[Nasm-bugs] [Bug 3392725] In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Tue Apr 19 18:19:45 PDT 2022

Previous message (by thread): [Nasm-bugs] [Bug 3392725] In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

https://bugzilla.nasm.us/show_bug.cgi?id=3392725

--- Comment #3 from Liam Bowen <liambowen at gmail.com> ---
Additional findings:

When invoked with the sanitizer, I get this error as well, a little before the
alleged heap overflow:

asm/preproc.c:2445:25: runtime error: member access within null pointer of type
'struct Token'

Notes for those reproducing: when I pass these to configure:

./configure --disable-optimization --enable-sanitizer

Optimization is *not* disabled. Optimization for some reason is still -O2. I
edited the Makefile manually and replaced -O2 with -O0. The ./configure --help
lied to me.

I think the bug has to do with this:

in asm/preproc.c:2445, &t->next is taken while t is NULL.

This seems to occur because in the loop containing that statement, which is a
"while (true)", at the end of the loop, there's line 2457:
t = skip_white(t->next); /* Eat the comma and whitespace */

At one point this is actually called when t->next is 0, which causes it to
return 0. So then t is zero and the loop repeats. Here's the "t" that causes
this:

$13 = {
  next = 0x0,
  type = TOKEN_COMMA,
  len = 1,
  text = {
    a =       ",", '\000' <repeats 46 times>,
    p = {
      pad =         ",", '\000' <repeats 38 times>,
      ptr = 0x0
    }
  }
}

When the loop repeats, t->next is referenced (when t is null). Later, a warning
is printed because of this:
 warning: dropping trailing empty parameter in call to multi-line macro `b_'
[-w+macro-params-legacy]

Then, shortly after the mangled data structure for the multi-line macro "b_" is
constructed, that same macro is referenced in expand_mmacro with our call to
"paramlen[i] += white + 1", which is where the sanitizer is triggered.

This is what tline is when expand_mmacro is called during the crash (I'm mostly
writing this part so I can come up with a simpler repexp):

(gdb) p *tline
$17 = {
  next = 0x7ffff3992940,
  type = TOKEN_ID,
  len = 5,
  text = {
    a =       "b_\226\254\254", '\000' <repeats 42 times>,
    p = {
      pad =         "b_\226\254\254", '\000' <repeats 34 times>,
      ptr = 0x0
    }
  }
}

So these problems are related.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.

Previous message (by thread): [Nasm-bugs] [Bug 3392725] In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Nasm-bugs mailing list