flat assembler
Message board for the users of flat assembler.
jn 24 Feb 2015, 10:54
The following malformed snippet of … malformedness makes fasm segfault on linux (hexdump):
Code:
00000000  70 6f 73 74 70 6f 6e 65  7b 0a 30 20 20 20 20 20  |postpone{.0     |
00000010  20 7b 0a 30 20 30 20 30  30 30 30 30 30 30 20 30  | {.0 0 0000000 0|
00000020  20 30 20 30 30 30 30 30  30 30 30 20 30 20 30 0a  | 0 00000000 0 0.|
00000030  20 20 70 6f 73 74 70 6f  6e 65 20 20 7d 30        |  postpone  }0|
0000003e
I haven't tested on other platforms.
[ this bug was found by fuzzing with http://lcamtuf.coredump.cx/afl/ ]
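To reproduce the report without retyping the bytes, here is an added example (my code, not jn's or the fasm project's) that parses `hexdump -C` output back into the original file, checking the offsets, the ASCII column and the trailing length line; the embedded dump is the one from the post with its column spacing restored.

```python
import re

# Added example (not from the post): rebuild a file from `hexdump -C` text so
# the crashing input can be written to disk and re-run under a debugger.
# SAMPLE_DUMP is the dump jn posted, with the ASCII-column spacing restored.
SAMPLE_DUMP = """\
00000000  70 6f 73 74 70 6f 6e 65  7b 0a 30 20 20 20 20 20  |postpone{.0     |
00000010  20 7b 0a 30 20 30 20 30  30 30 30 30 30 30 20 30  | {.0 0 0000000 0|
00000020  20 30 20 30 30 30 30 30  30 30 30 20 30 20 30 0a  | 0 00000000 0 0.|
00000030  20 20 70 6f 73 74 70 6f  6e 65 20 20 7d 30        |  postpone  }0|
0000003e
"""

# offset, 1..16 hex bytes (hexdump puts an extra gap after the 8th), |ascii|
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|(.*)\|$")


def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    prev_chunk = b""
    squeezed = False            # a '*' line means "previous line repeats"
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            squeezed = True
            continue
        m = LINE_RE.match(line)
        if m is None:
            # the last line carries only the total length; use it as a check
            total = int(line, 16)
            if squeezed:
                out.extend(prev_chunk * ((total - len(out)) // len(prev_chunk)))
            if total != len(out):
                raise ValueError(f"length mismatch: dump says {total:#x}, got {len(out):#x}")
            return bytes(out)
        offset = int(m.group(1), 16)
        if squeezed:
            out.extend(prev_chunk * ((offset - len(out)) // len(prev_chunk)))
            squeezed = False
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} does not follow {len(out):#x}")
        chunk = bytes.fromhex("".join(m.group(2).split()))
        rendered = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        if m.group(3) != rendered:
            raise ValueError(f"ASCII column mismatch at offset {offset:#x}")
        out.extend(chunk)
        prev_chunk = chunk
    return bytes(out)
```

Writing the returned bytes to `test.asm` gives the exact 62-byte input the dump describes; a dump whose length line disagrees with the bytes is rejected rather than silently truncated.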
jn 24 Feb 2015, 11:31
Ok, I tested with different memory limits:
Code:
$ for i in `seq 20 60`; do fasm -m $(($i * 1024)) test.asm &>how; test $? == 139 && cat how && dmesg | tail -n1; done
flat assembler version 1.71.22 (32768 kilobytes memory)
test.asm [4]:
postpone }0
[1176782.812978] fasm[9557]: segfault at 736f7000 ip 0000000008048480 sp 00000000ffe85d00 error 4 in fasm[8048000+17000]
flat assembler version 1.71.22 (35840 kilobytes memory)
test.asm [4]:
postpone }0
[1176782.942880] fasm[9566]: segfault at 0 ip 0000000008048480 sp 00000000ff871280 error 4 in fasm[8048000+17000]
flat assembler version 1.71.22 (52224 kilobytes memory)
test.asm [4]:
postpone }0
[1176783.391018] fasm[9585]: segfault at 736f7000 ip 0000000008048480 sp 00000000ffe54630 error 4 in fasm[8048000+17000]
flat assembler version 1.71.22 (55296 kilobytes memory)
test.asm [4]:
postpone }0
[1176783.538050] fasm[9591]: segfault at 0 ip 0000000008048480 sp 00000000fff4cda0 error 4 in fasm[8048000+17000]
Interestingly, the memory limits that result in a crash are non-contiguous.
l_inc 24 Feb 2015, 15:03
Code:
postpone { postpone }
P.S. OK. This is a bit more complicated than that, because the crash depends even on the environment. But it is obviously related to the way an error is reported for invalid constructs inside a postpone block.
Tomasz Grysztar 25 Feb 2015, 15:39
Corrected with the new release.
jn 26 Feb 2015, 04:25
Thanks!
I've found another segfault bug, though:
Code:
irp 0={}
As with the other bug, it depends on the memory limit setting (some values show "out of memory" instead of crashing). I suspect that something's wrong in the Linux memory allocation layer, but I really don't know the code.
revolution 26 Feb 2015, 05:23
Crashes in Win32 console also with the 8 byte file "irp 0={}".
Code:
fasm -m10000 test.asm
flat assembler version 1.71.35 (10000 kilobytes memory)
<crash>
Tomasz Grysztar 26 Feb 2015, 09:35
Thanks. This was* another bug introduced by changes and additions in the 1.71.x development line (1.70 does not crash on this code, nor does it have a problem with "postpone", because there was no such directive back then). This shows that perhaps switching from the stable download of 1.70 to a "semi-stable" build from the 1.71 line was a bit premature, since the new line clearly was not tested enough.
___
*It was, as I'm uploading the corrected build now.
JohnFound 26 Feb 2015, 13:27
Tomasz Grysztar wrote:
This shows that perhaps switching from the stable download of 1.70 to a "semi-stable" build from 1.71 line was a bit premature, since the new line clearly was not tested enough.
IMHO, it is not exactly true. Of course, it is better to not have bugs at all, but unfortunately it is impossible. These bugs are not so serious, and can't cause big troubles on normal use. And by the way, Fresh IDE is not affected, or perhaps the bugs do not manifest themselves.
HaHaAnonymous 26 Feb 2015, 15:34
[ Post removed by author. ]
revolution 26 Feb 2015, 15:44
HaHaAnonymous wrote:
It is not an exaggeration to say you should waste more time testing your program than actually coding it.
jn 09 Mar 2015, 00:27
Ok, I found another crash:
Code:
movq mm0,,mm0 word[
revolution 09 Mar 2015, 01:11
I found in win32 fasm.exe I needed to set the memory size to trigger this bug. The following three values will crash:
Code:
fasm -m10 test.asm
fasm -m100 test.asm
fasm -m1000 test.asm
l_inc 09 Mar 2015, 01:20
revolution
That's because it's a (semi-)arbitrary write in the expression calculator. If the amount of allocated memory is large enough, the write would be made into an unused, but still allocated writable region. Btw. this one could be exploitable.
Tomasz Grysztar 09 Mar 2015, 08:20
This one is a very old bug in the MOVQ handler that caused the assembler to go off the rails and try to read expression data from memory containing something different. I'm uploading the correction as 1.71.38, with some other small fixes at the same time.
jn 11 Mar 2015, 17:07
Ok, got a weird one:
Code:
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\0":0
That's 256 backslashes followed by '0":0'. You could generate it like this:
Code:
times 0x100 db '\'
db '0":0'
Tomasz Grysztar 11 Mar 2015, 17:25
The "256 backslashes" phrase was enough for me to immediately know where to go and what kind of omission to look for.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.