NULL Pointer Dereference

Overview

Because of missing input validation (CWE-233: Improper Handling of Parameters), a crafted source file passed to the command line assembler crasm leads to a NULL pointer dereference (CWE-476: NULL Pointer Dereference) in the function Xasc, crashing the process.

About

crasm is a command line assembler, packaged for Ubuntu and hosted on GitHub, that targets the 6800, 6801, 6803, 6502, 65C02 and Z80. At the time of writing, the current version is 1.8-3 in Ubuntu and commit 5471a9f on GitHub.

Vulnerability

In Xasc, the char * oper parameter is copied to s without a NULL check and immediately dereferenced to initialise delimiter. When the asc pseudo-op appears with no operand, oper is NULL and the read of *s faults.

int Xasc(int modifier, char* label, char* mnemo, char* oper)
{
  register char* s;
  register char r;
  register char delimiter;

  s = oper;            /* no NULL check on oper */
  delimiter = *s;      /* NULL dereference when the asc pseudo-op has no operand */

The caller, asmline, also passes oper through without validating it. The ptr member of labmnemo holds the address of the pseudo-op handler for the current mnemonic, here Xasc, so the NULL operand reaches Xasc unchanged.

int asmline(char* s, int status)
...
    if (status & 2)
    {
      (*labmnemo->ptr)(labmnemo->modifier, label, mnemo, oper);
    }
...
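The dispatch and the dereference above, modelled as an added example (illustrative code written for this report, not crasm's source): a small vocabulary table calls the asc handler through a function pointer the way asmline does via labmnemo->ptr, the handler named xasc_unchecked reads *oper first exactly like Xasc, and xasc_checked shows a hardened form that rejects a NULL operand and returns an error code instead of relying on a reporting routine to abort. The helper names split_line, assemble_line, xasc_unchecked and xasc_checked, the vocabulary table and the two input lines are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of crasm's pseudo-op dispatch, written for this report.
 * Names (split_line, assemble_line, xasc_*) are assumptions, not crasm's own. */

typedef int (*handler_fn)(int modifier, const char *label,
                          const char *mnemo, const char *oper);

/* Split "LABEL MNEMO [OPERAND]" in place. As in crasm's parser, *oper is
 * left NULL when the line carries no operand field. */
static void split_line(char *line, char **label, char **mnemo, char **oper)
{
    char *p = line;

    *label = *mnemo = *oper = NULL;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n') return;
    *label = p;
    while (*p != '\0' && !isspace((unsigned char)*p)) p++;
    if (*p != '\0') *p++ = '\0';

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n') return;
    *mnemo = p;
    while (*p != '\0' && !isspace((unsigned char)*p)) p++;
    if (*p != '\0') *p++ = '\0';

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n') return;      /* no operand: *oper stays NULL */
    *oper = p;
    p[strcspn(p, "\r\n")] = '\0';
}

/* Mirrors the original Xasc: reads *oper before checking it. Returns the
 * number of bytes inside the quotes, or -1 for a bad or unterminated string. */
static int xasc_unchecked(int modifier, const char *label,
                          const char *mnemo, const char *oper)
{
    const char *s = oper;
    char delimiter = *s;       /* faults here when oper == NULL, like pseudos.c:221 */
    int n = 0;

    (void)modifier; (void)label; (void)mnemo;
    if (delimiter != '\'' && delimiter != '"')
        return -1;
    for (s = oper + 1; *s != '\0' && *s != delimiter; s++)
        n++;
    return (*s == delimiter) ? n : -1;
}

/* Hardened form: reject a missing operand before any dereference and return
 * an error code, so correctness does not depend on a reporting routine
 * never returning. */
static int xasc_checked(int modifier, const char *label,
                        const char *mnemo, const char *oper)
{
    if (oper == NULL) {
        fprintf(stderr, "%s: need an operand\n", mnemo);
        return -1;
    }
    return xasc_unchecked(modifier, label, mnemo, oper);
}

/* Stand-in for asmline: look the mnemonic up in a vocabulary table and call
 * its handler through a function pointer, as crasm does via labmnemo->ptr. */
static int assemble_line(const char *text, handler_fn asc_handler)
{
    struct { const char *name; handler_fn fn; } vocab[] = { { "asc", asc_handler } };
    char buf[256];
    char *label, *mnemo, *oper;
    size_t i;

    snprintf(buf, sizeof buf, "%s", text);
    split_line(buf, &label, &mnemo, &oper);
    if (mnemo == NULL)
        return -2;                             /* blank or label-only line */
    for (i = 0; i < sizeof vocab / sizeof vocab[0]; i++)
        if (strcmp(mnemo, vocab[i].name) == 0)
            return (*vocab[i].fn)(0, label, mnemo, oper);
    return -3;                                 /* unknown mnemonic */
}

int main(void)
{
    /* Constructed inputs: the second mirrors the crashing frame
     * (label="msgb", mnemo="asc", oper=NULL). */
    const char *good = "msgb asc 'hello'";
    const char *bad  = "msgb asc";

    printf("%-20s -> %d\n", good, assemble_line(good, xasc_checked));
    printf("%-20s -> %d\n", bad,  assemble_line(bad,  xasc_checked));
    /* assemble_line(bad, xasc_unchecked) would segfault, as crasm 1.8-3 does. */
    return 0;
}
```

Run as is, it returns 5 for the quoted string and -1 for the operand-less line; swapping xasc_unchecked in for the second call reproduces the fault. The hardened handler reports and returns an error itself rather than trusting the caller or a reporting routine to stop execution, which is the property asmline should be able to count on from every handler in the table.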

Affected versions

  • 1.8-3 (the current version at the time of writing) as packaged for Ubuntu.
  • Builds from commit 932f3293f96f36bfe32f8d8d70a5ba693d3b3193 and earlier.

Minimum Viable Patch

A patch was submitted to the maintainer and merged into the source repository in merge request #7; the diff is below. The crasm packages shipped by Ubuntu 22.04 and 22.10 remain vulnerable at the time of writing.

diff --git a/src/pseudos.c b/src/pseudos.c
index a1613ee..802939c 100644
--- a/src/pseudos.c
+++ b/src/pseudos.c
@@ -213,6 +213,11 @@ int Xnam(int modifier, char* label, char* mnemo, char* oper)
 /*  ASC string  */
 int Xasc(int modifier, char* label, char* mnemo, char* oper)
 {
+
+  if (oper == NULL) {
+    error("Need an operand");
+  }
+
   register char* s;
   register char r;
   register char delimiter;
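Review bot: the guard at the top of Xasc only prevents the dereference if error() never returns; otherwise control falls through to the existing `s = oper;` / `delimiter = *s;` and faults exactly as before. If error() reports and returns rather than exiting or longjmp'ing, add an explicit `return` (or equivalent bail-out) after the call. Placing the check ahead of the three `register` declarations also makes the function a declaration-after-statement, which a C89 compiler rejects; moving the check below the declarations keeps the fix valid under either standard.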

Recommended CVSS Score

  • Overall: 1.6
    • CVSS Base Score: 1.7
    • Impact Subscore: 1.4
    • Exploitability Subscore: 0.3

Validation

To confirm the NULL pointer dereference, pass the included test case to crasm as its first argument. It produces a segmentation fault both with the Ubuntu package and with a build from the affected commit.

$ lsb_release -rd
Description:    Ubuntu 22.04.1 LTS
Release:        22.04

# Using apt
$ apt update
$ apt install crasm
$ apt list | grep crasm
crasm/jammy,now 1.8-3 amd64 [installed]

$ crasm /4ed6eacf6ec3c24f587ec3321b5fd739480c96a7679c8108f2f6034f07ecaff4
Pass #1
Segmentation fault

# Using git
$ apt install git make clang
$ git clone https://github.com/colinbourassa/crasm.git
$ cd crasm
$ git checkout 932f3293f96f36bfe32f8d8d70a5ba693d3b3193
$ CC=clang make
8 warnings generated.
clang -O -Wall   -c -o cpuz80.o cpuz80.c
clang -O -Wall  -o crasm crasm.o stdvocabulary.o pseudos.o macro.o label.o parse.o filter.o operator.o output.o xref.o scode.o cpulist.o cpu6800.o cpu6502.o cpuz80.o -lm
done
make[1]: Leaving directory '/crasm/src'

$ ./src/crasm /4ed6eacf6ec3c24f587ec3321b5fd739480c96a7679c8108f2f6034f07ecaff4
Pass #1
Segmentation fault

Backtrace

Under lldb, the stop in frame #0 shows oper=0x0 at the dereference on pseudos.c:221, with asmline as the caller.

$ lldb -- ./crasm ./4ed6eacf6ec3c24f587ec3321b5fd739480c96a7679c8108f2f6034f07ecaff4
(lldb) run
Process 99307 launched: '/crasm/src/crasm' (x86_64)
Pass #1
Process 99307 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001000037b3 crasm`Xasc(modifier=0, label="msgb", mnemo="asc", oper=0x0000000000000000) at pseudos.c:221:15
   218    register char delimiter;
   219
   220    s = oper;
-> 221    delimiter = *s;
   222
   223    if (delimiter != '\'' && delimiter != '\"')
   224    {
Target 0: (crasm) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000037b3 crasm`Xasc(modifier=0, label="msgb", mnemo="asc", oper=0x0000000000000000) at pseudos.c:221:15
    frame #1: 0x0000000100002d6c crasm`asmline(s="asc", status=3) at crasm.c:562:7
    frame #2: 0x00000001000027b1 crasm`pass(n=1) at crasm.c:274:9
    frame #3: 0x0000000100002490 crasm`crasm(flag=138) at crasm.c:180:3
    frame #4: 0x0000000100002292 crasm`main(argc=0, argv=0x00007ff7bfeff440) at crasm.c:147:5
    frame #5: 0x00007ff812381310 dyld`start + 2432