[Nasm-bugs] [Bug 3392562] New: Nullptr deref in expand_smacro

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Wed Mar 13 13:03:39 PDT 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392562

            Bug ID: 3392562
           Summary: Nullptr deref in expand_smacro
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: bugs-syssec at rub.de
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411716
  --> https://bugzilla.nasm.us/attachment.cgi?id=411716&action=edit
nullptr_deref-expand_smacro.asm

While fuzzing NASM, a nullptr deref (write) was discovered. It can be triggered
by running `./nasm nullptr_deref-expand_smacro.asm`

Version:
NASM version 2.15rc0 compiled on Mar 13 2019
git master (commit 0bddd0f1b14aa614e1dd1c14297527dc24dee29c)

ASAN output:
```
expand_smacro.asm:2: error: `%9': not in a macro call
expand_smacro.asm:3: warning: unterminated string [-w+other]
expand_smacro.asm:3: error: macro call expects terminating `)'
ASAN:DEADLYSIGNAL
=================================================================
==16563==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc
0x00000052d3fa bp 0x7ffe6ea135f0 sp 0x7ffe6ea13460 T0)
==16563==The signal is caused by a WRITE memory access.
==16563==Hint: address points to the zero page.
    #0 0x52d3f9 in expand_smacro
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:4231:55
    #1 0x520d5d in pp_getline
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:5176:21
    #2 0x501f01 in assemble_file
/home/sww13/fuzz/target/nasm/nasm-git/asm/nasm.c:1549:24
    #3 0x5007e8 in main /home/sww13/fuzz/target/nasm/nasm-git/asm/nasm.c:609:9
    #4 0x7f8e1aa2f222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #5 0x41c269 in _start
(/home/simon/Code/syssec/workdir/nasm/nasm-asan+0x41c269)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:4231:55 in expand_smacro
==16563==ABORTING
```

Valgrind output:
```
==16463== Memcheck, a memory error detector
==16463== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16463== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==16463== Command: ./nasm-plain expand_smacro.asm
==16463== 
expand_smacro.asm:2: error: `%9': not in a macro call
expand_smacro.asm:3: warning: unterminated string [-w+other]
expand_smacro.asm:3: error: macro call expects terminating `)'
==16463== Invalid write of size 1
==16463==    at 0x16B572: expand_smacro (preproc.c:4231)
==16463==    by 0x17043E: pp_getline (preproc.c:5176)
==16463==    by 0x15CE21: assemble_file (nasm.c:1549)
==16463==    by 0x15ADC7: main (nasm.c:609)
==16463==  Address 0x11 is not stack'd, malloc'd or (recently) free'd
==16463== 
==16463== 
==16463== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==16463==  Access not within mapped region at address 0x11
==16463==    at 0x16B572: expand_smacro (preproc.c:4231)
==16463==    by 0x17043E: pp_getline (preproc.c:5176)
==16463==    by 0x15CE21: assemble_file (nasm.c:1549)
==16463==    by 0x15ADC7: main (nasm.c:609)
==16463==  If you believe this happened as a result of a stack
==16463==  overflow in your program's main thread (unlikely but
==16463==  possible), you can try to increase the size of the
==16463==  main thread stack using the --main-stacksize= flag.
==16463==  The main thread stack size used in this run was 8388608.
==16463== 
==16463== HEAP SUMMARY:
==16463==     in use at exit: 308,055 bytes in 717 blocks
==16463==   total heap usage: 1,167 allocs, 450 frees, 324,661 bytes allocated
==16463== 
==16463== LEAK SUMMARY:
==16463==    definitely lost: 0 bytes in 0 blocks
==16463==    indirectly lost: 0 bytes in 0 blocks
==16463==      possibly lost: 0 bytes in 0 blocks
==16463==    still reachable: 308,055 bytes in 717 blocks
==16463==         suppressed: 0 bytes in 0 blocks
==16463== Rerun with --leak-check=full to see details of leaked memory
==16463== 
==16463== For counts of detected and suppressed errors, rerun with: -v
==16463== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
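A small triage helper, added here as an example (it is not part of the bug report or of NASM), that parses the sanitizer report above and buckets the fault: the faulting address 0x11 lies in the zero page, i.e. a null pointer plus a small struct-field offset, which is why the reporter classifies it as a nullptr deref (write). The excerpt embedded below is copied from the ASAN output in this report, including the line wrapping introduced by the mailer.

```python
import re

# Excerpt of the AddressSanitizer report from this bug, kept line-wrapped
# exactly as the mailer delivered it so the parser has to cope with that.
ASAN_REPORT = """\
==16563==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc
0x00000052d3fa bp 0x7ffe6ea135f0 sp 0x7ffe6ea13460 T0)
==16563==The signal is caused by a WRITE memory access.
==16563==Hint: address points to the zero page.
    #0 0x52d3f9 in expand_smacro
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:4231:55
    #1 0x520d5d in pp_getline
/home/sww13/fuzz/target/nasm/nasm-git/asm/preproc.c:5176:21
"""

KIND_RE = re.compile(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# "#N 0x... in func /path/file.c:LINE[:COL]"; the path group is non-greedy so it
# stops at the first ':' after the file name.
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\w+)\s+(\S+?):(\d+)(?::(\d+))?")

def parse_asan(report: str) -> dict:
    """Extract fault kind, address, access type and symbolised frames."""
    # Mailers wrap long lines; none of the patterns depend on line breaks,
    # so collapse all whitespace before matching.
    text = " ".join(report.split())
    info = {"kind": None, "address": None, "access": None, "frames": []}
    m = KIND_RE.search(text)
    if m:
        info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
    m = ACCESS_RE.search(text)
    if m:
        info["access"] = m.group(1)
    for m in FRAME_RE.finditer(text):
        info["frames"].append((m.group(2), m.group(3), int(m.group(4))))
    return info

def classify(info: dict) -> str:
    """Coarse bucket for fuzzing triage: null-page faults vs. wild accesses."""
    if info["kind"] != "SEGV" or info["address"] is None:
        return "unknown"
    access = (info["access"] or "unknown").lower()
    if info["address"] < 0x1000:
        # Zero page: null pointer plus a field offset (0x11 here). Such faults
        # are normally tracked as reliable crashes rather than as corruption.
        return "null-deref-" + access
    return "wild-" + access
```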
