Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer Deference in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) in wasm-s-parser.cpp #1867

Closed
wcventure opened this issue Jan 13, 2019 · 1 comment
Closed

Null pointer Deference in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) in wasm-s-parser.cpp #1867

wcventure opened this issue Jan 13, 2019 · 1 comment

Comments

@wcventure
Copy link

Hi, there.

A Null pointer Deference problem was discovered in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) in wasm-s-parser.cpp. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "wasm-as $POC" or "wasm2js $POC" to reproduce the problem.
POC.zip

The ASAN dumps the stack trace as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==7649==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d0 (pc 0x0000018d832f bp 0x7fffd64e9650 sp 0x7fffd64e9620 T0)
==7649==The signal is caused by a READ memory access.
==7649==Hint: address points to the zero page.
    #0 0x18d832e in std::_Hashtable<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_bucket_index(wasm::Expression* const&, unsigned long) const /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable.h:631:60
    #1 0x18d832e in std::__detail::_Map_base<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true>, true>::operator[](wasm::Expression* const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable_policy.h:720
    #2 0x18d832e in std::unordered_map<wasm::Expression*, wasm::Function::DebugLocation, std::hash<wasm::Expression*>, std::equal_to<wasm::Expression*>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> > >::operator[](wasm::Expression* const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unordered_map.h:976
    #3 0x18d832e in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:660
    #4 0x18bf60f in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element*) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm-s-parser.h:160:12
    #5 0x18bf60f in wasm::SExpressionWasmBuilder::parseGlobal(wasm::Element&, bool) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:1712
    #6 0x18a2716 in wasm::SExpressionWasmBuilder::parseModuleElement(wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:325:28
    #7 0x18960ee in wasm::SExpressionWasmBuilder::SExpressionWasmBuilder(wasm::Module&, wasm::Element&, wasm::Name*) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:292:5
    #8 0x64b56f in std::unique_ptr<wasm::SExpressionWasmBuilder, std::default_delete<wasm::SExpressionWasmBuilder> > wasm::make_unique<wasm::SExpressionWasmBuilder, wasm::Module&, wasm::Element&>(wasm::Module&, wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/support/utilities.h:58:35
    #9 0x64b56f in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:91
    #10 0x7f6f8df5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x50ccb8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm2js+0x50ccb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable.h:631:60 in std::_Hashtable<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_bucket_index(wasm::Expression* const&, unsigned long) const
==7649==ABORTING
kripken added a commit that referenced this issue Jan 15, 2019
@kripken
ignore debug locations when not in a function ; fixes #1867
802d15a
@kripken kripken mentioned this issue Jan 15, 2019
Merged
@kripken
Copy link
Member

kripken commented Jan 15, 2019

Thanks! Fix in #1869.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kripken @wcventure