/binaryen

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null pointer Deference in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) in wasm-s-parser.cpp #1867

Closed
wcventure opened this Issue Jan 13, 2019 · 1 comment

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@wcventure @kripken
@wcventure
Copy link

wcventure commented Jan 13, 2019

Hi, there.

A Null pointer Deference problem was discovered in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) in wasm-s-parser.cpp. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "wasm-as $POC" or "wasm2js $POC" to reproduce the problem.
POC.zip

The ASAN dumps the stack trace as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==7649==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d0 (pc 0x0000018d832f bp 0x7fffd64e9650 sp 0x7fffd64e9620 T0)
==7649==The signal is caused by a READ memory access.
==7649==Hint: address points to the zero page.
    #0 0x18d832e in std::_Hashtable<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_bucket_index(wasm::Expression* const&, unsigned long) const /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable.h:631:60
    #1 0x18d832e in std::__detail::_Map_base<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true>, true>::operator[](wasm::Expression* const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable_policy.h:720
    #2 0x18d832e in std::unordered_map<wasm::Expression*, wasm::Function::DebugLocation, std::hash<wasm::Expression*>, std::equal_to<wasm::Expression*>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> > >::operator[](wasm::Expression* const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unordered_map.h:976
    #3 0x18d832e in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:660
    #4 0x18bf60f in wasm::SExpressionWasmBuilder::parseExpression(wasm::Element*) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm-s-parser.h:160:12
    #5 0x18bf60f in wasm::SExpressionWasmBuilder::parseGlobal(wasm::Element&, bool) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:1712
    #6 0x18a2716 in wasm::SExpressionWasmBuilder::parseModuleElement(wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:325:28
    #7 0x18960ee in wasm::SExpressionWasmBuilder::SExpressionWasmBuilder(wasm::Module&, wasm::Element&, wasm::Name*) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-s-parser.cpp:292:5
    #8 0x64b56f in std::unique_ptr<wasm::SExpressionWasmBuilder, std::default_delete<wasm::SExpressionWasmBuilder> > wasm::make_unique<wasm::SExpressionWasmBuilder, wasm::Module&, wasm::Element&>(wasm::Module&, wasm::Element&) /home/wencheng/Documents/FuzzingObject/binaryen/src/support/utilities.h:58:35
    #9 0x64b56f in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:91
    #10 0x7f6f8df5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x50ccb8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm2js+0x50ccb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/hashtable.h:631:60 in std::_Hashtable<wasm::Expression*, std::pair<wasm::Expression* const, wasm::Function::DebugLocation>, std::allocator<std::pair<wasm::Expression* const, wasm::Function::DebugLocation> >, std::__detail::_Select1st, std::equal_to<wasm::Expression*>, std::hash<wasm::Expression*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_bucket_index(wasm::Expression* const&, unsigned long) const
==7649==ABORTING

kripken added a commit that referenced this issue Jan 15, 2019

@kripken
ignore debug locations when not in a function ; fixes #1867
802d15a

@kripken kripken referenced this issue Jan 15, 2019

Merged

Misc minor ASAN fixes #1869

@kripken

This comment has been minimized.

Sign in to view
Copy link
Member

kripken commented Jan 15, 2019

Thanks! Fix in #1869.

@kripken kripken closed this in cbb24eb Jan 16, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment