[Nasm-bugs] [Bug 3392790] New: Infinite loop in paste_tokens()

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Mon Dec 13 03:50:06 PST 2021


https://bugzilla.nasm.us/show_bug.cgi?id=3392790

            Bug ID: 3392790
           Summary: Infinite loop in paste_tokens()
           Product: NASM
           Version: 2.16 (development)
          Hardware: All
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: wyxaidai at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411841
  --> https://bugzilla.nasm.us/attachment.cgi?id=411841&action=edit
poc

An infinite loop was discovered in paste_tokens() while assembling the attached proof-of-concept input (the function name in the original report, gpaste_tokens(), is a typo; the backtrace below shows paste_tokens()):

./nasm -f bin ./poc_hang -o 1
./poc_hang:1: warning: unterminated %{ construct [-w+other]
./poc_hang:1: error: parser: instruction expected
./poc_hang:4: error: label or instruction expected at start of line
./poc_hang:10: error: `%macro' expects a parameter count
./poc_hang:10: warning: too many default macro parameters in macro `b_struc$1' [-w+macro-defaults]
./poc_hang:12: warning: unterminated string [-w+other]
./poc_hang:22: warning: unterminated %{ construct [-w+other]
./poc_hang:35: error: label or instruction expected at start of line
./poc_hang:38: error: parser: instruction expected
./poc_hang:40: warning: unterminated %[ construct [-w+other]


0x00005555555c2025 in paste_tokens (head=head at entry=0x7fffffffdc28,
m=m at entry=0x555555601060 <tmatch>,
 mnum=mnum at entry=1, handle_explicit=handle_explicit at entry=true) at
asm/preproc.c:4994
4994                if (!prev_nonspace) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
*RAX  0x0
 RBX  0x555555601068 ◂— 0x0
*RCX  0x131
 RDX  0x555555601068 ◂— 0x0
 RDI  0xffffff70
 RSI  0xf
 R8   0x7ffff7d88e50 —▸ 0x7ffff7d88d10 —▸ 0x7ffff7d890d0 —▸ 0x7ffff7d88fd0 —▸
0x7ffff7d88f90 ◂— ...
 R9   0xffffff70
 R10  0x5c
 R11  0x7ffff7faabe0 (main_arena+96) —▸ 0x5555557593d0 ◂— 0x0
 R12  0x5555555ffffc ◂— 0xfffc1feefffc2011
 R13  0x5555555fff84 ◂— 0xfffc1f19fffc1f29
*R14  0x7ffff7d890d0 —▸ 0x7ffff7d88fd0 —▸ 0x7ffff7d88f90 —▸ 0x7ffff7d88f10 —▸
0x7ffff7d89290 ◂— ...
*R15  0x7ffff7d88d10 —▸ 0x7ffff7d890d0 —▸ 0x7ffff7d88fd0 —▸ 0x7ffff7d88f90 —▸
0x7ffff7d88f10 ◂— ...
*RBP  0x0
 RSP  0x7fffffffdbb0 ◂— 0x1
*RIP  0x5555555c2025 (paste_tokens+757) ◂— test   rbp, rbp
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x5555555c2025 <paste_tokens+757>    test   rbp, rbp
   0x5555555c2028 <paste_tokens+760>    je     paste_tokens+905               
<paste_tokens+905>
    ↓
   0x5555555c20b9 <paste_tokens+905>    mov    rbp, qword ptr [rsp + 0x18]
   0x5555555c20be <paste_tokens+910>    mov    qword ptr [rsp], 0
   0x5555555c20c6 <paste_tokens+918>    mov    r14, rbp
   0x5555555c20c9 <paste_tokens+921>    jmp    paste_tokens+777               
<paste_tokens+777>
    ↓
   0x5555555c2039 <paste_tokens+777>    mov    r15, qword ptr [r14]
   0x5555555c203c <paste_tokens+780>    test   r15, r15
   0x5555555c203f <paste_tokens+783>    je     paste_tokens+864               
<paste_tokens+864>

   0x5555555c2041 <paste_tokens+785>    mov    rdi, r15
   0x5555555c2044 <paste_tokens+788>    jmp    paste_tokens+813               
<paste_tokens+813>
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/fuckit/nasm/asm/preproc.c
   4989                 break;
   4990
   4991             did_paste = true;
   4992
   4993             /* Left pasting token is start of line, just drop %+ */
 ► 4994             if (!prev_nonspace) {
   4995                 prev_next = nextp = head;
   4996                 t = NULL;
   4997             } else {
   4998                 prev_next = prev_nonspace;
   4999                 t = *prev_next;
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdbb0 ◂— 0x1
01:0008│     0x7fffffffdbb8 ◂— 0x0
02:0010│     0x7fffffffdbc0 —▸ 0x555555601060 (tmatch) ◂— 0x1f0000000f
03:0018│     0x7fffffffdbc8 —▸ 0x7fffffffdc28 —▸ 0x7ffff7d88e50 —▸
0x7ffff7d88d10 —▸ 0x7ffff7d890d0 ◂— ...
04:0020│     0x7fffffffdbd0 ◂— 0x101000018
05:0028│     0x7fffffffdbd8 ◂— 0x1e0081800c278400
06:0030│     0x7fffffffdbe0 —▸ 0x7fffffffdc28 —▸ 0x7ffff7d88e50 —▸
0x7ffff7d88d10 —▸ 0x7ffff7d890d0 ◂— ...
07:0038│     0x7fffffffdbe8 ◂— 0x1
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x5555555c2025 paste_tokens+757
   f 1   0x5555555c2260 expand_smacro_noreset+160
   f 2   0x5555555c40f3 expand_mmac_params+259
   f 3   0x5555555c40f3 expand_mmac_params+259
   f 4   0x5555555c764b pp_getline+603
   f 5   0x5555555c764b pp_getline+603
   f 6   0x5555555b197f assemble_file+911
   f 7   0x5555555aef39 main+1273
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00005555555c2025 in paste_tokens (head=head at entry=0x7fffffffdc28,
m=m at entry=0x555555601060 <tmatch>, mnum=mnum at entry=1,
handle_explicit=handle_explicit at entry=true) at asm/preproc.c:4994
#1  0x00005555555c2260 in expand_smacro_noreset (org_tline=0x7ffff7d88d50) at
asm/preproc.c:5925
#2  0x00005555555c40f3 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:5865
#3  expand_mmac_params (tline=0x0) at asm/preproc.c:5338
#4  0x00005555555c764b in pp_tokline () at asm/preproc.c:7258
#5  pp_getline () at asm/preproc.c:7328
#6  0x00005555555b197f in assemble_file (fname=0x5555557027e0
"/root/fuckit/nasm/out1213/hangs/id:000040,src:000010+001117,op:splice,rep:32",
depend_list=0x0) at asm/nasm.c:1722
#7  0x00005555555aef39 in main (argc=argc at entry=4,
argv=argv at entry=0x7fffffffe208) at asm/nasm.c:717
#8  0x00007ffff7de60b3 in __libc_start_main (main=0x5555555aea40 <main>,
argc=4, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
#9  0x00005555555af8fe in _start () at asm/nasm.c:512
