A Heap-buffer-overflow problem was discovered in cashew::JSPrinter::printAst() function in simple_ast.h #1876

@wcventure

Hi there.

A heap-buffer-overflow problem was discovered in the cashew::JSPrinter::printAst() function in simple_ast.h in emscripten-optimizer, as distributed in Binaryen 1.38.22. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "./wasm2js $POC" to reproduce the error.
POC.zip

git log:

commit 777d33d40ff030f1711c40bf3cd5bc4bc36af313
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Wed Jan 16 13:22:39 2019 -0800

    Emscripten stack simplification (#1870)

    This takes advantage of the recent memory simplification in emscripten, where JS static allocation is done at compile time. That means we know the stack's initial location at compile time, and can apply it. This is the binaryen side of that:

    * asm2wasm support for asm.js globals with an initial value var X = Y; where Y is not 0 (which is what the stack now is).
    * wasm-emscripten-finalize support for a flag --initial-stack-pointer=X, and remove the old code to import the stack's initial location.

ASAN dumps the stack trace as follows:

=================================================================
==13429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000009ac at pc 0x000000654a5f bp 0x7ffc53b185d0 sp 0x7ffc53b185c8
WRITE of size 1 at 0x61d0000009ac thread T0
    #0 0x654a5e in cashew::JSPrinter::printAst() /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:564:18
    #1 0x654a5e in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:119
    #2 0x7f284ecc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x5116f8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm2js+0x5116f8)

0x61d0000009ac is located 0 bytes to the right of 2348-byte region [0x61d000000080,0x61d0000009ac)
allocated by thread T0 here:
    #0 0x5d1aa0 in realloc /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x701b53 in cashew::JSPrinter::ensure(int) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:581:26
    #2 0x6ff826 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:645:5
    #3 0x718964 in cashew::JSPrinter::printVar(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:1195:9
    #4 0x6fff70 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:734:26
    #5 0x71db30 in cashew::JSPrinter::printStats(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:764:9
    #6 0x709a15 in cashew::JSPrinter::printDefun(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:810:5
    #7 0x700ea3 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:684:28
    #8 0x71db30 in cashew::JSPrinter::printStats(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:764:9
    #9 0x700e2e in cashew::JSPrinter::printToplevel(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:774:7
    #10 0x700e2e in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:723
    #11 0x65363f in cashew::JSPrinter::printAst() /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:563:5
    #12 0x65363f in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:119
    #13 0x7f284ecc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:564:18 in cashew::JSPrinter::printAst()
Shadow bytes around the buggy address:
  0x0c3a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff8130: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13429==ABORTING
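The trace above has a characteristic shape: the region was sized by a realloc inside an `ensure(int)`-style growth routine, and the fault is a one-byte WRITE exactly 0 bytes past its end, which is what an unchecked terminator write (`buf[used] = 0`) produces when the output has filled the allocation to the byte. The following is an added illustration, written for this page and not taken from the issue or from Binaryen's source: a minimal growable output buffer with the same grow-then-terminate pattern, an explicit check for the full-buffer state, and a hardened finish routine that reserves the terminator byte first. The struct, function names and the 64-byte initial capacity are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Binaryen's code: a growable output buffer with an
 * ensure()-style realloc growth path and a final one-byte terminator write,
 * the shape the ASAN trace points at (realloc in ensure(int), then a WRITE of
 * size 1 at 0 bytes to the right of the region). */

typedef struct {
    char  *buf;   /* heap storage, grown by realloc */
    size_t used;  /* bytes of output written so far */
    size_t cap;   /* bytes currently allocated */
} outbuf;

#define OUTBUF_INITIAL_CAP 64  /* assumed starting size for this example */

static void outbuf_init(outbuf *o) {
    o->buf = NULL;
    o->used = 0;
    o->cap = 0;
}

/* Guarantee room for `extra` more bytes after `used`, doubling as needed. */
static void outbuf_ensure(outbuf *o, size_t extra) {
    if (o->used + extra <= o->cap) return;
    size_t ncap = o->cap ? o->cap : OUTBUF_INITIAL_CAP;
    while (ncap < o->used + extra) ncap *= 2;
    char *nb = realloc(o->buf, ncap);
    if (!nb) { perror("realloc"); exit(EXIT_FAILURE); }
    o->buf = nb;
    o->cap = ncap;
}

/* Append `s` (without its terminator), growing first. */
static void outbuf_emit(outbuf *o, const char *s) {
    size_t n = strlen(s);
    if (n == 0) return;
    outbuf_ensure(o, n);
    memcpy(o->buf + o->used, s, n);
    o->used += n;
}

/* The check a finishing routine must make: when used == cap, buf[used] is the
 * first byte past the allocation, so an unchecked terminator write there is
 * exactly the "0 bytes to the right of the region" overflow ASAN reported. */
static int terminator_out_of_bounds(size_t used, size_t cap) {
    return used >= cap;
}

/* Hardened finish: reserve the terminator byte before writing it. */
static const char *outbuf_finish(outbuf *o) {
    outbuf_ensure(o, 1);
    o->buf[o->used] = '\0';
    return o->buf;
}

/* Build a buffer holding exactly `n` bytes of output and report whether an
 * unchecked `buf[used] = 0` (no ensure before it) would land out of bounds. */
static int unchecked_finish_would_overflow(size_t n) {
    outbuf o;
    outbuf_init(&o);
    char *chunk = malloc(n + 1);
    if (!chunk) return -1;
    memset(chunk, 'x', n);
    chunk[n] = '\0';
    outbuf_emit(&o, chunk);
    int oob = terminator_out_of_bounds(o.used, o.cap);
    free(chunk);
    free(o.buf);
    return oob;
}

/* Same construction through the hardened path; returns the final strlen. */
static size_t checked_finish_len(size_t n) {
    outbuf o;
    outbuf_init(&o);
    char *chunk = malloc(n + 1);
    if (!chunk) return 0;
    memset(chunk, 'x', n);
    chunk[n] = '\0';
    outbuf_emit(&o, chunk);
    size_t len = strlen(outbuf_finish(&o));
    free(chunk);
    free(o.buf);
    return len;
}

int main(void) {
    /* 64 bytes of output fill the 64-byte initial allocation exactly. */
    printf("unchecked terminator write would overflow: %d\n",
           unchecked_finish_would_overflow(64));
    printf("hardened finish, resulting length: %zu\n", checked_finish_len(64));
    return 0;
}
```

The useful takeaway for triage is that the ensure-before-write discipline has to cover every byte written, the terminator included; a growth routine that sizes the allocation for the content alone leaves the terminator with nowhere to go whenever the output length happens to equal the capacity, and a fuzzer finds that length quickly. Building with `-fsanitize=address` and running the full-buffer case is the cheapest regression check for this class of bug.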
