For example, when the input only contains (), wavm -c $FILE reports
=================================================================
==21660==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d0 at pc 0x00000089fb37 bp 0x7ffcd9799aa0 sp 0x7ffcd9799a98
READ of size 4 at 0x6020000000d0 thread T0
#0 0x89fb36 in loadModule(char const*, IR::Module&) /home/hongxu/FOT/WAVM/Include/Inline/CLI.h:147:5
#1 0x89d167 in run(CommandLineOptions const&) /home/hongxu/FOT/WAVM/Programs/wavm/wavm.cpp:140:6
#2 0x89d0a7 in main /home/hongxu/FOT/WAVM/Programs/wavm/wavm.cpp:404:9
#3 0x7f62a805bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#4 0x79fc09 in _start (/home/hongxu/FOT/WAVM/bin/wavm+0x79fc09)
0x6020000000d3 is located 0 bytes to the right of 3-byte region [0x6020000000d0,0x6020000000d3)
allocated by thread T0 here:
#0 0x898070 in operator new(unsigned long) (/home/hongxu/FOT/WAVM/bin/wavm+0x898070)
#1 0x8a511f in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/WAVM/Include/Inline/CLI.h:147:5 in loadModule(char const*, IR::Module&)
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa fd fa fa fa 00 00 fa fa[03]fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21660==ABORTING
[1] 21660 abort ~/FOT/WAVM/bin/wavm -c ./test.wast
In another extreme case, when the input is empty string, it raises SIGSEGV.
The text was updated successfully, but these errors were encountered:
During loading module (https://github.com/WAVM/WAVM/blob/master/Include/Inline/CLI.h#L147, as of 234e8b9), there is a missing check for cases where file bytes are less than 4 bytes. This may crash wavm.
For example, when the input only contains
(),wavm -c $FILEreportsIn another extreme case, when the input is empty string, it raises
SIGSEGV.The text was updated successfully, but these errors were encountered: