
Memory Corruption Vulnerability: Invalid WRITE in uvwasi_serdes_write_uint32_t during WASI Execution

Open JulianWu520 opened this issue 6 months ago • 0 comments

Hi,

Running fizzy-wasi with poc1.wasm triggers a segmentation fault due to an invalid memory WRITE in the uvwasi_serdes_write_uint32_t function, potentially leading to memory corruption.

build

mkdir build && cd build
cmake -DFIZZY_WASI=ON -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_LINKER_FLAGS="-fsanitize=address" ..
cmake --build .

Proof-Of-Concept

julianwu@RLab:~/Work/WebAssembly/fizzy/build/bin/crashes_output$ ../../../../fizzy-test/fizzy/build/bin/fizzy-wasi poc1.wasm
hello �orld
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4094410==ERROR: AddressSanitizer: SEGV on unknown address 0x6311000147ef (pc 0x56487025e2a4 bp 0x0fffabb40c20 sp 0x7ffd5da060a8 T0)
==4094410==The signal is caused by a WRITE memory access.
    #0 0x56487025e2a4 in uvwasi_serdes_write_uint32_t (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4)
    #1 0x5648701bbbef in fd_write /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:56
    #2 0x5648701dd7f4 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:570
    #3 0x5648701e1a59 in invoke_function<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:540
    #4 0x5648701e1a59 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:665
    #5 0x5648701ed954 in fizzy::execute(fizzy::Instance&, unsigned int, fizzy::Value const*) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:1626
    #6 0x5648701bc732 in fizzy::wasi::run(fizzy::wasi::UVWASI&, fizzy::Instance&, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:215
    #7 0x5648701c2f56 in fizzy::wasi::run(std::basic_string_view<unsigned char, std::char_traits<unsigned char> >, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:232
    #8 0x5648701c6142 in fizzy::wasi::load_and_run(int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:241
    #9 0x5648701b9bd5 in main /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/main.cpp:19
    #10 0x7f93368b0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7f93368b0e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x5648701b9e34 in _start (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0x19e34)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4) in uvwasi_serdes_write_uint32_t
==4094410==ABORTING

poc1.zip

JulianWu520, Aug 27 '24 06:08
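The trace above ends in a host-side write (the u32 `nwritten` result of `fd_write`) landing at an address outside the guest's linear memory. The report does not say where the missing check is, and the following is an added example rather than fizzy or uvwasi code: a small C model of how a WASI host's `fd_write` should validate every guest pointer it receives (the iovec array, each buffer, and the result slot) before copying a byte or storing the count, so a hostile module gets `EFAULT` instead of an out-of-bounds host write. The 64 KiB guest memory, the guest offsets 0x100/0x200/0x300 and the host output buffer standing in for a file descriptor are constructed for the example; the errno values are WASI's.

```c
/* Model of a WASI host's fd_write with guest-pointer validation.
 * Added example, not fizzy or uvwasi code. Guest memory is a constructed
 * 64 KiB buffer; fd output goes to a host buffer instead of a real fd. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUEST_MEM_SIZE 65536u   /* one wasm page, constructed for the example */
#define WASI_ESUCCESS  0        /* WASI errno values */
#define WASI_EFAULT    21
#define WASI_ENOSPC    51

typedef struct { uint8_t *base; size_t size; } guest_memory;
typedef struct { uint32_t buf; uint32_t buf_len; } wasi_ciovec; /* 8 bytes in guest memory */

/* Is [off, off+len) inside guest memory? 64-bit math so off+len cannot wrap. */
static int guest_range_ok(const guest_memory *m, uint32_t off, uint64_t len) {
    return (uint64_t)off + len <= (uint64_t)m->size;
}

/* Little-endian u32 accessors; callers must have checked bounds first. */
static uint32_t guest_read_u32(const guest_memory *m, uint32_t off) {
    const uint8_t *p = m->base + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void guest_write_u32(guest_memory *m, uint32_t off, uint32_t v) {
    uint8_t *p = m->base + off;
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* fd_write(iovs_ptr, iovs_len, nwritten_ptr): every guest pointer is validated
 * before anything is copied or stored, so the host never writes outside the
 * sandbox and a rejected call leaves guest memory and the output untouched. */
static uint32_t host_fd_write(guest_memory *m, uint32_t iovs_ptr, uint32_t iovs_len,
                              uint32_t nwritten_ptr, uint8_t *out, size_t out_cap, size_t *out_len)
{
    /* The iovec array itself and the 4-byte result slot must be in bounds. */
    if (!guest_range_ok(m, iovs_ptr, (uint64_t)iovs_len * sizeof(wasi_ciovec)) ||
        !guest_range_ok(m, nwritten_ptr, sizeof(uint32_t)))
        return WASI_EFAULT;
    /* Validate every buffer before touching the output. */
    uint64_t total = 0;
    for (uint32_t i = 0; i < iovs_len; i++) {
        uint32_t buf = guest_read_u32(m, iovs_ptr + i * 8);
        uint32_t len = guest_read_u32(m, iovs_ptr + i * 8 + 4);
        if (!guest_range_ok(m, buf, len)) return WASI_EFAULT;
        total += len;
    }
    if (total > out_cap) return WASI_ENOSPC;  /* host buffer limit, stands in for a full fd */
    size_t n = 0;
    for (uint32_t i = 0; i < iovs_len; i++) {
        uint32_t buf = guest_read_u32(m, iovs_ptr + i * 8);
        uint32_t len = guest_read_u32(m, iovs_ptr + i * 8 + 4);
        memcpy(out + n, m->base + buf, len);
        n += len;
    }
    *out_len = n;
    guest_write_u32(m, nwritten_ptr, (uint32_t)n);  /* only reached with a checked pointer */
    return WASI_ESUCCESS;
}

/* Constructed scenario: "hello world" at 0x100, one iovec at 0x200, and the
 * result slot a well-behaved module would use at 0x300. */
static uint32_t run_case(uint32_t iov_buf, uint32_t iov_len, uint32_t nwritten_ptr, uint32_t *stored)
{
    guest_memory m = { calloc(GUEST_MEM_SIZE, 1), GUEST_MEM_SIZE };
    memcpy(m.base + 0x100, "hello world", 11);
    guest_write_u32(&m, 0x200, iov_buf);   /* iov[0].buf */
    guest_write_u32(&m, 0x204, iov_len);   /* iov[0].buf_len */
    uint8_t out[64]; size_t out_len = 0;
    uint32_t rc = host_fd_write(&m, 0x200, 1, nwritten_ptr, out, sizeof out, &out_len);
    *stored = guest_read_u32(&m, 0x300);   /* what landed in the legitimate result slot */
    free(m.base);
    return rc;
}

/* Well-formed call: returns the byte count the host stored at 0x300 (11). */
static uint32_t demo_valid_write(void) {
    uint32_t stored;
    return run_case(0x100, 11, 0x300, &stored) == WASI_ESUCCESS ? stored : 0;
}

/* Hostile calls: result pointer at the last byte of memory, result pointer
 * that wraps past 2^32, and an iovec buffer that runs off the end. Returns
 * how many of the three were refused with EFAULT without any write (3). */
static int demo_rejected_count(void) {
    uint32_t s; int n = 0;
    n += run_case(0x100, 11, GUEST_MEM_SIZE - 1, &s) == WASI_EFAULT;
    n += run_case(0x100, 11, 0xFFFFFFFEu, &s) == WASI_EFAULT;
    n += run_case(GUEST_MEM_SIZE - 4, 11, 0x300, &s) == WASI_EFAULT && s == 0;
    return n;
}

int main(void) {
    printf("valid call stored nwritten=%u\n", demo_valid_write());
    printf("hostile calls rejected: %d of 3\n", demo_rejected_count());
    return 0;
}
```

The point of doing all the range checks before the first `memcpy` is that a rejected call has no partial side effects; an implementation that validates the iovecs but stores `nwritten` through an unchecked pointer still has exactly the failure mode the sanitizer trace shows, a WRITE at a host address the guest chose.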