[Nasm-bugs] [Bug 3392761] New: NULL Pointer dereference on do_directive caused by %unmacro

noreply-nasm at dev.nasm.us
Wed Jun 2 13:40:34 PDT 2021


https://bugzilla.nasm.us/show_bug.cgi?id=3392761

            Bug ID: 3392761
           Summary: NULL Pointer dereference on do_directive caused by
                    %unmacro
           Product: NASM
           Version: 2.16 (development)
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: mvanotti at protonmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

There's a NULL pointer dereference in the do_directive function, caused by an
%unmacro.

Here's a reproducer:

```asm
%macro baz 0
  %unmacro F 0
%endmacro
baz
```

Compile it with:

```shell
$ nasm -f elf64 -g -F DWARF -o tmp.o -werror file.asm
```

Compile nasm with address sanitizer support.

Here's the Address Sanitizer error:

```
asm/preproc.c:4336:32: runtime error: load of null pointer of type 'MMacro *' (aka 'struct MMacro *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior asm/preproc.c:4336:32 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==766206==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000056ee95 bp 0x7ffe64c14990 sp 0x7ffe64c14480 T0)
==766206==The signal is caused by a READ memory access.
==766206==Hint: address points to the zero page.
    #0 0x56ee95 in do_directive /home/markov/nasm/asm/preproc.c:4336:29
    #1 0x5331f9 in pp_tokline /home/markov/nasm/asm/preproc.c:7264:13
    #2 0x530674 in pp_getline /home/markov/nasm/asm/preproc.c:7328:17
    #3 0x4bf742 in assemble_file /home/markov/nasm/asm/nasm.c:1722:24
    #4 0x4bf742 in main /home/markov/nasm/asm/nasm.c:717:9
    #5 0x7f0cb2a4a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c64d in _start (/home/markov/nasm/nasm+0x41c64d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/markov/nasm/asm/preproc.c:4336:29 in do_directive
==766206==ABORTING
```

In the case of PP_UNMACRO, it will populate `mmac_p` with `(MMacro **)
hash_findi(&mmacros, spec.name, NULL);`, but that might return NULL.

Thus, in the following lines, there's this code:

```c
        /* Check the macro to be undefined is not being expanded */
        list_for_each(l, istk->expansion) {
            if (l->finishes == *mmac_p) {
                nasm_nonfatal("`%%unmacro' can't undefine the macro being expanded");
                /*
                 * Do not release the macro instance to avoid using the freed
                 * memory while proceeding the expansion.
                 */
                goto done;
            }
        }
```

Dereferencing mmac_p inside that list_for_each is invalid if mmac_p is NULL.

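The lookup-then-dereference pattern the report describes, as an added example that is not part of the bug report or of NASM's source. It models `hash_findi` returning NULL for a name that was never defined, the `istk->expansion` walk that compares against `*mmac_p`, and the check that has to sit between them. The table layout, the `MMacro` fields, the expansion stack and the return codes are assumptions made for the illustration.

```c
/*
 * Added example (not NASM's code): a minimal model of the %unmacro lookup
 * described in the report. The table, the MMacro struct, the expansion stack
 * and the return codes are assumptions chosen for illustration only.
 */
#include <stdlib.h>
#include <string.h>

#define MAX_MACROS    8
#define MAX_EXPANDING 8

typedef struct MMacro {
    char name[32];
    int  nparam;
} MMacro;

/* One entry per macro name. find_slot() returns the address of the MMacro
 * pointer, mirroring hash_findi() returning a pointer to the hash slot. */
static struct { char name[32]; MMacro *mac; } table[MAX_MACROS];
static int ntable;

/* Macros currently being expanded, innermost last (stands in for the
 * istk->expansion list and its l->finishes pointers in the report). */
static MMacro *expanding[MAX_EXPANDING];
static int nexpanding;

static MMacro **find_slot(const char *name)
{
    for (int i = 0; i < ntable; i++)
        if (table[i].mac && strcmp(table[i].name, name) == 0)
            return &table[i].mac;
    return NULL;                 /* never defined, or already undefined */
}

/* %macro name nparam */
int define_macro(const char *name, int nparam)
{
    if (ntable == MAX_MACROS || find_slot(name))
        return -1;
    MMacro *m = calloc(1, sizeof *m);
    if (!m)
        return -1;
    strncpy(m->name, name, sizeof m->name - 1);
    m->nparam = nparam;
    strncpy(table[ntable].name, name, sizeof table[ntable].name - 1);
    table[ntable].mac = m;
    ntable++;
    return 0;
}

int is_defined(const char *name) { return find_slot(name) != NULL; }

/* Push/pop of the expansion stack, as happens when "baz" is invoked. */
int begin_expansion(const char *name)
{
    MMacro **p = find_slot(name);
    if (!p || nexpanding == MAX_EXPANDING)
        return -1;
    expanding[nexpanding++] = *p;
    return 0;
}

void end_expansion(void) { if (nexpanding) nexpanding--; }

/*
 * Same shape as the code quoted in the report: mmac_p is used without checking
 * whether the lookup failed. "%unmacro F 0" with F undefined makes mmac_p NULL
 * and the comparison `expanding[i] == *mmac_p` reads through it. Kept only to
 * contrast with the checked version below; do not call it with an unknown name.
 */
int unmacro_unchecked(const char *name)
{
    MMacro **mmac_p = find_slot(name);
    for (int i = 0; i < nexpanding; i++)
        if (expanding[i] == *mmac_p)   /* NULL dereference when name is unknown */
            return -2;                 /* "can't undefine the macro being expanded" */
    free(*mmac_p);
    *mmac_p = NULL;
    return 0;
}

/* Checked version: a failed lookup is reported before mmac_p is dereferenced. */
int unmacro_checked(const char *name)
{
    MMacro **mmac_p = find_slot(name);
    if (!mmac_p)
        return -1;                     /* unknown macro: nothing to undefine */
    for (int i = 0; i < nexpanding; i++)
        if (expanding[i] == *mmac_p)
            return -2;                 /* keep the instance alive while it expands */
    free(*mmac_p);
    *mmac_p = NULL;
    return 0;
}
```

The only difference between the two `unmacro_*` functions is the `if (!mmac_p)` test ahead of the loop; that is the check the quoted `list_for_each` block lacks. Note that a second `%unmacro` of a name that was already undefined hits the same NULL path, not just a name that was never defined.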