uses all the memory before giving the error but still no crash.


Last edited by revolution on 24 Feb 2015, 11:36; edited 1 time in total
Post 24 Feb 2015, 11:03
jn (Joined: 24 Feb 2015, Posts: 5)
Ok, I tested with different memory limits:
Code:
$ for i in `seq 20 60`; do fasm -m $(($i * 1024)) test.asm &>how; test $? == 139 && cat how && dmesg | tail -n1; done
flat assembler  version 1.71.22  (32768 kilobytes memory)
test.asm [4]:
  postpone  }0
[1176782.812978] fasm[9557]: segfault at 736f7000 ip 0000000008048480 sp 00000000ffe85d00 error 4 in fasm[8048000+17000]
flat assembler  version 1.71.22  (35840 kilobytes memory)
test.asm [4]:
  postpone  }0
[1176782.942880] fasm[9566]: segfault at 0 ip 0000000008048480 sp 00000000ff871280 error 4 in fasm[8048000+17000]
flat assembler  version 1.71.22  (52224 kilobytes memory)
test.asm [4]:
  postpone  }0
[1176783.391018] fasm[9585]: segfault at 736f7000 ip 0000000008048480 sp 00000000ffe54630 error 4 in fasm[8048000+17000]
flat assembler  version 1.71.22  (55296 kilobytes memory)
test.asm [4]:
  postpone  }0
[1176783.538050] fasm[9591]: segfault at 0 ip 0000000008048480 sp 00000000fff4cda0 error 4 in fasm[8048000+17000]


Interestingly, the memory limits that result in a crash are non-contiguous.
Post 24 Feb 2015, 11:31
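An added example (not fasm code and not from any of the posters) that does in Python what the shell loop above does: sweep the -m limit, classify each run by exit status and captured output, and report whether the crashing limits form a contiguous run. It assumes the target accepts `-m <kilobytes>` the way fasm does. The stub target, which segfaults at two non-adjacent limits and prints "out of memory" below 8192 KB, is constructed so the harness can be exercised without fasm installed; its numbers mirror the post but are not fasm's behaviour.

```python
"""Memory-limit sweep with per-run crash classification.

Added example, not code from fasm or from the posts: it generalises the
one-line shell loop (run fasm -m <kb>, check for exit status 139) into a
harness that records a verdict per limit. Target is assumed to take
`-m <kilobytes>`; the stub below is constructed for offline runs.
"""
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class RunResult:
    limit_kb: int
    verdict: str              # segfault | signal | out-of-memory | error | ok | timeout
    returncode: Optional[int]  # None when the run timed out
    output: str


def classify(returncode: int, output: str) -> str:
    """Turn an exit status plus captured output into a triage verdict.

    subprocess reports a signal-killed child as a negative code (-11 for
    SIGSEGV); a shell wrapper reports 128+11 = 139 instead, which is what
    `test $? == 139` in the post checks. Both spellings are accepted.
    """
    if returncode in (-signal.SIGSEGV, 128 + signal.SIGSEGV):
        return "segfault"
    if returncode < 0 or returncode > 128:
        return "signal"                      # killed by some other signal
    if "out of memory" in output.lower():    # the message the post mentions for some -m values
        return "out-of-memory"
    return "ok" if returncode == 0 else "error"


def sweep(cmd_for_limit: Callable[[int], List[str]],
          limits_kb: Iterable[int], timeout: float = 30.0) -> List[RunResult]:
    """Run the target once per memory limit and classify each run."""
    results: List[RunResult] = []
    for kb in limits_kb:
        try:
            proc = subprocess.run(cmd_for_limit(kb), capture_output=True,
                                  text=True, timeout=timeout)
        except subprocess.TimeoutExpired as exc:
            out = exc.stdout or b""
            if isinstance(out, bytes):        # CPython hands back bytes here even in text mode
                out = out.decode(errors="replace")
            results.append(RunResult(kb, "timeout", None, out))
            continue
        out = proc.stdout + proc.stderr
        results.append(RunResult(kb, classify(proc.returncode, out), proc.returncode, out))
    return results


def crash_limits(results: List[RunResult]) -> List[int]:
    return [r.limit_kb for r in results if r.verdict == "segfault"]


def is_contiguous(limits: List[int], step_kb: int) -> bool:
    """True when the crashing limits form one unbroken run spaced step_kb apart.

    The post's crashing limits (32768, 35840, 52224, 55296 at 1024 KB steps) are not.
    """
    return all(b - a == step_kb for a, b in zip(limits, limits[1:]))


def fasm_cmd(kb: int, source: str = "test.asm") -> List[str]:
    """Command line for the real target, shaped like the loop in the post."""
    return ["fasm", "-m", str(kb), source]


# Constructed stand-in for fasm so the harness runs offline: segfaults at two
# non-adjacent limits, reports "out of memory" below 8192 KB, a parse error
# otherwise. Numbers mirror the post; this is not fasm behaviour.
_STUB_SOURCE = (
    "import os, signal, sys\n"
    "kb = int(sys.argv[sys.argv.index('-m') + 1])\n"
    "if kb in (32768, 35840): os.kill(os.getpid(), signal.SIGSEGV)\n"
    "if kb < 8192: print('error: out of memory'); sys.exit(3)\n"
    "print('error: unexpected characters.'); sys.exit(2)\n"
)


def stub_cmd(kb: int) -> List[str]:
    return [sys.executable, "-c", _STUB_SOURCE, "-m", str(kb), "test.asm"]


if __name__ == "__main__":
    runs = sweep(stub_cmd, range(4096, 40960 + 1, 1024))
    for r in runs:
        print(f"-m {r.limit_kb:>6}  {r.verdict:<13} rc={r.returncode}")
    crashes = crash_limits(runs)
    print("crashing limits:", crashes,
          "(contiguous)" if is_contiguous(crashes, 1024) else "(non-contiguous)")
```

To run it against a real assembler, pass `fasm_cmd` (or your own builder) instead of `stub_cmd`; correlating each segfault with its `dmesg` line, as the post does, is left to the caller.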
l_inc (Joined: 23 Oct 2009, Posts: 881)
Code:
postpone { postpone }


P.S. OK. This is a bit more complicated than that, because the crash depends even on the environment. But it is obviously related to the way an error is reported for invalid constructs inside a postpone block.

Post 24 Feb 2015, 15:03
Tomasz Grysztar (Joined: 16 Jun 2003, Posts: 7737, Location: Kraków, Poland)
Corrected with the new release.
Post 25 Feb 2015, 15:39
jn (Joined: 24 Feb 2015, Posts: 5)
Thanks!

I've found another segfault bug, though:
Code:
irp 0={}

As with the other bug, it depends on the memory limit setting (some values show "out of memory" instead of crashing). I suspect that something's wrong in the Linux memory allocation layer, but I really don't know the code.
Post 26 Feb 2015, 04:25
revolution (Joined: 24 Aug 2004, Posts: 17350)
Crashes in Win32 console also with the 8-byte file "irp 0={}".
Code:
fasm -m10000 test.asm
flat assembler  version 1.71.35  (10000 kilobytes memory)
<crash>
Post 26 Feb 2015, 05:23
Tomasz Grysztar (Joined: 16 Jun 2003, Posts: 7737, Location: Kraków, Poland)
Thanks. This was* another bug introduced by changes and additions in the 1.71.x development line (1.70 does not crash on this code, nor does it have a problem with "postpone" because there was no such directive back then). This shows that perhaps switching from the stable download of 1.70 to a "semi-stable" build from the 1.71 line was a bit premature, since the new line clearly was not tested enough.
___
*It was, as I'm uploading the corrected build now.
Post 26 Feb 2015, 09:35
JohnFound (Joined: 16 Jun 2003, Posts: 3502, Location: Bulgaria)
Tomasz Grysztar wrote:
This shows that perhaps switching from the stable download of 1.70 to a "semi-stable" build from 1.71 line was a bit premature, since the new line clearly was not tested enough.


IMHO, it is not exactly true. Of course, it is better to not have bugs at all, but unfortunately it is impossible. These bugs are not so serious, and can't cause big troubles on normal use. And by the way, Fresh IDE is not affected, or perhaps the bugs do not manifest themselves.

Post 26 Feb 2015, 13:27
HaHaAnonymous (Joined: 02 Dec 2012, Posts: 1180)
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 17:51; edited 1 time in total
Post 26 Feb 2015, 15:34
revolution (Joined: 24 Aug 2004, Posts: 17350)
HaHaAnonymous wrote:
It is not an exaggeration to say you should waste more time testing your program than actually coding it.
I disagree that it is a waste of time. Testing and verification is one of the most important aspects IMO.
Post 26 Feb 2015, 15:44
jn (Joined: 24 Feb 2015, Posts: 5)
Ok, I found another crash:
Code:
movq mm0,,mm0 word[
Post 09 Mar 2015, 00:27
revolution (Joined: 24 Aug 2004, Posts: 17350)
I found that in the win32 fasm.exe I needed to set the memory size to trigger this bug. The following three values will crash:
Code:
fasm -m10 test.asm
fasm -m100 test.asm
fasm -m1000 test.asm
Post 09 Mar 2015, 01:11
l_inc (Joined: 23 Oct 2009, Posts: 881)
revolution
That's because it's a (semi-)arbitrary write in the expression calculator. If the amount of allocated memory is large enough, the write would be made into an unused, but still allocated writable region. Btw. this one could be exploitable.

Post 09 Mar 2015, 01:20
Tomasz Grysztar (Joined: 16 Jun 2003, Posts: 7737, Location: Kraków, Poland)
This one is a very old bug in the MOVQ handler that caused the assembler to go off the rails and try to read expression data from memory containing something different. I'm uploading the correction as 1.71.38, with some other small fixes at the same time.
Post 09 Mar 2015, 08:20
jn (Joined: 24 Feb 2015, Posts: 5)
Ok, got a weird one:
Code:
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\0":0

That's 256 backslashes followed by '0":0'. You could generate it like this:
Code:
times 0x100 db '\'
db '0":0'


Filename: min4.asm
Filesize: 260 Bytes

Post 11 Mar 2015, 17:07
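An added example (not from fasm or from any of the posters) that rebuilds both attachments byte-for-byte from what the thread gives: test.asm from the hexdump in the first post, and min4.asm from the "256 backslashes followed by 0":0" description above. The hexdump parser, the size and trailing-newline checks and the file writer are this example's own; the sizes are checked against the 62 and 260 bytes listed for the attachments.

```python
"""Rebuild the thread's two fuzz-found fasm inputs byte-for-byte.

Added example, not fasm code and not from the posts: the hexdump text is
copied from the first post and the backslash recipe from the later one; the
parser, the checks and the writer are this example's own. File names follow
the attachments (test.asm, min4.asm).
"""
import re
from pathlib import Path
from typing import Dict

# Copied from the first post: `hexdump -C` layout of the 62-byte test.asm.
TEST_ASM_HEXDUMP = """\
00000000  70 6f 73 74 70 6f 6e 65  7b 0a 30 20 20 20 20 20  |postpone{.0     |
00000010  20 7b 0a 30 20 30 20 30  30 30 30 30 30 30 20 30  | {.0 0 0000000 0|
00000020  20 30 20 30 30 30 30 30  30 30 30 20 30 20 30 0a  | 0 00000000 0 0.|
00000030  20 20 70 6f 73 74 70 6f  6e 65 20 20 7d 30        |  postpone  }0|
0000003e
"""

# offset, 1..16 hex byte pairs, optional |ascii| column
_DATA_LINE = re.compile(
    r"^(?P<off>[0-9a-fA-F]{8})(?P<hex>(?:\s+[0-9a-fA-F]{2}){1,16})\s*(?:\|.*\|)?\s*$")
_TRAILER = re.compile(r"^[0-9a-fA-F]{8}$")   # final offset-only line = total size


def parse_hexdump_c(text: str) -> bytes:
    """Decode `hexdump -C` output into the exact bytes it describes.

    The ASCII column is ignored (it is lossy: non-printables show as '.').
    Offsets are checked so a dropped or duplicated row is caught, the trailer
    is treated as the declared size, and a '*' squeeze row (emitted for
    repeated rows when -v is not used) is rejected rather than guessed at.
    """
    data = bytearray()
    declared = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            raise ValueError("squeezed repeat row: regenerate with hexdump -Cv")
        m = _DATA_LINE.match(line)
        if m:
            if int(m["off"], 16) != len(data):
                raise ValueError(f"offset {m['off']} does not match {len(data)} bytes decoded")
            data += bytes.fromhex("".join(m["hex"].split()))
        elif _TRAILER.match(line):
            declared = int(line, 16)
        else:
            raise ValueError(f"unrecognised hexdump line: {raw!r}")
    if declared is not None and declared != len(data):
        raise ValueError(f"trailer declares {declared} bytes, decoded {len(data)}")
    return bytes(data)


def build_min4_asm(count: int = 0x100) -> bytes:
    """`count` backslashes followed by 0":0, as the post describes (260 bytes)."""
    return b"\\" * count + b'0":0'


def describe(data: bytes) -> Dict[str, object]:
    """Size, line count and whether the input ends in a newline, which the
    first post points out for test.asm (an unterminated last line is a
    classic edge case for line-oriented parsers)."""
    ends_nl = data.endswith(b"\n")
    lines = data.count(b"\n") + (0 if ends_nl or not data else 1)
    return {"size": len(data), "lines": lines, "trailing_newline": ends_nl}


def write_cases(directory: Path) -> Dict[str, bytes]:
    """Write both inputs as binary files so no newline translation happens."""
    cases = {"test.asm": parse_hexdump_c(TEST_ASM_HEXDUMP),
             "min4.asm": build_min4_asm()}
    directory.mkdir(parents=True, exist_ok=True)
    for name, blob in cases.items():
        (directory / name).write_bytes(blob)
    return cases


if __name__ == "__main__":
    for name, blob in write_cases(Path("cases")).items():
        print(name, describe(blob))
```

Running it writes the two files into ./cases; feed them to an unfixed 1.71.x build with the -m values from the thread to reproduce, or drop them into an AFL input directory as seeds.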
Tomasz Grysztar (Joined: 16 Jun 2003, Posts: 7737, Location: Kraków, Poland)
The "256 backslashes" phrase was enough for me to immediately know where to go and what kind of omission to look for. Smile Fixed in 1.71.39.
Post 11 Mar 2015, 17:25
Copyright © 1999-2020, Tomasz Grysztar.