[Nasm-bugs] [Bug 3392761] New: NULL Pointer dereference on do_directive caused by %unmacro
noreply-nasm at dev.nasm.us
Wed Jun 2 13:40:34 PDT 2021
https://bugzilla.nasm.us/show_bug.cgi?id=3392761
Bug ID: 3392761
Summary: NULL Pointer dereference on do_directive caused by %unmacro
Product: NASM
Version: 2.16 (development)
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: mvanotti at protonmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
There's a NULL pointer dereference in the `do_directive` function, caused by an `%unmacro`.
Here's a reproducer:
```asm
%macro baz 0
%unmacro F 0
%endmacro
baz
```
Compile it with:
```shell
$ nasm -f elf64 -g -F DWARF -o tmp.o -werror file.asm
```
Compile nasm with address sanitizer support.
Here's the Address Sanitizer error:
```
asm/preproc.c:4336:32: runtime error: load of null pointer of type 'MMacro *' (aka 'struct MMacro *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior asm/preproc.c:4336:32 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==766206==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000056ee95 bp 0x7ffe64c14990 sp 0x7ffe64c14480 T0)
==766206==The signal is caused by a READ memory access.
==766206==Hint: address points to the zero page.
    #0 0x56ee95 in do_directive /home/markov/nasm/asm/preproc.c:4336:29
    #1 0x5331f9 in pp_tokline /home/markov/nasm/asm/preproc.c:7264:13
    #2 0x530674 in pp_getline /home/markov/nasm/asm/preproc.c:7328:17
    #3 0x4bf742 in assemble_file /home/markov/nasm/asm/nasm.c:1722:24
    #4 0x4bf742 in main /home/markov/nasm/asm/nasm.c:717:9
    #5 0x7f0cb2a4a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c64d in _start (/home/markov/nasm/nasm+0x41c64d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/markov/nasm/asm/preproc.c:4336:29 in do_directive
==766206==ABORTING
```
In the case of `PP_UNMACRO`, it will populate `mmac_p` with `(MMacro **) hash_findi(&mmacros, spec.name, NULL);`, but that might return NULL.
Thus, in the following lines, there's this code:
```c
    /* Check the macro to be undefined is not being expanded */
    list_for_each(l, istk->expansion) {
        if (l->finishes == *mmac_p) {
            nasm_nonfatal("`%%unmacro' can't undefine the macro being expanded");
            /*
             * Do not release the macro instance to avoid using the freed
             * memory while proceeding the expansion.
             */
            goto done;
        }
    }
```
Dereferencing `mmac_p` inside that `list_for_each` is invalid if `mmac_p` is NULL.
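As an added illustration, not NASM's own code: the C model below stands in for the lookup that can return NULL and shows the check a hardened `%unmacro` handler needs before the expansion-stack loop dereferences `*mmac_p`. The `MMacro`/`Line` structs, `find_macro`, `unmacro` and the `run_*` drivers are hypothetical simplifications of the structures named in the report; the first driver replays the reproducer (`baz` being expanded while undefining a never-defined `F`).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the structures named in the report. */
typedef struct MMacro {
    const char *name;
} MMacro;

/* One entry of the expansion stack; `finishes` mirrors the field the
 * reported loop compares against *mmac_p. */
typedef struct Line {
    MMacro *finishes;
    struct Line *next;
} Line;

#define NSLOTS 4

/* Stand-in for hash_findi(): returns the address of the table slot holding
 * the macro, or NULL when no macro of that name is defined. */
static MMacro **find_macro(MMacro **table, size_t nslots, const char *name)
{
    for (size_t i = 0; i < nslots; i++) {
        if (table[i] && strcmp(table[i]->name, name) == 0)
            return &table[i];
    }
    return NULL;
}

enum unmacro_result {
    UNMACRO_OK,            /* macro found and undefined */
    UNMACRO_NOT_FOUND,     /* no such macro: the case that crashed in the report */
    UNMACRO_IN_EXPANSION   /* macro is currently being expanded: refuse */
};

/* %unmacro handling with the lookup result checked before it is dereferenced. */
enum unmacro_result unmacro(MMacro **table, size_t nslots,
                            Line *expansion, const char *name)
{
    MMacro **mmac_p = find_macro(table, nslots, name);

    /* The missing check: an undefined macro must never reach *mmac_p below. */
    if (!mmac_p)
        return UNMACRO_NOT_FOUND;

    /* Check the macro to be undefined is not being expanded. */
    for (Line *l = expansion; l; l = l->next) {
        if (l->finishes == *mmac_p)
            return UNMACRO_IN_EXPANSION;
    }

    *mmac_p = NULL;  /* undefine it (static storage in this demo, so nothing to free) */
    return UNMACRO_OK;
}

/* The report's reproducer: `baz` is being expanded and issues `%unmacro F 0`
 * for a macro `F` that was never defined. */
enum unmacro_result run_report_scenario(void)
{
    MMacro baz = { "baz" };
    MMacro *table[NSLOTS] = { &baz, NULL, NULL, NULL };
    Line top = { &baz, NULL };           /* baz is on the expansion stack */
    return unmacro(table, NSLOTS, &top, "F");
}

/* A macro trying to undefine itself while it is being expanded. */
enum unmacro_result run_self_unmacro(void)
{
    MMacro baz = { "baz" };
    MMacro *table[NSLOTS] = { &baz, NULL, NULL, NULL };
    Line top = { &baz, NULL };
    return unmacro(table, NSLOTS, &top, "baz");
}

/* The ordinary case: undefine a defined macro that is not being expanded. */
enum unmacro_result run_plain_unmacro(void)
{
    MMacro baz = { "baz" }, f = { "F" };
    MMacro *table[NSLOTS] = { &baz, &f, NULL, NULL };
    Line top = { &baz, NULL };
    return unmacro(table, NSLOTS, &top, "F");
}

int main(void)
{
    printf("report scenario : %d (expect %d)\n", run_report_scenario(), UNMACRO_NOT_FOUND);
    printf("self %%unmacro  : %d (expect %d)\n", run_self_unmacro(), UNMACRO_IN_EXPANSION);
    printf("plain %%unmacro : %d (expect %d)\n", run_plain_unmacro(), UNMACRO_OK);
    return 0;
}
```

Without the `if (!mmac_p)` guard, `run_report_scenario` would read through a null `MMacro **` exactly as the sanitizer trace shows; with it, the undefined name becomes an ordinary diagnostic path and the expansion-stack loop only ever compares against a real macro pointer.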