wabt icon indicating copy to clipboard operation
wabt copied to clipboard

Published 20 hours ago verified publisher icon WebAssembly

Invalid Read Memory in wabt::interp

Open Messi-Q opened this issue 1 year ago • 1 comments

Version

commit 4beb525 Author: Peng Qian [email protected] Date: Wen Jun 10:48:12 2024

Compile

cd wabt
mkdir build
cd build 
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" ..
make

Reproduce

./wasm-interp id:000008,sig:11,src:003840,op:havoc,rep:2

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1084839==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x562656e0b4a1 bp 0x7ffc49ce8f90 sp 0x7ffc49ce8f60 T0)
==1084839==The signal is caused by a READ memory access.
==1084839==Hint: address points to the zero page.
    #0 0x562656e0b4a0 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:734
    #1 0x562656e098aa in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:617
    #2 0x562656e1e4fd in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:2091
    #3 0x562656e179d8 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1526
    #4 0x562656e12a69 in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1094
    #5 0x562656e12911 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1086
    #6 0x562656e06de6 in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:428
    #7 0x562656e067be in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*, wabt::Stream*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:394
    #8 0x562656e10021 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:952
    #9 0x562656d3c22f in InstantiateModule /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:340
    #10 0x562656d3c797 in ReadAndRunModule /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:423
    #11 0x562656d3cbe0 in ProgramMain(int, char**) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:450
    #12 0x562656d3cc92 in main /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:456
    #13 0x7f5648576082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x562656d3825d in _start (/home/peng/Documents/all_wasm_vm/new_version_test/wabt/build/wasm-interp+0x5325d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:734 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==1084839==ABORTING

PoC

PoC

Messi-Q avatar Jun 19 '24 02:06 Messi-Q

minified:

;;; TOOL: run-gen-wasm-interp
magic
version
section(TYPE) { count[1] function params[0] results[0] }
section(FUNCTION) { count[1] type[0] }
section(MEMORY) { count[1] flags[0] min[1] }
section(START) { start_function[0] }
section(DATACOUNT) { count[1] }
section(CODE) {
  count[1]
  func {
    locals[0]
    i32.const value[0]
    i32.const value[0]
    i32.const value[0]
    memory.init dataidx[0] memidx[0]
  }
}

SoniEx2 avatar Jun 19 '24 03:06 SoniEx2