Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Out-of-Bound Memory Write on "op_CopySlot_64" Function #471

Open
mobsceneZ opened this issue Apr 22, 2024 · 2 comments · May be fixed by #489
Open

[Security] Out-of-Bound Memory Write on "op_CopySlot_64" Function #471

mobsceneZ opened this issue Apr 22, 2024 · 2 comments · May be fixed by #489

Comments

@mobsceneZ
Copy link

Environment

OS               : Linux 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Commit           : 139076a98b8321b67f850a844f558b5e91b5ac83
Version          : 0.5.0
Clang Verison    : 13.0.0
Build            : mkdir -p build && cd build && export CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" && cmake .. && make -j8
Affected Tool    : wasm3
Enabled Features : None
Impact           : Out-of-Bound Memory Write
Command          : wasm3/build/wasm3 --func main poc.wasm
Validation       : Valid **(therefore not related to incomplete validation in wasm3)**

Proof of Concept

wasm3-poc-01.zip

Stack Trace Provide By AddressSanitizer

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8615==ERROR: AddressSanitizer: SEGV on unknown address 0x63100003b188 (pc 0x000000530a20 bp 0x62d000000418 sp 0x7ffc799f26f0 T0)
==8615==The signal is caused by a WRITE memory access.
    #0 0x530a20 in op_CopySlot_64 /home/lain/wasm3/source/./m3_exec.h:998:11
    #1 0x53ed46 in RunCode /home/lain/wasm3/source/./m3_exec_defs.h:71:5
    #2 0x53ed46 in m3_CallArgv /home/lain/wasm3/source/m3_env.c:1013:25
    #3 0x4f947e in repl_call /home/lain/wasm3/platforms/app/main.c:298:14
    #4 0x4fafe3 in main /home/lain/wasm3/platforms/app/main.c
    #5 0x7f5be9858082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41ea5d in _start (/home/lain/wasm3/build/wasm3+0x41ea5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wasm3/source/./m3_exec.h:998:11 in op_CopySlot_64
==8615==ABORTING
@tommie
Copy link

tommie commented May 31, 2024

(It would be nice if this bot provided WAT, like the one in #465.)

I think this is because the recursive call in CopyStackSlotsR assumes numSlots is 1, which fails for f64:

wasm3/source/m3_compile.c

Line 1042 in 139076a

_ (CopyStackSlotsR (o, i_targetSlotStackIndex + 1, i_stackIndex + 1, i_endStackIndex, i_tempSlot));

Fixing that removes the ASAN failure for me.

@tommie
Copy link

tommie commented May 31, 2024

Here is a minimal test case:

(module
  (func (;0;)
    block $1 (result f64 f64)
      block (result f64 f64)
        f64.const -0x1.ba17b2943f09fp-37
        f64.const -0x1.ba17b2943f09fp-37
        br $1
      end
    end
    drop
    drop)
  (export "main" (func 0)))

tommie added a commit to tommie/wasm3 that referenced this issue May 31, 2024
@tommie
fix: Makes CopyStackSlotsR use numSlots.
7ebf494 
Closes wasm3#471.
This was referenced May 31, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Makes CopyStackSlotsR use numSlots. tommie/wasm3
2 participants
@tommie @mobsceneZ