wabt
Aborted in CWriter::MangleType at wasm2c
Environment
OS : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : 3054d61f703d609995798f872fc86b462617c294
Version : 1.0.29
Build : make clang-debug-asan
Proof of concept
poc.wasm2c-2.wasm poc_wasm2c-2.wasm.zip
Stack dump
gdb /wabt/out/clang/Debug/asan/wasm2c
pwndbg> r --enable-multi-memory ./poc.wasm2c-2.wasm
context:
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
RAX 0x0
*RBX 0x7ffff7a357c0 ◂— 0x7ffff7a357c0
*RCX 0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
RDX 0x0
*RDI 0x2
*RSI 0x7fffffff9a90 ◂— 0x0
R8 0x0
*R9 0x7fffffff9a90 ◂— 0x0
*R10 0x8
*R11 0x246
*R12 0x43e420 (_start) ◂— endbr64
*R13 0x7fffffffe070 ◂— 0x3
R14 0x0
R15 0x0
*RBP 0x7fffffff9df0 —▸ 0x7fffffffa270 —▸ 0x7fffffffa3c0 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
*RSP 0x7fffffff9a90 ◂— 0x0
*RIP 0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
───────────────────────────────────[ DISASM ]───────────────────────────────────
► 0x7ffff7a7b00b <raise+203> mov rax, qword ptr [rsp + 0x108]
0x7ffff7a7b013 <raise+211> xor rax, qword ptr fs:[0x28]
0x7ffff7a7b01c <raise+220> jne raise+260 <raise+260>
↓
0x7ffff7a7b044 <raise+260> call __stack_chk_fail <__stack_chk_fail>
0x7ffff7a7b049 nop dword ptr [rax]
0x7ffff7a7b050 <killpg> endbr64
0x7ffff7a7b054 <killpg+4> test edi, edi
0x7ffff7a7b056 <killpg+6> js killpg+16 <killpg+16>
0x7ffff7a7b058 <killpg+8> neg edi
0x7ffff7a7b05a <killpg+10> jmp kill <kill>
0x7ffff7a7b05f <killpg+15> nop
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffff9a90 ◂— 0x0
01:0008│ 0x7fffffff9a98 ◂— 0xfffffffffffffffb
02:0010│ 0x7fffffff9aa0 —▸ 0x757525 ◂— cli
03:0018│ 0x7fffffff9aa8 ◂— 0x0
... ↓ 4 skipped
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► f 0 0x7ffff7a7b00b raise+203
f 1 0x7ffff7a5a859 abort+299
f 2 0x5074f0
f 3 0x52cebf
f 4 0x545a44
f 5 0x535a2f
f 6 0x528543
f 7 0x51dd51
────────────────────────────────────────────────────────────────────────────────
backtrace_msg:
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7a5a859 in __GI_abort () at abort.c:79
#2 0x00000000005074f0 in wabt::(anonymous namespace)::CWriter::MangleType (type=...) at ../../../../src/c-writer.cc:427
#3 0x000000000052cebf in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, sv=...) at ../../../../src/c-writer.cc:701
#4 0x0000000000545a44 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::StackVar, char const (&) [4], char const*, char const (&) [2], wabt::(anonymous namespace)::Name<2>, char const (&) [9], wabt::(anonymous namespace)::StackVar> (this=0x7fffffffce30, t=..., u=..., args=..., args=..., args=..., args=..., args=...) at ../../../../src/c-writer.cc:204
#5 0x0000000000535a2f in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, expr=warning: RTTI symbol not found for class 'wabt::LoadStoreExpr<(wabt::ExprType)47>'
...) at ../../../../src/c-writer.cc:2752
#6 0x0000000000528543 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:2043
#7 0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
#8 0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
#9 0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
#10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
#11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
#12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
#13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
#14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
#15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
#16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
#17 0x000000000043e44e in _start ()
wasm2c currently aborts on any SIMD instructions or types. Probably it should configure the validator to disable SIMD (or we should implement SIMD in wasm2c).
Will be fixed by #2021
Fixed by #2119
CVE-2023-27116 for the record.
This particular one is a bit silly -- a well-detected unsupported feature (in this case, it was SIMD) doesn't represent a security vulnerability, even if the program is missing a helpful error message. I suspect if wasm2c threw exceptions instead of aborting (and had a descriptive error message), nobody would have been confused here. But, MITRE didn't ask our opinion before issuing the CVE, and I imagine the reporter here was eager to have a CVE credited to them. :-/
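The two maintainer comments above make one design point: an unsupported-but-detected feature (here SIMD's v128 type reaching CWriter::MangleType) should be rejected by the validator up front, or at least reported with a descriptive error, instead of ending in abort() deep inside the writer. The following is an added, stand-alone C++ illustration of that pattern; it is not wabt's code, and the names ValueType, Features, MangleType, CheckFeatures and Compile are hypothetical stand-ins that only loosely mirror wabt's.

```cpp
// Added example (not wabt's code). Shows an abort-on-unsupported-type mangler
// beside a version that fails with a descriptive error, plus an up-front
// feature gate so the backend never sees a type it cannot emit.
// All names here are hypothetical and do not match wabt's API.
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

enum class ValueType { I32, I64, F32, F64, V128, FuncRef, ExternRef };

// Feature flags: the idea of configuring the validator so a backend that
// lacks SIMD support rejects SIMD modules before code generation starts.
struct Features {
  bool simd = true;
  bool reference_types = true;
};

// Convenience constructor for the "SIMD disabled" configuration.
Features WithoutSimd() {
  Features f;
  f.simd = false;
  return f;
}

// Error type for a well-detected unsupported feature: a caller can catch it
// and print the message instead of the process dying with SIGABRT.
struct UnsupportedFeatureError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

const char* TypeName(ValueType t) {
  switch (t) {
    case ValueType::I32: return "i32";
    case ValueType::I64: return "i64";
    case ValueType::F32: return "f32";
    case ValueType::F64: return "f64";
    case ValueType::V128: return "v128";
    case ValueType::FuncRef: return "funcref";
    case ValueType::ExternRef: return "externref";
  }
  return "?";
}

// Before: anything not handled hits abort(), which is what the stack dump
// above shows (no message, nothing for the caller to recover from).
// Kept for comparison only; the driver below never calls it.
std::string MangleTypeAbort(ValueType t) {
  switch (t) {
    case ValueType::I32: return "i";
    case ValueType::I64: return "j";
    case ValueType::F32: return "f";
    case ValueType::F64: return "d";
    default: std::abort();
  }
}

// After: same mapping, but an unsupported type raises a descriptive error.
std::string MangleType(ValueType t) {
  switch (t) {
    case ValueType::I32: return "i";
    case ValueType::I64: return "j";
    case ValueType::F32: return "f";
    case ValueType::F64: return "d";
    default:
      throw UnsupportedFeatureError(std::string("wasm2c: type '") + TypeName(t) +
                                    "' is not supported by this backend");
  }
}

// Up-front gate: reject a module that uses a disabled feature before any
// code generation runs. Returns false and fills *err on rejection.
bool CheckFeatures(const std::vector<ValueType>& types_used, const Features& f,
                   std::string* err) {
  for (ValueType t : types_used) {
    if (t == ValueType::V128 && !f.simd) {
      *err = "module uses SIMD (v128) but SIMD is disabled";
      return false;
    }
    if ((t == ValueType::FuncRef || t == ValueType::ExternRef) && !f.reference_types) {
      *err = std::string("module uses ") + TypeName(t) +
             " but reference types are disabled";
      return false;
    }
  }
  return true;
}

// Driver mirroring how a tool would combine the two pieces. It returns a
// status string rather than crashing, so both the user and a test can see
// exactly why a module was rejected.
std::string Compile(const std::vector<ValueType>& types_used, const Features& f) {
  std::string err;
  if (!CheckFeatures(types_used, f, &err)) return "error: " + err;
  std::string out;
  try {
    for (ValueType t : types_used) out += MangleType(t);  // constructed "codegen"
  } catch (const UnsupportedFeatureError& e) {
    return std::string("error: ") + e.what();
  }
  return "ok: " + out;
}
```

With SIMD disabled in Features, a v128-using module is turned away by CheckFeatures with a clear message; with SIMD left enabled but the backend still unable to emit it, MangleType reports the unsupported type instead of aborting. Either path leaves the process alive and the reason visible, which is the difference between a missing error message and a crash that looks like a memory-safety bug.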