Bugzilla – Bug 1047936
VUL-0: CVE-2017-10686: nasm: Multiple heap use after free vulnerabilities
Last modified: 2019-12-11 20:21:04 UTC
Created attachment 731747
Reproducers CVE-2017-10686

In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write in detoken(). It has a high possibility to lead to a remote code execution attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10686
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10686.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10686
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
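The report above only says "allocated in token(), freed in detoken(), used again later". The block below is an added example written for this page, not NASM's code: struct Token, new_Token, delete_Token, free_tlist, paste_tokens and paste_demo are hypothetical stand-ins that borrow NASM's names purely so the idiom reads like the disassembly in the next comment. It shows the list-walk-and-delete pattern that avoids a heap use-after-free (delete_Token returns the successor, and the caller rebinds its iterator to that return value, the same strcpy / strchr / delete_Token / store-result sequence visible in the dump), with the unsafe variant left as a comment at the one step where it differs. The sample token list is constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a preprocessor token list. Not NASM's struct
 * Token: the names are reused only so the idiom reads like the disassembly. */
typedef struct Token {
    struct Token *next;
    char *text;          /* heap buffer owned by this node */
} Token;

static char *dup_text(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    return p;
}

/* Allocate a node owning its own copy of text, linked in front of next. */
static Token *new_Token(Token *next, const char *text)
{
    Token *t = malloc(sizeof *t);
    if (!t) abort();
    t->next = next;
    t->text = dup_text(text);
    return t;
}

/* Free one node and return its successor. Reading next BEFORE freeing, and
 * handing it back, is what lets callers keep walking without a stale pointer. */
static Token *delete_Token(Token *t)
{
    Token *next = t->next;
    free(t->text);
    free(t);
    return next;
}

static void free_tlist(Token *t)
{
    while (t)
        t = delete_Token(t);
}

/* Merge the text of every token in [first, last) into first and unlink the
 * consumed nodes. The strcpy / strchr / t = delete_Token(t) sequence mirrors
 * the paste_tokens loop shown in the disassembly in the next comment. */
static Token *paste_tokens(Token *first, Token *last)
{
    size_t len = 0;
    char *buf, *p;
    Token *t;

    if (first == last)
        return first;                      /* nothing to paste */
    for (t = first; t != last; t = t->next)
        len += strlen(t->text);
    buf = malloc(len + 1);
    if (!buf) abort();

    strcpy(buf, first->text);
    p = strchr(buf, '\0');                 /* append position */
    for (t = first->next; t != last; ) {
        strcpy(p, t->text);
        p = strchr(p, '\0');
        /* Use-after-free variant of this step:
         *     free(t->text); free(t); t = t->next;
         * t->next is read from freed memory; ASan reports it as
         * heap-use-after-free, without ASan the walk continues on garbage. */
        t = delete_Token(t);
    }
    free(first->text);
    first->text = buf;
    first->next = last;
    return first;
}

/* Constructed sample: list a -> b -> c -> d, paste a..c. Writes the surviving
 * tokens space-separated into out and returns how many remain. */
static int paste_demo(char *out, size_t outlen)
{
    Token *d = new_Token(NULL, "d");
    Token *head = new_Token(new_Token(new_Token(d, "c"), "b"), "a");
    int n = 0;

    head = paste_tokens(head, d);
    out[0] = '\0';
    for (Token *t = head; t; t = t->next, n++) {
        if (n)
            strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, t->text, outlen - strlen(out) - 1);
    }
    free_tlist(head);
    return n;
}

int main(void)
{
    char buf[64];
    int n = paste_demo(buf, sizeof buf);
    printf("%d tokens left: %s\n", n, buf);   /* 2 tokens left: abc d */
    return 0;
}
```

Build it with `cc -std=c99 -g -fsanitize=address paste_demo.c` and it runs clean; swap the commented-out `free(...); t = t->next;` in for the `t = delete_Token(t)` line and the same build aborts with a heap-use-after-free report at the `t->next` read. The same ASan-instrumented build of nasm itself is the quickest way to confirm whether the attached reproducers still trigger after a fix, and it does not suffer from the valgrind oddity described in the next comment.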
The reproducer with nasm seems to cause valgrind to do funny things,

Dump of assembler code from 0x443d6f to 0x443dbf:
   0x0000000000443d6f <paste_tokens+894>:  jmp    0x443dad <paste_tokens+956>
   0x0000000000443d71 <paste_tokens+896>:  mov    -0x8(%rbp),%rax
   0x0000000000443d75 <paste_tokens+900>:  mov    0x8(%rax),%rdx
   0x0000000000443d79 <paste_tokens+904>:  mov    -0x30(%rbp),%rax
   0x0000000000443d7d <paste_tokens+908>:  mov    %rdx,%rsi
   0x0000000000443d80 <paste_tokens+911>:  mov    %rax,%rdi
   0x0000000000443d83 <paste_tokens+914>:  callq  0x401260 <strcpy@plt>
   0x0000000000443d88 <paste_tokens+919>:  mov    -0x30(%rbp),%rax
   0x0000000000443d8c <paste_tokens+923>:  mov    $0x0,%esi
   0x0000000000443d91 <paste_tokens+928>:  mov    %rax,%rdi
   0x0000000000443d94 <paste_tokens+931>:  callq  0x4012f0 <strchr@plt>
   0x0000000000443d99 <paste_tokens+936>:  mov    %rax,-0x30(%rbp)
   0x0000000000443d9d <paste_tokens+940>:  mov    -0x8(%rbp),%rax
   0x0000000000443da1 <paste_tokens+944>:  mov    %rax,%rdi
   0x0000000000443da4 <paste_tokens+947>:  callq  0x43d2b0 <delete_Token>
   0x0000000000443da9 <paste_tokens+952>:  mov    %rax,-0x8(%rbp)
   0x0000000000443dad <paste_tokens+956>:  mov    -0x8(%rbp),%rax
   0x0000000000443db1 <paste_tokens+960>:  cmp    -0x10(%rbp),%rax
   0x0000000000443db5 <paste_tokens+964>:  jne    0x443d71 <paste_tokens+896>
   0x0000000000443db7 <paste_tokens+966>:  mov    -0x48(%rbp),%rax
   0x0000000000443dbb <paste_tokens+970>:  mov    %rax,%rdi
   0x0000000000443dbe <paste_tokens+973>:  callq  0x43c28e <tokenize>
End of assembler dump.

And doing stepi results in this execution trace,

rip            0x443d6f   0x443d6f <paste_tokens+894>
rip            0x443dad   0x443dad <paste_tokens+956>
rip            0x443db1   0x443db1 <paste_tokens+960>
rip            0x443db5   0x443db5 <paste_tokens+964>
rip            0x443ca8   0x443ca8 <paste_tokens+695>   <--- HUH??

Execution has correct path running this without valgrind (3.13.0-196.d_t.1)
Patches submitted upstream for review.
Fixes submitted to all codestreams. Re-assigning back to security team.
This is an autogenerated message for OBS integration: This bug (1047936) was mentioned in https://build.opensuse.org/request/show/512649 Factory / nasm
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-08-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63807
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-08-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63812
SUSE-SU-2017:2044-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047925,1047936
CVE References: CVE-2017-10686,CVE-2017-11111
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    nasm-2.10.09-4.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    nasm-2.10.09-4.5.1
SUSE-SU-2017:2045-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1047936
CVE References: CVE-2017-10686
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    nasm-2.03.90-2.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    nasm-2.03.90-2.3.1
release for Leap, done
openSUSE-SU-2017:2125-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047925,1047936
CVE References: CVE-2017-10686,CVE-2017-11111
Sources used:
openSUSE Leap 42.3 (src):    nasm-2.10.09-10.1
openSUSE Leap 42.2 (src):    nasm-2.10.09-7.3.1
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743
CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.