
[Security] Assertion Failure in GetStackTopIndex causing SIGABRT

Open oneafter opened this issue 2 months ago • 0 comments

Description

We have encountered a crash (SIGABRT) in Wasm3 due to a failed assertion within the compiler logic. The issue occurs during the compilation of a WebAssembly function, specifically when handling Opcode 113.

The assertion suggests an inconsistency in the stack height tracking during the compilation phase, where o->stackIndex is invalid relative to o->stackFirstDynamicIndex, leading to a process abort.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Tools: gdb
  • Affected Version: master branch

Vulnerability Details

  • Location: source/m3_compile.c:216
  • Function: GetStackTopIndex
  • Trigger Condition: Assertion failed: o->stackIndex > o->stackFirstDynamicIndex or IsStackPolymorphic (o)
  • Implication: The compiler attempts to access the top of the stack for an operation, but internal tracking indicates the stack is empty or underflowed relative to the current block, and the code path is not marked as polymorphic.

Reproduce

gdb --args ./wasm3 repro
r
bt

Download Link: repro

Stack Trace (GDB)

Assertion failed at /src/wasm3/source/m3_compile.c:216 : o->stackIndex > o->stackFirstDynamicIndex or IsStackPolymorphic (o)

Program received signal SIGABRT, Aborted.
0x00007f7dd15acb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f7dd15acb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f7dd155327e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f7dd15368ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x000055e4b1eac0fa in GetStackTopIndex (o=0x526000000100)
    at /src/wasm3/source/m3_compile.c:216
#4  0x000055e4b1eac674 in IsStackTopInRegister (o=0x526000000100)
    at /src/wasm3/source/m3_compile.c:273
#5  0x000055e4b1eb78cd in Compile_Operator (o=0x526000000100, i_opcode=113)
    at /src/wasm3/source/m3_compile.c:2127
#6  0x000055e4b1eb8a61 in CompileBlockStatements (o=0x526000000100)
    at /src/wasm3/source/m3_compile.c:2610
#7  0x000055e4b1ebb1fe in CompileFunction (io_function=0x50c000000040)
    at /src/wasm3/source/m3_compile.c:2908
#8  0x000055e4b1ec150f in m3_FindFunction (o_function=0x7ffcb3205500, 
    i_runtime=0x526000000100, i_functionName=0x55e4b1f45940 "_start")
    at /src/wasm3/source/m3_env.c:750
#9  0x000055e4b1e6141a in repl_call (name=0x55e4b1f45940 "_start", argc=1, 
    argv=0x7ffcb3206200) at /src/wasm3/platforms/app/main.c:258
#10 0x000055e4b1e6449f in main (i_argc=0, i_argv=0x7ffcb3206208)
    at /src/wasm3/platforms/app/main.c:637

oneafter, Dec 04 '25 01:12
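To make the Vulnerability Details concrete, here is an added illustration (not code from wasm3 or from the reporter) of the stack-height invariant the assertion encodes: opcode 113 is 0x71, `i32.and` in the WebAssembly binary encoding, a binary operator that has to pop two operands. The model is hypothetical and simplified, treating `stackFirstDynamicIndex` as the floor of reserved slots and `polymorphic` as the state after `unreachable`; wasm3's real slot allocation, registers and block frames are left out.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the compile-time operand-stack bookkeeping behind the
   assertion in GetStackTopIndex. Not wasm3's own code: slot allocation,
   registers and block handling are left out. stackIndex is the current
   height, stackFirstDynamicIndex the floor of reserved slots that operators
   may not pop below, and polymorphic marks code after `unreachable`, where
   the WebAssembly validation rules let an operator pop from an empty stack. */
typedef struct {
    int  stackIndex;
    int  stackFirstDynamicIndex;
    bool polymorphic;
} Tracker;

enum Op { OP_I32_CONST, OP_UNREACHABLE, OP_I32_AND /* 0x71 = opcode 113 */ };

/* The invariant the assertion checks before reading the stack top. */
bool TopIsAccessible(const Tracker *t) {
    return t->stackIndex > t->stackFirstDynamicIndex || t->polymorphic;
}

/* Pops one operand. Returns false exactly where the real compiler aborts:
   the stack is at its floor and the code is not polymorphic. */
static bool Pop(Tracker *t) {
    if (!TopIsAccessible(t)) return false;
    /* Polymorphic code at the floor has nothing real to pop. */
    if (t->stackIndex > t->stackFirstDynamicIndex) t->stackIndex--;
    return true;
}

/* Tracks heights over an opcode sequence with `reserved` slots below the
   floor. Returns the final height, or -1 at the first underflow, i.e. the
   point where the assertion in GetStackTopIndex would fire. */
int TrackSequence(const enum Op *ops, size_t n, int reserved) {
    Tracker t = { reserved, reserved, false };
    for (size_t i = 0; i < n; i++) {
        switch (ops[i]) {
        case OP_I32_CONST:   t.stackIndex++; break;
        case OP_UNREACHABLE: t.polymorphic = true; break;
        case OP_I32_AND:     /* binary operator: pop two, push the result */
            if (!Pop(&t) || !Pop(&t)) return -1;
            t.stackIndex++;
            break;
        }
    }
    return t.stackIndex;
}
```

A real validator also tracks operand types and block frames; the model only shows the distinction the assertion draws between a genuine underflow and a polymorphic stack.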