[Nasm-bugs] [Bug 3392562] New: Nullptr deref in expand_smacro
noreply-nasm at gorcunov.org
Wed Mar 13 13:03:39 PDT 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392562
Bug ID: 3392562
Summary: Nullptr deref in expand_smacro
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: bugs-syssec at rub.de
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411716
--> https://bugzilla.nasm.us/attachment.cgi?id=411716&action=edit
nullptr_deref-expand_smacro.asm
While fuzzing NASM, a nullptr deref (write) was discovered. It can be triggered
by running `./nasm nullptr_deref-expand_smacro.asm`
Version:
NASM version 2.15rc0 compiled on Mar 13 2019
git master (commit 0bddd0f1b14aa614e1dd1c14297527dc24dee29c)
ASAN output:
```
expand_smacro.asm:2: error: `%9': not in a macro call
expand_smacro.asm:3: warning: unterminated string [-w+other]
expand_smacro.asm:3: error: macro call expects terminating `)'
ASAN:DEADLYSIGNAL
=================================================================
==16563==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x00000052d3fa bp 0x7ffe6ea135f0 sp 0x7ffe6ea13460 T0)
==16563==The signal is caused by a WRITE memory access.
==16563==Hint: address points to the zero page.
#0 0x52d3f9 in expand_smacro
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:4231:55
#1 0x520d5d in pp_getline
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:5176:21
#2 0x501f01 in assemble_file
/home/sww13/fuzz/target/nasm/nasm-git/asm/nasm.c:1549:24
#3 0x5007e8 in main /home/sww13/fuzz/target/nasm/nasm-git/asm/nasm.c:609:9
#4 0x7f8e1aa2f222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#5 0x41c269 in _start (/home/simon/Code/syssec/workdir/nasm/nasm-asan+0x41c269)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:4231:55 in expand_smacro
==16563==ABORTING
```
Valgrind output:
```
==16463== Memcheck, a memory error detector
==16463== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16463== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==16463== Command: ./nasm-plain expand_smacro.asm
==16463==
expand_smacro.asm:2: error: `%9': not in a macro call
expand_smacro.asm:3: warning: unterminated string [-w+other]
expand_smacro.asm:3: error: macro call expects terminating `)'
==16463== Invalid write of size 1
==16463== at 0x16B572: expand_smacro (preproc.c:4231)
==16463== by 0x17043E: pp_getline (preproc.c:5176)
==16463== by 0x15CE21: assemble_file (nasm.c:1549)
==16463== by 0x15ADC7: main (nasm.c:609)
==16463== Address 0x11 is not stack'd, malloc'd or (recently) free'd
==16463==
==16463==
==16463== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==16463== Access not within mapped region at address 0x11
==16463== at 0x16B572: expand_smacro (preproc.c:4231)
==16463== by 0x17043E: pp_getline (preproc.c:5176)
==16463== by 0x15CE21: assemble_file (nasm.c:1549)
==16463== by 0x15ADC7: main (nasm.c:609)
==16463== If you believe this happened as a result of a stack
==16463== overflow in your program's main thread (unlikely but
==16463== possible), you can try to increase the size of the
==16463== main thread stack using the --main-stacksize= flag.
==16463== The main thread stack size used in this run was 8388608.
==16463==
==16463== HEAP SUMMARY:
==16463== in use at exit: 308,055 bytes in 717 blocks
==16463== total heap usage: 1,167 allocs, 450 frees, 324,661 bytes allocated
==16463==
==16463== LEAK SUMMARY:
==16463== definitely lost: 0 bytes in 0 blocks
==16463== indirectly lost: 0 bytes in 0 blocks
==16463== possibly lost: 0 bytes in 0 blocks
==16463== still reachable: 308,055 bytes in 717 blocks
==16463== suppressed: 0 bytes in 0 blocks
==16463== Rerun with --leak-check=full to see details of leaked memory
==16463==
==16463== For counts of detected and suppressed errors, rerun with: -v
==16463== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```