From 43fb3ded90e772f366b4b8118f7ab006a9842248 Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Tue, 23 May 2023 10:09:39 +0000
Subject: [PATCH 1/4] add nasm_cve-2018-16517

---
 .../methods/ConcFuzz/crash_tags.yaml | 1 +
 targets/nasm_cve-2018-16517/README.md | 17 ++++++++++++++
 targets/nasm_cve-2018-16517/build.sh | 23 +++++++++++++++++++
 targets/nasm_cve-2018-16517/config.sh | 6 +++++
 targets/nasm_cve-2018-16517/preinstall.sh | 4 ++++
 .../nasm_cve-2018-16517/root_causes/locations | 7 ++++++
 .../root_causes/predicates | 0
 targets/nasm_cve-2018-16517/seeds/default | 1 +
 8 files changed, 59 insertions(+)
 create mode 100644 targets/nasm_cve-2018-16517/README.md
 create mode 100755 targets/nasm_cve-2018-16517/build.sh
 create mode 100755 targets/nasm_cve-2018-16517/config.sh
 create mode 100755 targets/nasm_cve-2018-16517/preinstall.sh
 create mode 100644 targets/nasm_cve-2018-16517/root_causes/locations
 create mode 100644 targets/nasm_cve-2018-16517/root_causes/predicates
 create mode 100644 targets/nasm_cve-2018-16517/seeds/default

diff --git a/data_augmentation/methods/ConcFuzz/crash_tags.yaml b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
index 6c9365b..ebd9168 100644
--- a/data_augmentation/methods/ConcFuzz/crash_tags.yaml
+++ b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
@@ -3,5 +3,6 @@ lua_cve-2019-6706: asan;0;lapi.c:1294
 libjpeg_cve-2018-19664: asan;0;oracle_source/wrbmp.c:145
 libjpeg_cve-2017-15232: asan;0;oracle_source/jquant1.c:536
 libxml2_cve-2017-5969: asan;0;oracle_source/valid.c:1181
+nasm_cve-2018-16517: asan;2;oracle_source/asm/nasm.c:1484
 readelf_cve-2019-9077: asan;0;binutils/readelf.c:16204
 mruby_hackerone-reports-185041: asan;4;error.c:290
diff --git a/targets/nasm_cve-2018-16517/README.md b/targets/nasm_cve-2018-16517/README.md
new file mode 100644
index 0000000..af9aa96
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/README.md
@@ -0,0 +1,17 @@
+# CVE-2018-16517
+## reference
+https://packetstormsecurity.com/files/152566/Netwide-Assembler-NASM-2.14rc15-Null-Pointer-Dereference.html
+## description
+
+Even though there is no label for equ command, nasm run as if the label exists while the label pointer is NULL and occurs Null Pointer Dereference.
+
+## patch
+https://github.com/netwide-assembler/nasm/commit/e996d28c70d45008085322b442b44a9224308548
+## fixed files
+
+https://github.com/netwide-assembler/nasm/commit/e996d28c70d45008085322b442b44a9224308548#diff-53dd0f5a0dbace1711e5109a395f58c53a6ba9fc6952c74a2420e9d7d027bb04
+
+## Source of PoC
+
+https://packetstormsecurity.com/files/152566/Netwide-Assembler-NASM-2.14rc15-Null-Pointer-Dereference.html
diff --git a/targets/nasm_cve-2018-16517/build.sh b/targets/nasm_cve-2018-16517/build.sh
new file mode 100755
index 0000000..c79b949
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+cd $TARGET_ROOT
+
+. ${TARGET_ROOT}/config.sh
+
+git clone --branch nasm-2.14rc15 --depth 1 https://github.com/netwide-assembler/nasm.git $1
+cd ${TARGET_ROOT}/$1
+sh autogen.sh
+
+TARGET_DEF_CFLAGS="${TARGET_DEF_CFLAGS-} "
+TARGET_DEF_CXXFLAGS="${TARGET_DEF_CXXFLAGS-} "
+ARGS=""
+for var in "${!TARGET_DEF_@}"; do
+ ARGS="${ARGS} ${var#TARGET_DEF_}=\"$(echo ${!var})\""
+done
+
+eval ./configure 'CFLAGS="-static -static-libasan"'
+
+eval make ${ARGS} -j$(nproc) nasm
+
+#set +e
+#./nasm -f elf ../poc
diff --git a/targets/nasm_cve-2018-16517/config.sh b/targets/nasm_cve-2018-16517/config.sh
new file mode 100755
index 0000000..da4b4ae
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/config.sh
@@ -0,0 +1,6 @@
+
+#!/bin/bash
+set -eux
+
+export RELPATH=nasm
+export ARGS="-f elf @@"
diff --git a/targets/nasm_cve-2018-16517/preinstall.sh b/targets/nasm_cve-2018-16517/preinstall.sh
new file mode 100755
index 0000000..b728598
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/preinstall.sh
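Review bot: The `make` step in build.sh assembles its arguments as a string and `eval`s it (`ARGS="${ARGS} ${var#TARGET_DEF_}=\"$(echo ${!var})\""`, then `eval make ${ARGS} -j$(nproc) nasm`), so any TARGET_DEF_* value containing `"`, `$`, backticks or `;` is re-parsed by the shell instead of reaching make literally, and `$(echo ${!var})` additionally word-splits and globs the value; collecting the NAME=value pairs in an array and expanding `"${make_args[@]}"` passes every value verbatim and removes both `eval`s (the `./configure` one only guards a literal). Before that, `cd $TARGET_ROOT` on line 3 is unquoted and unchecked and the script sets no shell options of its own, so with TARGET_ROOT unset the bare `cd` lands in `$HOME`, the failing `. /config.sh` is not fatal in bash's default mode, and the clone proceeds from there; `set -euo pipefail` plus `cd -- "${TARGET_ROOT:?}"` turns that into a hard stop. Note that the `set -eux` in config.sh (same commit) takes effect inside build.sh once config.sh is sourced on line 5, so everything after it already runs with `-e`/`-u`/`-x`, including tracing of each expanded TARGET_DEF_* value into the build log — if that is intended it is worth a comment, and if not, the options belong in build.sh rather than in a file that is both executable and sourced. The clone pins only the tag `nasm-2.14rc15`; checking the resolved commit against an expected value (e.g. `[ "$(git rev-parse HEAD)" = "<EXPECTED_COMMIT>" ]`) keeps the oracle build reproducible if the tag is ever moved.
```shell
#!/bin/bash
set -euo pipefail

cd -- "${TARGET_ROOT:?TARGET_ROOT must be set}"

# … unchanged: source config.sh, git clone, cd into "$1", autogen.sh …

TARGET_DEF_CFLAGS="${TARGET_DEF_CFLAGS-} "
TARGET_DEF_CXXFLAGS="${TARGET_DEF_CXXFLAGS-} "
make_args=()
for var in "${!TARGET_DEF_@}"; do
  # NAME=value pairs reach make verbatim; nothing is re-parsed by the shell.
  make_args+=("${var#TARGET_DEF_}=${!var}")
done

./configure CFLAGS="-static -static-libasan"

make "${make_args[@]}" -j"$(nproc)" nasm

# … unchanged: commented-out PoC run …
```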
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y --no-install-recommends build-essential autoconf
diff --git a/targets/nasm_cve-2018-16517/root_causes/locations b/targets/nasm_cve-2018-16517/root_causes/locations
new file mode 100644
index 0000000..de189f7
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/root_causes/locations
@@ -0,0 +1,7 @@
+asm/nasm.c:1477
+asm/nasm.c:1478
+asm/nasm.c:1479
+asm/nasm.c:1480
+asm/nasm.c:1481
+asm/nasm.c:1482
+asm/nasm.c:1483
diff --git a/targets/nasm_cve-2018-16517/root_causes/predicates b/targets/nasm_cve-2018-16517/root_causes/predicates
new file mode 100644
index 0000000..e69de29
diff --git a/targets/nasm_cve-2018-16517/seeds/default b/targets/nasm_cve-2018-16517/seeds/default
new file mode 100644
index 0000000..d8091a2
--- /dev/null
+++ b/targets/nasm_cve-2018-16517/seeds/default
@@ -0,0 +1 @@
+equ push rax

From dca6a5fa8dd66ea4b42d3bd2f2c63c9cbd256c08 Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Fri, 2 Jun 2023 09:25:58 +0000
Subject: [PATCH 2/4] delete first empty line

---
 targets/nasm_cve-2018-16517/config.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/targets/nasm_cve-2018-16517/config.sh b/targets/nasm_cve-2018-16517/config.sh
index da4b4ae..1d2729a 100755
--- a/targets/nasm_cve-2018-16517/config.sh
+++ b/targets/nasm_cve-2018-16517/config.sh
@@ -1,4 +1,3 @@
-
 #!/bin/bash
 set -eux

From dcb3dbe486f1cabf2dac66038c8470c69a4bf075 Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Fri, 2 Jun 2023 09:26:40 +0000
Subject: [PATCH 3/4] delete file prefix in locations

---
 targets/nasm_cve-2018-16517/root_causes/locations | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/targets/nasm_cve-2018-16517/root_causes/locations b/targets/nasm_cve-2018-16517/root_causes/locations
index de189f7..e1fc95b 100644
--- a/targets/nasm_cve-2018-16517/root_causes/locations
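Review bot: preinstall.sh runs `apt-get update` and `apt-get install` with no `set -e`, so a failed `update` still proceeds to an install against stale package lists and the script's exit status is only that of the last command; `set -euo pipefail` directly after the shebang closes both gaps. The package list also lacks `git`, which build.sh in the same commit needs for its `git clone`, and, as far as I can tell, `perl`, which nasm's autotools build uses to generate sources — unless the base image already ships them the build fails at a later, less obvious step, so `apt-get install -y --no-install-recommends build-essential autoconf git perl` would make this script self-sufficient. Whether the image provides those tools is not visible from this patch, so confirm before adding.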
+++ b/targets/nasm_cve-2018-16517/root_causes/locations
@@ -1,7 +1,7 @@
-asm/nasm.c:1477
-asm/nasm.c:1478
-asm/nasm.c:1479
-asm/nasm.c:1480
-asm/nasm.c:1481
-asm/nasm.c:1482
-asm/nasm.c:1483
+nasm.c:1477
+nasm.c:1478
+nasm.c:1479
+nasm.c:1480
+nasm.c:1481
+nasm.c:1482
+nasm.c:1483

From 077aee7bfd04b3b3d52481f47b3ce6dcbbc3626e Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Mon, 12 Jun 2023 19:02:25 +0900
Subject: [PATCH 4/4] Update crash_tags.yaml

---
 data_augmentation/methods/ConcFuzz/crash_tags.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data_augmentation/methods/ConcFuzz/crash_tags.yaml b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
index ebd9168..c4afef8 100644
--- a/data_augmentation/methods/ConcFuzz/crash_tags.yaml
+++ b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
@@ -3,6 +3,6 @@ lua_cve-2019-6706: asan;0;lapi.c:1294
 libjpeg_cve-2018-19664: asan;0;oracle_source/wrbmp.c:145
 libjpeg_cve-2017-15232: asan;0;oracle_source/jquant1.c:536
 libxml2_cve-2017-5969: asan;0;oracle_source/valid.c:1181
-nasm_cve-2018-16517: asan;2;oracle_source/asm/nasm.c:1484
+nasm_cve-2018-16517: asan;3;asm/nasm.c:1484
 readelf_cve-2019-9077: asan;0;binutils/readelf.c:16204
 mruby_hackerone-reports-185041: asan;4;error.c:290
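Review bot: After patch 3/4 `root_causes/locations` names the file as `nasm.c:1477`…`nasm.c:1483` with the `asm/` directory dropped, while patch 4/4 leaves the crash tag as `asm/nasm.c:1484`, so the same source file is now spelled two ways within one series; the existing entries in crash_tags.yaml already mix forms (`lapi.c:1294`, `oracle_source/wrbmp.c:145`, `binutils/readelf.c:16204`), which suggests the tag takes the path as it appears in the sanitizer frame, but the locations file states no convention at all. If either consumer matches file names by exact string, one of the two entries will never match, so a one-line comment at the top of crash_tags.yaml such as `# <target>: <sanitizer>;<frame index>;<file:line as printed in the sanitizer frame>` would let the next contributor get both files right without reading the matcher — the frame-index reading of the middle field is my inference from `asan;2;` becoming `asan;3;`, not something the patch states. That index change is also the whole content of patch 4/4 and its subject `Update crash_tags.yaml` gives no reason; a sentence in the commit message (or in the comment above) saying which frame of the report the tag is meant to point at would make the value reviewable.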