Segmentation fault in wabt::cat_compute_size
Environment
OS : Linux ubuntu 5.13.0-51-generic #58~20.04.1-Ubuntu SMP Tue Jun 14 11:29:12 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : 57e6a58bfdd0babfd6f7fe401c9f2d8238ec3213
Version : 1.0.29
Proof of concept: `poc.wasm`, run with the command shown below
Stack dump — the faulting instruction `mov rdx, qword ptr [rdi]` executes with RDI = 0, i.e. a null-pointer read (not a write) during the `std::string` → `string_view` conversion that `cat_compute_size` performs on one of its arguments
./wasm-decompile --enable-all ./poc.wasm
pwndbg> r --enable-all ./poc.wasm
Starting program: ./wasm-decompile --enable-all ./poc.wasm
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f50234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator std::basic_string_view<char, std::char_traits<char> >() const () from /lib/x86_64-linux-gnu/libstdc++.so.6
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────
RAX 0x4
RBX 0x6323e0 (__libc_csu_init) ◂— endbr64
RCX 0x7fffffffbc98 ◂— 0x4
RDX 0x63b2a7 ◂— 0x6c652000207b2029 /* ') { ' */
RDI 0x0
RSI 0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
R8 0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
R9 0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
R10 0x7fffffffc7a0 —▸ 0x7fffffffc7b0 —▸ 0x7fffffffc700 —▸ 0x7fffffffc720 —▸ 0x7fffffffc750 ◂— ...
R11 0x7fffffffceb8 ◂— 0x0
R12 0x54fef0 (_start) ◂— endbr64
R13 0x7fffffffdec0 ◂— 0x3
R14 0x0
R15 0x0
RBP 0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 —▸ 0x7fffffffbdc0 ◂— ...
RSP 0x7fffffffbc48 —▸ 0x5befc9 ◂— mov qword ptr [rbp - 0x20], rax
RIP 0x7ffff7f50234 ◂— mov rdx, qword ptr [rdi]
───────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
► 0x7ffff7f50234 mov rdx, qword ptr [rdi]
0x7ffff7f50237 mov rax, qword ptr [rdi + 8]
0x7ffff7f5023b ret
0x7ffff7f5023c nop dword ptr [rax]
0x7ffff7f50240 endbr64
0x7ffff7f50244 mov rax, qword ptr [rdi]
0x7ffff7f50247 ret
0x7ffff7f50248 nop dword ptr [rax + rax]
0x7ffff7f50250 endbr64
0x7ffff7f50254 push r12
0x7ffff7f50256 shl rsi, 2
───────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffbc48 —▸ 0x5befc9 ◂— mov qword ptr [rbp - 0x20], rax
01:0008│ 0x7fffffffbc50 —▸ 0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 ◂— ...
02:0010│ 0x7fffffffbc58 —▸ 0x5514f1 ◂— mov rcx, qword ptr [rbp - 0x18]
03:0018│ 0x7fffffffbc60 —▸ 0x719fb0 —▸ 0x71a000 —▸ 0x71a130 —▸ 0x71a0d0 ◂— ...
04:0020│ 0x7fffffffbc68 —▸ 0x7fffffffbc98 ◂— 0x4
05:0028│ 0x7fffffffbc70 —▸ 0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
06:0030│ 0x7fffffffbc78 ◂— 0x0
07:0038│ rbp 0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 —▸ 0x7fffffffbdc0 ◂— ...
─────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────
► f 0 0x7ffff7f50234
f 1 0x5befc9
f 2 0x5bef9b
f 3 0x5bef47
f 4 0x5bee9b
f 5 0x5ba4e0
f 6 0x5a9325
f 7 0x5a4b56 wabt::Decompiler::Decompile[abi:cxx11]()+3622
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7f50234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator std::basic_string_view<char, std::char_traits<char> >() const () from /lib/x86_64-linux-gnu/libstdc++.so.6
#1 0x00000000005befc9 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#2 0x00000000005bef9b in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#3 0x00000000005bef47 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#4 0x00000000005bee9b in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#5 0x00000000005ba4e0 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > wabt::cat<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#6 0x00000000005a9325 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) ()
#7 0x00000000005a4b56 in wabt::Decompiler::Decompile[abi:cxx11]() ()
#8 0x00000000005a33b5 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) ()
#9 0x0000000000550432 in ProgramMain(int, char**) ()
#10 0x0000000000550752 in main ()
#11 0x00007ffff7a92083 in __libc_start_main (main=0x550730 <main>, argc=3, argv=0x7fffffffdec8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdeb8) at ../csu/libc-start.c:308
#12 0x000000000054ff1e in _start ()
Credit
P1umer (@P1umer), Q1IQ (@Q1IQ)
This is CVE-2023-27115.