fizzy
Memory Corruption Risk: Invalid READ in uvwasi_serdes_readv_ciovec_t during WASI Execution
Hi,
Running fizzy-wasi with poc2.wasm results in a segmentation fault due to an invalid memory READ in the uvwasi_serdes_readv_ciovec_t function, indicating a potential memory corruption issue.
Build:
mkdir build && cd build
cmake -DFIZZY_WASI=ON -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_LINKER_FLAGS="-fsanitize=address" ..
cmake --build .
POC:
julianwu@RLab:~/Work/WebAssembly/fizzy/build/bin/crashes_output$ ../../../../fizzy-test/fizzy/build/bin/fizzy-wasi poc2.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==930395==ERROR: AddressSanitizer: SEGV on unknown address 0x631100014802 (pc 0x5643986a8428 bp 0x0fffa4a0afee sp 0x7ffd25057f10 T0)
==930395==The signal is caused by a READ memory access.
#0 0x5643986a8428 in uvwasi_serdes_readv_ciovec_t (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbf428)
#1 0x564398604984 in fd_write /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:49
#2 0x5643986267f4 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:570
#3 0x56439862aa59 in invoke_function<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:540
#4 0x56439862aa59 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:665
#5 0x564398636954 in fizzy::execute(fizzy::Instance&, unsigned int, fizzy::Value const*) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:1626
#6 0x564398605732 in fizzy::wasi::run(fizzy::wasi::UVWASI&, fizzy::Instance&, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:215
#7 0x56439860bf56 in fizzy::wasi::run(std::basic_string_view<unsigned char, std::char_traits<unsigned char> >, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:232
#8 0x56439860f142 in fizzy::wasi::load_and_run(int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:241
#9 0x564398602bd5 in main /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/main.cpp:19
#10 0x7f432b285d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7f432b285e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x564398602e34 in _start (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0x19e34)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbf428) in uvwasi_serdes_readv_ciovec_t
==930395==ABORTING
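Frame #1 of the trace shows fd_write handing the guest-supplied ciovec array to uvwasi_serdes_readv_ciovec_t, which reads it straight out of linear memory. The usual defensive fix for this class of crash is to validate, before deserializing, that the array and every buffer it references lie inside the instance's memory. The following is an added illustration of that check, not fizzy's or uvwasi's code; the helper names are hypothetical, while the 8-byte little-endian ciovec layout (u32 buf, u32 buf_len) is the wasi_snapshot_preview1 wasm32 layout.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical helper (not fizzy's code): a bounds-checked reader for the
// wasm32 WASI ciovec array that fd_write receives from the guest.
struct Ciovec { uint32_t buf; uint32_t buf_len; };

static uint32_t read_u32_le(const uint8_t* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Used only to build constructed test memory images.
static void write_u32_le(uint8_t* p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

// Returns the ciovecs only if the array itself and every buffer it points to
// lie entirely inside [0, mem_size). Arithmetic is done in 64 bits so a large
// offset or count cannot wrap around 32 bits and slip past the comparison.
std::optional<std::vector<Ciovec>> read_ciovecs_checked(
    const uint8_t* mem, uint64_t mem_size, uint32_t iov_ptr, uint32_t iov_cnt) {
    const uint64_t array_bytes = static_cast<uint64_t>(iov_cnt) * 8;
    if (static_cast<uint64_t>(iov_ptr) + array_bytes > mem_size)
        return std::nullopt;  // the ciovec array runs past linear memory
    std::vector<Ciovec> out;
    out.reserve(iov_cnt);
    for (uint32_t i = 0; i < iov_cnt; ++i) {
        const uint8_t* entry = mem + iov_ptr + static_cast<uint64_t>(i) * 8;
        const Ciovec v{read_u32_le(entry), read_u32_le(entry + 4)};
        if (static_cast<uint64_t>(v.buf) + v.buf_len > mem_size)
            return std::nullopt;  // a data buffer runs past linear memory
        out.push_back(v);
    }
    return out;  // safe to pass to the host write path
}
```

A host that rejects the call (WASI's EFAULT is the conventional errno) instead of reading the array turns the invalid READ above into a clean error returned to the guest.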