Binaryen: array_ptr_impl can cause buffer overflow in 32-bits build #3541

guhe120 · 2018-05-29T12:44:24Z

Hi,

In function array_ptr_impl in Binaryen.hpp:

template

inline array_ptr array_ptr_impl (interpreter_interface* interface, uint32_t ptr, uint32_t length)

{
return array_ptr((T*)(interface->get_validated_pointer(ptr, length * (uint32_t)sizeof(T))));
}

Here we have full control of the |length| parameter, in 32-bits process, length * (uint32_t)sizeof(T) could overflow 32-bits integer range and results in a very small value, which then bypasses the boundary check in get_validated_pointer and returns an over-sized array_ptr.

Then we can read/write out of the bounds of the wasm memory buffer with this over-sized array_ptr.

This is a submission to EOS bug bounty program.

This bug credits to:

Yuki Chen of Qihoo 360 Vulcan Team.

Thank you!

Resolved issues #3540 and #3541

arhag added this to the Version 1.0 milestone May 29, 2018

larryk85 self-assigned this May 29, 2018

larryk85 added a commit that referenced this issue May 29, 2018

Resolved issues #3540 and #3541

3432284

bytemaster added a commit that referenced this issue May 30, 2018

Merge pull request #3572 from EOSIO/fix/analysis_fixes

1827154

Resolved issues #3540 and #3541

bytemaster closed this as completed May 30, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Binaryen: array_ptr_impl can cause buffer overflow in 32-bits build #3541

Binaryen: array_ptr_impl can cause buffer overflow in 32-bits build #3541

guhe120 commented May 29, 2018

Binaryen: array_ptr_impl can cause buffer overflow in 32-bits build #3541

Binaryen: array_ptr_impl can cause buffer overflow in 32-bits build #3541

Comments

guhe120 commented May 29, 2018