Out of Memory Problem in function wasm::WasmBinaryBuilder::readUserSection(unsigned long) #1866

Closed
wcventure opened this issue Jan 12, 2019 · 1 comment

Comments

@wcventure

Hi, there.

An out-of-memory problem was discovered in the wasm::WasmBinaryBuilder::readUserSection(unsigned long) function in wasm-binary.cpp. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

  1. Program abort because of a std::bad_alloc exception.
    Use "./wasm-merge $POC" to reproduce the error.
    POC1.zip

Program Output

terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted

The ASAN dumps the stack trace as follows:

==9550==WARNING: AddressSanitizer failed to allocate 0xfffffffffffffffc bytes
==9550==AddressSanitizer's allocator is terminating the process instead of returning 0
==9550==If you don't like this behavior set allocator_may_return_null=1
==9550==AddressSanitizer CHECK failed: /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x5d1dd5 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x5ef695 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x5d81d6 in __sanitizer::ReportAllocatorCannotReturnNull() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x5d8216 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x50e307 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:900
    #5 0x60121f in operator new(unsigned long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #6 0x89ae8b in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
    #7 0x89ae8b in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/alloc_traits.h:436
    #8 0x89ae8b in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:172
    #9 0x89ae8b in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/vector.tcc:571
    #10 0x89ae8b in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:692
    #11 0x840f67 in wasm::WasmBinaryBuilder::readUserSection(unsigned long) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:723:18
    #12 0x81412a in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:692:9
    #13 0x912c7d in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
    #14 0x915750 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
    #15 0x60aa08 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-merge.cpp:617:16
    #16 0x7f7b2fdad82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x508d58 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-merge+0x508d58)
  2. possibly invalid request for silly amounts of memory
    Use "wasm-opt $POC" to reproduce the error.
    POC2.zip

Program Output

Fatal: error in building module, std::bad_alloc (possibly invalid request for silly amounts of memory)

The ASAN dumps the stack trace as follows:

==22673==WARNING: AddressSanitizer failed to allocate 0xffffffffffffffff bytes
==22673==AddressSanitizer's allocator is terminating the process instead of returning 0
==22673==If you don't like this behavior set allocator_may_return_null=1
==22673==AddressSanitizer CHECK failed: /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x5e2705 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x5fffc5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x5e8b06 in __sanitizer::ReportAllocatorCannotReturnNull() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x5e8b46 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x51ec37 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:900
    #5 0x611b4f in operator new(unsigned long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #6 0xa0537b in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
    #7 0xa0537b in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/alloc_traits.h:436
    #8 0xa0537b in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:172
    #9 0xa0537b in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/vector.tcc:571
    #10 0xa0537b in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:692
    #11 0x9ab457 in wasm::WasmBinaryBuilder::readUserSection(unsigned long) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:723:18
    #12 0x97e61a in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:692:9
    #13 0xa7ebfd in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
    #14 0xa816d0 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
    #15 0x624a39 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:144:14
    #16 0x7f262eb2482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x519688 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x519688)
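Both traces end in std::vector::resize being handed 0xfffffffffffffffc or 0xffffffffffffffff bytes, values consistent with an unsigned length computed from the section's declared sizes wrapping around. The reader below is an added example, not Binaryen's code: it shows the bounds checks a custom ("user") section parser needs before it allocates anything; readU32LEB, readCustomSection, CustomSection and the sample bytes are illustrative names and constructed data.

```cpp
// Added example (not Binaryen's code): a bounds-checked wasm custom-section
// reader. Every length is validated against the bytes actually present.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct CustomSection {
  std::string name;
  std::vector<char> data;
};

// Unsigned LEB128 u32 decoder bounded by `end`; rejects truncated or over-long values.
static uint32_t readU32LEB(const std::vector<uint8_t>& buf, size_t& pos, size_t end) {
  uint32_t result = 0;
  for (unsigned shift = 0; shift < 35; shift += 7) {
    if (pos >= end) throw std::runtime_error("truncated LEB128");
    uint8_t b = buf[pos++];
    result |= static_cast<uint32_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) return result;
  }
  throw std::runtime_error("LEB128 too long for u32");
}

// Parses the custom section whose payload is buf[pos, pos + payloadLen).
static CustomSection readCustomSection(const std::vector<uint8_t>& buf,
                                       size_t pos, size_t payloadLen) {
  // 1. The declared payload must fit in the input (catches payloadLen == SIZE_MAX).
  if (pos > buf.size() || payloadLen > buf.size() - pos)
    throw std::runtime_error("section payload overruns input");
  const size_t end = pos + payloadLen;
  // 2. The name must fit inside the payload. Computing payloadLen - consumed
  //    without this check wraps when the name field is longer than the payload
  //    (0xfffffffffffffffc is -4 as size_t), and resize() would get that value.
  uint32_t nameLen = readU32LEB(buf, pos, end);
  if (nameLen > end - pos) throw std::runtime_error("name overruns section");
  CustomSection s;
  s.name.assign(reinterpret_cast<const char*>(buf.data() + pos), nameLen);
  pos += nameLen;
  // 3. Only now is end - pos known to be <= payloadLen, so the copy is bounded.
  s.data.assign(buf.begin() + pos, buf.begin() + end);
  return s;
}

// Returns true if the parser rejects the input instead of allocating.
static bool rejects(const std::vector<uint8_t>& buf, size_t pos, size_t payloadLen) {
  try { readCustomSection(buf, pos, payloadLen); } catch (const std::runtime_error&) { return true; }
  return false;
}

// Constructed sample: name "nm" (LEB128 length 2) followed by two payload bytes.
static const std::vector<uint8_t> kSample = {0x02, 'n', 'm', 0xAA, 0xBB};
```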
@kripken
Member

kripken commented Jan 15, 2019

Thanks! Fix in #1869.
