
call_indirect not sandboxed properly

Open zyedidia opened this issue 2 years ago • 3 comments

I noticed that the translation of call_indirect has no dynamic checking needed to enforce sandboxing. For example, this program causes a segmentation fault:

(module
    (memory (;0;) 2)
    (export "memory" (memory 0))
    (type $fntype (func (result i32)))
    (table 32 funcref)
    (func (export "_start") (type $fntype)
        (call_indirect (type $fntype) (i32.const 33))
    )
)

The indirect call gets translated to this:

#define TF(table, index, t) ((t)((table).data[index]))

U32 f0(testInstance*i) {
    U32 si0;
    si0=33U;
    /* direct table lookup: no bounds, null or type check before the call */
    si0=TF(i->t0,si0,U32 (*)(testInstance*))(i);
L0:;
    return si0;
}

which directly accesses the function in the table at the requested index and calls it without any checking.

I think there should be several checks:

  • The index must be in the bounds of the table.
  • The function at the requested index must not be null.
  • The type of the function being called must match the requested call_indirect signature.

I think the indirect call tests may be getting skipped due to an unsupported global export, but haven't looked into it.

If w2c2 is intended to be used for sandboxing then this is a vulnerability (if not, then the readme should clearly indicate that this tool is not safe to use for sandboxing).

It also looks like w2c2 does not support indirect calls across multiple modules, even in multi-module mode. Is that correct?

Thanks!

zyedidia · Jul 27 '23 21:07
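To make the three checks listed in the issue concrete, here is an added example (written for this page, not code from w2c2 or from the issue author) of what a checked translation of the same `call_indirect` could look like. It assumes a table whose slots carry a signature id next to the function pointer, because a bare function pointer gives the call site nothing to compare the expected type against; the `Instance`, `TableEntry`, `Trap` and `SIG_*` names are invented for the example, and the signature ids are assumed to be canonical per structural type. A trap here is recorded in the instance and the call returns, whereas a real runtime would abort or unwind; the table layout and the two sample functions are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t U32;

/* Trap reasons (names chosen for this example, not w2c2's own). */
typedef enum {
    TRAP_NONE = 0,
    TRAP_TABLE_OUT_OF_BOUNDS,
    TRAP_NULL_FUNCREF,
    TRAP_SIGNATURE_MISMATCH
} Trap;

/* Signature identifiers. Assumed to be canonical per structural type, so
 * two modules with the same (func (result i32)) type share one id. */
enum { SIG_NONE = 0, SIG_VOID_TO_I32 = 1, SIG_I32_TO_I32 = 2 };

/* A table slot carries the function pointer plus its signature id, so the
 * call site can check the type at run time (a bare pointer cannot). */
typedef struct {
    void (*fn)(void); /* generic function pointer; NULL models ref.null */
    U32 sig;
} TableEntry;

typedef struct {
    TableEntry *data;
    U32 size;
} Table;

typedef struct {
    Table t0;
    Trap trap; /* why a call was refused; a real runtime would abort/unwind */
} Instance;

/* Two sample functions with different signatures (constructed for the example). */
static U32 ret42(Instance *i) { (void)i; return 42U; }
static U32 addone(Instance *i, U32 x) { (void)i; return x + 1U; }

/* Table of 32 slots, as in the issue's (table 32 funcref). Only slots 0 and 1
 * are populated; every other slot stays null. */
static TableEntry g_table[32];

void init_instance(Instance *i) {
    for (U32 k = 0; k < 32; k++) { g_table[k].fn = NULL; g_table[k].sig = SIG_NONE; }
    g_table[0].fn = (void (*)(void))ret42;  g_table[0].sig = SIG_VOID_TO_I32;
    g_table[1].fn = (void (*)(void))addone; g_table[1].sig = SIG_I32_TO_I32;
    i->t0.data = g_table;
    i->t0.size = 32;
    i->trap = TRAP_NONE;
}

/* The three checks from the issue, in order: bounds, null, signature. */
static const TableEntry *checked_lookup(Instance *i, U32 index, U32 expected_sig) {
    if (index >= i->t0.size) { i->trap = TRAP_TABLE_OUT_OF_BOUNDS; return NULL; }
    const TableEntry *e = &i->t0.data[index];
    if (e->fn == NULL) { i->trap = TRAP_NULL_FUNCREF; return NULL; }
    if (e->sig != expected_sig) { i->trap = TRAP_SIGNATURE_MISMATCH; return NULL; }
    return e;
}

/* Checked counterpart of the issue's f0:
 * (call_indirect (type $fntype) (i32.const index)) with $fntype = (func (result i32)). */
U32 f0_checked(Instance *i, U32 index) {
    const TableEntry *e = checked_lookup(i, index, SIG_VOID_TO_I32);
    if (e == NULL) return 0U; /* trapped; the caller inspects i->trap */
    return ((U32 (*)(Instance *))e->fn)(i);
}

/* Run f0_checked against a fresh instance and report the trap reason. */
Trap try_call(U32 index, U32 *result) {
    Instance inst;
    init_instance(&inst);
    U32 r = f0_checked(&inst, index);
    if (result) *result = r;
    return inst.trap;
}

/* Return value only, for callers that do not care about the trap. */
U32 result_of(U32 index) { U32 r = 0; try_call(index, &r); return r; }

int main(void) {
    static const U32 cases[] = { 0, 1, 5, 33 }; /* ok, wrong type, null slot, out of bounds */
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        U32 r = 0;
        Trap t = try_call(cases[k], &r);
        printf("index %2u -> trap %d, result %u\n", cases[k], (int)t, r);
    }
    return 0;
}
```

Index 33 from the issue now fails the bounds check instead of reading past the table; an unpopulated slot fails the null check; slot 1, whose function takes an extra parameter, fails the signature check even though it is in bounds and non-null. Only slot 0 is actually called.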

At the moment, w2c2 just translates WebAssembly to C, it does not (yet) have any support for sandboxing translated modules.

Support for sandboxing is not intentionally unavailable, but so far I have not needed it yet – support for sandboxing could be added, and PRs are very welcome! wasm2c employs some techniques that could be ported to w2c2.

turbolent · Jul 28 '23 22:07

> It also looks like w2c2 does not support indirect calls across multiple modules, even in multi-module mode. Is that correct?

What would that look like? Do you have an example?

turbolent · Jul 29 '23 17:07

I don’t have an example on hand at the moment but I think it’s possible to import a function from another module and then put it in an indirect function table. I was mostly looking at the differences between w2c2 and wasm2c and noticed that in wasm2c indirect function calls may use a different target module than the current module.

zyedidia · Jul 29 '23 21:07