A Heap-buffer-overflow problem was discovered in cashew::JSPrinter::printAst() function in simple_ast.h #1876

Closed
wcventure opened this issue Jan 19, 2019 · 0 comments

Comments

@wcventure
Hi, there.

A heap-buffer-overflow problem was discovered in the cashew::JSPrinter::printAst() function in simple_ast.h in emscripten-optimizer, as distributed in Binaryen 1.38.22. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "./wasm2js $POC" to reproduce the error.
POC.zip

git log:

commit 777d33d40ff030f1711c40bf3cd5bc4bc36af313
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Wed Jan 16 13:22:39 2019 -0800

    Emscripten stack simplification (#1870)

    This takes advantage of the recent memory simplification in emscripten, where JS static allocation is done at compile time. That means we know the stack's initial location at compile time, and can apply it. This is the binaryen side of that:

    * asm2wasm support for asm.js globals with an initial value var X = Y; where Y is not 0 (which is what the stack now is).
    * wasm-emscripten-finalize support for a flag --initial-stack-pointer=X, and remove the old code to import the stack's initial location.

ASan dumps the stack trace as follows:

=================================================================
==13429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000009ac at pc 0x000000654a5f bp 0x7ffc53b185d0 sp 0x7ffc53b185c8
WRITE of size 1 at 0x61d0000009ac thread T0
    #0 0x654a5e in cashew::JSPrinter::printAst() /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:564:18
    #1 0x654a5e in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:119
    #2 0x7f284ecc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x5116f8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm2js+0x5116f8)

0x61d0000009ac is located 0 bytes to the right of 2348-byte region [0x61d000000080,0x61d0000009ac)
allocated by thread T0 here:
    #0 0x5d1aa0 in realloc /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x701b53 in cashew::JSPrinter::ensure(int) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:581:26
    #2 0x6ff826 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:645:5
    #3 0x718964 in cashew::JSPrinter::printVar(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:1195:9
    #4 0x6fff70 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:734:26
    #5 0x71db30 in cashew::JSPrinter::printStats(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:764:9
    #6 0x709a15 in cashew::JSPrinter::printDefun(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:810:5
    #7 0x700ea3 in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:684:28
    #8 0x71db30 in cashew::JSPrinter::printStats(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:764:9
    #9 0x700e2e in cashew::JSPrinter::printToplevel(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:774:7
    #10 0x700e2e in cashew::JSPrinter::print(cashew::Ref) /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:723
    #11 0x65363f in cashew::JSPrinter::printAst() /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:563:5
    #12 0x65363f in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm2js.cpp:119
    #13 0x7f284ecc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/simple_ast.h:564:18 in cashew::JSPrinter::printAst()
Shadow bytes around the buggy address:
  0x0c3a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff8130: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13429==ABORTING
kripken added a commit that referenced this issue Jan 19, 2019
kripken added a commit that referenced this issue Jan 23, 2019
* fix buffer overflow in simple_ast.h printing.
* check wasm binary format reading of function export indexes for errors.
* check if s-expr format imports have a non-empty module and base.

Fixes #1876
Fixes #1877
Fixes #1879
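An added illustration of the bug class, not code from binaryen, the reporter or the fix commit: the report shows a 1-byte WRITE landing 0 bytes past the end of a region that ensure() had last grown with realloc, which is the signature of a trailing write (typically a terminator) made without first reserving room for it. The toy printer below, with hypothetical names (Printer, emit, finishUnsafe, finishSafe, fillExactly) and a hypothetical growth policy, models that realloc-backed buffer/size/used pattern, drives it to the exact state the report describes (used == size), and shows the fix of calling ensure() before the final write. The vulnerable path is bounds-checked here so the demo itself never corrupts the heap; it returns false where the real code would overflow.

```cpp
// Added example, not binaryen's code. Models a realloc-backed output buffer
// (buffer / size / used / ensure) and the off-by-one that an unguarded
// terminator write produces when the buffer is filled exactly to capacity.
#include <cstdio>
#include <cstdlib>
#include <cstring>

struct Printer {                 // hypothetical stand-in for cashew::JSPrinter
  char* buffer = nullptr;
  int size = 0;                  // bytes allocated
  int used = 0;                  // bytes written so far (no terminator yet)

  Printer() { ensure(16); }      // hypothetical initial capacity
  ~Printer() { free(buffer); }

  // Grow so that at least `safety` more bytes fit after `used`.
  void ensure(int safety = 100) {
    if (size >= used + safety) return;
    size = (size + safety) * 2;  // hypothetical growth policy
    buffer = static_cast<char*>(realloc(buffer, size));
    if (!buffer) abort();
  }

  void emit(char c) {
    ensure(1);
    buffer[used++] = c;
  }

  void emit(const char* s) {
    int len = static_cast<int>(strlen(s));
    ensure(len);
    memcpy(buffer + used, s, len);
    used += len;
  }

  // Vulnerable shape: terminate without checking for room. When used == size
  // this is a 1-byte heap write just past the allocation, which ASan reports
  // as "heap-buffer-overflow ... WRITE of size 1 ... 0 bytes to the right".
  // The guard below replaces the real overflow with a false return value.
  bool finishUnsafe() {
    if (used >= size) return false;   // the real code would overflow here
    buffer[used] = 0;
    return true;
  }

  // Fixed shape: reserve one byte for the terminator before writing it.
  bool finishSafe() {
    ensure(1);
    buffer[used] = 0;
    return true;
  }
};

// Drive the buffer to the state in the report: used == size exactly.
// emit(char) only grows when used == size, so this loop terminates.
static void fillExactly(Printer& p) {
  do { p.emit('x'); } while (p.used != p.size);
}

// True when the unchecked terminator write would have overflowed.
bool unsafeTerminatorOverflows() {
  Printer p;
  fillExactly(p);
  return !p.finishUnsafe();
}

// True when the fixed version terminates in bounds and keeps the whole output.
bool safeTerminatorOk() {
  Printer p;
  fillExactly(p);
  int n = p.used;
  bool ok = p.finishSafe();
  return ok && p.used < p.size && static_cast<int>(strlen(p.buffer)) == n;
}

// On a buffer that is not exactly full the old code works, which is why the
// bug only surfaces for inputs whose printed length hits the allocation edge.
bool unsafeTerminatorOkWhenNotFull() {
  Printer p;
  p.emit("var x = 1;");            // constructed sample output
  return p.finishUnsafe();
}

int main() {
  printf("unsafe finish on full buffer overflows: %s\n",
         unsafeTerminatorOverflows() ? "yes" : "no");
  printf("safe finish on full buffer ok:          %s\n",
         safeTerminatorOk() ? "yes" : "no");
  printf("unsafe finish on partial buffer ok:     %s\n",
         unsafeTerminatorOkWhenNotFull() ? "yes" : "no");
  return 0;
}
```

Building the real tool with -fsanitize=address is what turns the silent one-byte corruption into the report above; a fuzzer that varies the printed output length is what finds the input that lands exactly on the allocation boundary.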