[Nasm-bugs] [Bug 3392576] New: asm/pragma.c: NULL-ptr dereference in limit pragma parser

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Tue Jun 18 18:16:48 PDT 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392576

            Bug ID: 3392576
           Summary: asm/pragma.c: NULL-ptr dereference in limit pragma
                    parser
           Product: NASM
           Version: 2.14.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: rkx1209dev at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411720
  --> https://bugzilla.nasm.us/attachment.cgi?id=411720&action=edit
Proof of Concept ASM file

If "%pragma limit" isn't followed by any words, the asm parser reaches end of file
and nasm_get_word() returns NULL.

However, process_pragma() still tries to continue parsing the parameters of the limit
pragma, which are expected to be located at the next word.

As a result nasm_set_limit() is called with a NULL pointer, causing a NULL-ptr
dereference.

./nasm-2.14.02/nasm -felf64 ~/nullderef_nasm-2.14.02_pragma_limit
Segmentation fault (core dumped)

(gdb) bt
#0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
#1  0x000000000040268d in nasm_set_limit (limit=0x0, valstr=0x0) at
asm/nasm.c:199
#2  0x0000000000442fd4 in search_pragma_list (list=<optimized out>,
default_name=0x0, generic_handler=0x0, 
    pragma=0x7fffffffe0a0) at asm/pragma.c:137
#3  0x0000000000442b83 in process_pragma (str=<optimized out>) at
asm/pragma.c:218
#4  0x000000000043f22d in process_directives (directive=0x7a4021 "pragma") at
asm/directiv.c:503
#5  0x0000000000407eaa in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1498
#6  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:617
(gdb) up
#1  0x000000000040268d in nasm_set_limit (limit=0x0, valstr=0x0) at
asm/nasm.c:199
199             if (!nasm_stricmp(limit, limit_info[i].name))
(gdb) p/x limit
$1 = 0x0

Thanks
Ren
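As an added illustration of the missing check described in this report, and not code from NASM or from the reporter: a small C model of a limit-pragma parser in which the word fetch returns NULL at end of input, and the set-limit routine rejects NULL arguments up front instead of handing them to a case-insensitive string compare. The limit names, the status enum and the function names are constructed for this example and do not correspond to NASM's own identifiers.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit table for the example; not NASM's limit_info[]. */
static const char *const limit_names[] = { "passes", "lines" };
#define NUM_LIMITS (sizeof(limit_names) / sizeof(limit_names[0]))

enum pragma_status {
    PRAGMA_OK = 0,
    PRAGMA_NOT_LIMIT,      /* line is not a "%pragma limit" line */
    PRAGMA_MISSING_NAME,   /* "%pragma limit" with nothing after it */
    PRAGMA_MISSING_VALUE,  /* "%pragma limit <name>" with no value */
    PRAGMA_UNKNOWN_LIMIT,
    PRAGMA_BAD_VALUE
};

/* Word fetch modelled on a get-word helper: skips whitespace, copies the next
 * token into buf, advances *cursor.  Returns NULL once the input is exhausted,
 * which is the return value every caller has to check. */
static const char *get_word(const char **cursor, char *buf, size_t buflen)
{
    const char *s = *cursor;
    size_t n = 0;

    while (*s && isspace((unsigned char)*s))
        s++;
    if (*s == '\0') {
        *cursor = s;
        return NULL;
    }
    while (*s && !isspace((unsigned char)*s)) {
        if (n + 1 < buflen)
            buf[n++] = *s;
        s++;               /* over-long tokens are truncated, not split */
    }
    buf[n] = '\0';
    *cursor = s;
    return buf;
}

/* Case-insensitive compare; both arguments must be non-NULL. */
static int ascii_stricmp(const char *a, const char *b)
{
    while (*a && *b) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d)
            return d;
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Hardened set-limit stand-in: a NULL name or value becomes an error status
 * instead of reaching the string compare (the crash site in the report). */
static enum pragma_status set_limit(const char *limit, const char *valstr, long *out)
{
    size_t i;
    char *end;
    long v;

    if (limit == NULL)
        return PRAGMA_MISSING_NAME;
    if (valstr == NULL)
        return PRAGMA_MISSING_VALUE;

    for (i = 0; i < NUM_LIMITS; i++)
        if (ascii_stricmp(limit, limit_names[i]) == 0)
            break;
    if (i == NUM_LIMITS)
        return PRAGMA_UNKNOWN_LIMIT;

    errno = 0;
    v = strtol(valstr, &end, 10);
    if (errno || end == valstr || *end != '\0' || v < 0)
        return PRAGMA_BAD_VALUE;
    *out = v;
    return PRAGMA_OK;
}

/* Parses one "%pragma limit <name> <value>" line.  The name and value words
 * may each come back NULL on a truncated line; they are passed to set_limit,
 * which refuses NULL, so the parser reports an error instead of crashing. */
enum pragma_status parse_limit_pragma(const char *line, long *out)
{
    const char *cursor = line;
    char w1[32], w2[32], w_name[32], w_value[32];
    const char *name, *value;

    if (!get_word(&cursor, w1, sizeof w1) || ascii_stricmp(w1, "%pragma") != 0)
        return PRAGMA_NOT_LIMIT;
    if (!get_word(&cursor, w2, sizeof w2) || ascii_stricmp(w2, "limit") != 0)
        return PRAGMA_NOT_LIMIT;

    name = get_word(&cursor, w_name, sizeof w_name);    /* may be NULL */
    value = get_word(&cursor, w_value, sizeof w_value); /* may be NULL */
    return set_limit(name, value, out);
}

int main(void)
{
    /* Constructed inputs, including the truncated line from the report. */
    const char *lines[] = { "%pragma limit", "%pragma limit passes",
                            "%pragma limit passes 100", "%pragma limit bogus 1" };
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        long v = 0;
        int st = parse_limit_pragma(lines[i], &v);
        printf("%-26s -> status %d value %ld\n", lines[i], st, v);
    }
    return 0;
}
```

The defensive point is that the NULL check belongs at the first place the word pointer is consumed: whichever routine receives the result of the word fetch must treat NULL as "no more input" before doing anything else with it.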
