An out-of-memory problem was discovered in the wasm::WasmBinaryBuilder::readUserSection(unsigned long) function in wasm-binary.cpp. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
The program aborts because of a std::bad_alloc exception.
Use "./wasm-merge $POC" to reproduce the error. POC1.zip
Program Output
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
Aborted
The ASAN dumps the stack trace as follows. The size in the allocator warning (0xfffffffffffffffc bytes) is what readUserSection passes to std::vector::resize (frames #10–#11), which suggests the section length read from the input is used for the allocation without first being checked against the remaining input size:
==9550==WARNING: AddressSanitizer failed to allocate 0xfffffffffffffffc bytes
==9550==AddressSanitizer's allocator is terminating the process instead of returning 0
==9550==If you don't like this behavior set allocator_may_return_null=1
==9550==AddressSanitizer CHECK failed: /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
#0 0x5d1dd5 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x5ef695 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x5d81d6 in __sanitizer::ReportAllocatorCannotReturnNull() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
#3 0x5d8216 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
#4 0x50e307 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:900
#5 0x60121f in operator new(unsigned long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
#6 0x89ae8b in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
#7 0x89ae8b in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/alloc_traits.h:436
#8 0x89ae8b in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:172
#9 0x89ae8b in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/vector.tcc:571
#10 0x89ae8b in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:692
#11 0x840f67 in wasm::WasmBinaryBuilder::readUserSection(unsigned long) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:723:18
#12 0x81412a in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:692:9
#13 0x912c7d in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
#14 0x915750 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
#15 0x60aa08 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-merge.cpp:617:16
#16 0x7f7b2fdad82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x508d58 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-merge+0x508d58)
possibly invalid request for silly amounts of memory
Use "wasm-opt $POC" to reproduce the error. POC2.zip
Program Output
Fatal: error in building module, std::bad_alloc (possibly invalid request for silly amounts of memory)
The ASAN dumps the stack trace as follows:
==22673==WARNING: AddressSanitizer failed to allocate 0xffffffffffffffff bytes
==22673==AddressSanitizer's allocator is terminating the process instead of returning 0
==22673==If you don't like this behavior set allocator_may_return_null=1
==22673==AddressSanitizer CHECK failed: /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
#0 0x5e2705 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x5fffc5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x5e8b06 in __sanitizer::ReportAllocatorCannotReturnNull() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
#3 0x5e8b46 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
#4 0x51ec37 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:900
#5 0x611b4f in operator new(unsigned long) /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
#6 0xa0537b in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
#7 0xa0537b in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/alloc_traits.h:436
#8 0xa0537b in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:172
#9 0xa0537b in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/vector.tcc:571
#10 0xa0537b in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:692
#11 0x9ab457 in wasm::WasmBinaryBuilder::readUserSection(unsigned long) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:723:18
#12 0x97e61a in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:692:9
#13 0xa7ebfd in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
#14 0xa816d0 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
#15 0x624a39 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:144:14
#16 0x7f262eb2482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x519688 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x519688)
Hi, there.
An out-of-memory problem was discovered in the wasm::WasmBinaryBuilder::readUserSection(unsigned long) function in wasm-binary.cpp. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Use "./wasm-merge $POC" to reproduce the error.
POC1.zip
Program Output
The ASAN dumps the stack trace as follows:
Use "wasm-opt $POC" to reproduce the error.
POC2.zip
Program Output
The ASAN dumps the stack trace as follows: