[Nasm-bugs] [Bug 3392725] In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.
noreply-nasm at dev.nasm.us
Tue Apr 19 18:19:45 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392725
--- Comment #3 from Liam Bowen <liambowen at gmail.com> ---
Additional findings:
When invoked with the sanitizer, I get this error as well, a little before the
alleged heap overflow:
asm/preproc.c:2445:25: runtime error: member access within null pointer of type
'struct Token'
Notes for those reproducing: when I pass these to configure:
./configure --disable-optimization --enable-sanitizer
Optimization is *not* disabled. Optimization for some reason is still -O2. I
edited the Makefile manually and replaced -O2 with -O0. The ./configure --help
lied to me.
I think the bug has to do with this:
In asm/preproc.c:2445, &t->next is taken while t is NULL.
This seems to occur because in the loop containing that statement, which is a
"while (true)", at the end of the loop, there's line 2457:
t = skip_white(t->next); /* Eat the comma and whitespace */
At one point this is actually called when t->next is 0, which causes it to
return 0. So then t is zero and the loop repeats. Here's the "t" that causes
this:
$13 = {
  next = 0x0,
  type = TOKEN_COMMA,
  len = 1,
  text = {
    a = ",", '\000' <repeats 46 times>,
    p = {
      pad = ",", '\000' <repeats 38 times>,
      ptr = 0x0
    }
  }
}
When the loop repeats, t->next is referenced (when t is null). Later, a warning
is printed because of this:
warning: dropping trailing empty parameter in call to multi-line macro `b_'
[-w+macro-params-legacy]
Then, shortly after the mangled data structure for the multi-line macro "b_" is
constructed, that same macro is referenced in expand_mmacro with our call to
"paramlen[i] += white + 1", which is where the sanitizer is triggered.
This is what tline is when expand_mmacro is called during the crash (I'm mostly
writing this part so I can come up with a simpler repro):
(gdb) p *tline
$17 = {
  next = 0x7ffff3992940,
  type = TOKEN_ID,
  len = 5,
  text = {
    a = "b_\226\254\254", '\000' <repeats 42 times>,
    p = {
      pad = "b_\226\254\254", '\000' <repeats 34 times>,
      ptr = 0x0
    }
  }
}
So these problems are related.
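Added illustration, not code from NASM or from anyone in this thread: a toy C program with the loop shape the comment describes (a `while (true)` that collects one comma-separated macro parameter per iteration and ends each iteration with `t = skip_white(t->next)`, where skip_white(NULL) returns NULL), beside a guarded version that stops on a trailing empty parameter instead of reading through a NULL token. The token layout (next first, as in the gdb dumps above), the tokenizer, and the names count_params_unchecked / count_params_checked / run_unchecked / run_checked are assumptions made for the example; the inputs are constructed parameter lines, i.e. the text that would follow a multi-line macro name. The unchecked variant returns -1 at the point where the real loop would evaluate &t->next with t == NULL, so the example runs cleanly rather than committing the undefined access.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed toy layout: 'next' is the first member, as in the gdb dumps in the thread,
   which is why &t->next on a NULL t yields 0 at run time rather than faulting at once. */
enum tok_type { TOK_ID, TOK_WHITESPACE, TOK_COMMA };

struct token {
    struct token *next;
    enum tok_type type;
    const char *text;
};

/* Constructed tokenizer for the example: identifiers, runs of blanks, single commas. */
static struct token *tokenize(const char *s)
{
    struct token *head = NULL, **tail = &head;
    while (*s) {
        struct token *t = calloc(1, sizeof *t);
        if (!t) abort();
        t->text = s;
        if (*s == ',') { t->type = TOK_COMMA; s++; }
        else if (isspace((unsigned char)*s)) { t->type = TOK_WHITESPACE; while (isspace((unsigned char)*s)) s++; }
        else { t->type = TOK_ID; while (*s && *s != ',' && !isspace((unsigned char)*s)) s++; }
        *tail = t;
        tail = &t->next;
    }
    return head;
}

static void free_tokens(struct token *t)
{
    while (t) { struct token *n = t->next; free(t); t = n; }
}

/* Same contract the comment relies on: skip_white(NULL) returns NULL. */
static struct token *skip_white(struct token *t)
{
    while (t && t->type == TOK_WHITESPACE) t = t->next;
    return t;
}

/* Unguarded loop: a trailing comma makes skip_white(t->next) return NULL, and nothing at
   the top of the next iteration notices. The real loop evaluates &t->next right there;
   this toy returns -1 instead so it never performs the null member access. */
static int count_params_unchecked(struct token *tline)
{
    int nparam = 0;
    struct token *t = skip_white(tline);
    for (;;) {
        if (!t)
            return -1;                          /* stands in for the null dereference */
        struct token **param_tail = &t->next;   /* the &t->next the sanitizer flags when t is NULL */
        (void)param_tail;
        struct token *c = t;
        while (c && c->type != TOK_COMMA)
            c = c->next;                        /* c: the comma closing this parameter, or NULL */
        nparam++;
        if (!c)
            break;                              /* last parameter had no comma after it */
        t = skip_white(c->next);                /* eat the comma and whitespace; NULL if comma was last */
    }
    return nparam;
}

/* Guarded loop: NULL at the top means the previous comma was the last token, i.e. a
   trailing empty parameter. Report it and stop instead of touching t->next. */
static int count_params_checked(struct token *tline, bool *trailing_empty)
{
    int nparam = 0;
    *trailing_empty = false;
    struct token *t = skip_white(tline);
    for (;;) {
        if (!t) { *trailing_empty = nparam > 0; break; }
        struct token *c = t;
        while (c && c->type != TOK_COMMA) c = c->next;
        nparam++;
        if (!c) break;
        t = skip_white(c->next);
    }
    return nparam;
}

/* Wrappers over a constructed parameter line (the text after the macro name). */
static int run_unchecked(const char *line)
{
    struct token *tl = tokenize(line);
    int r = count_params_unchecked(tl);
    free_tokens(tl);
    return r;
}

static int run_checked(const char *line, bool *trailing_empty)
{
    struct token *tl = tokenize(line);
    int r = count_params_checked(tl, trailing_empty);
    free_tokens(tl);
    return r;
}

int main(void)
{
    const char *lines[] = { "x, y", "x,,y", "x," };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++) {
        bool te;
        int u = run_unchecked(lines[i]);
        int c = run_checked(lines[i], &te);
        printf("\"%s\": unchecked=%d checked=%d trailing_empty=%d\n", lines[i], u, c, (int)te);
    }
    return 0;
}
```

The interesting input is "x,": the unguarded loop reaches the top of an iteration with t == NULL, which is the state the comment describes before line 2445 runs, while the guarded loop returns one parameter and flags the trailing empty one, matching the condition the macro-params-legacy warning reports. Empty parameters in the middle ("x,,y") are counted by both versions because t then lands on the next comma rather than on NULL.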