
Null pointer Dereference in WasmBinaryBuilder::getFunctionIndexName(unsigned int) in wasm/wasm-binary.cpp #1879

Closed
wcventure opened this issue Jan 20, 2019 · 2 comments

Comments

@wcventure

Hi, there.

A null pointer dereference problem was discovered in WasmBinaryBuilder::getFunctionIndexName(unsigned int) in wasm/wasm-binary.cpp. A crafted wasm input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "wasm-opt $POC" to reproduce the problem.
POC.zip

git log

commit 0e5e55053c171b138a0cf5aa8a08de8c7714048f
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Sat Jan 19 05:30:43 2019 -0800

    Show a proper error on an invalid type in binary reading ; fixes #1872 (#1874)

ASAN dumps the stack trace as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==14886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009ace8e bp 0x7ffccfd53b70 sp 0x7ffccfd539a0 T0)
==14886==The signal is caused by a READ memory access.
==14886==Hint: address points to the zero page.
    #0 0x9ace8d in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:970:10
    #1 0x9ace8d in wasm::WasmBinaryBuilder::processFunctions() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:1508
    #2 0x980f41 in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:706:3
    #3 0xa81ed9 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
    #4 0xa84b1c in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
    #5 0x627919 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:144:14
    #6 0x7fac33df582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x51c5b8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x51c5b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:970:10 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int)
==14886==ABORTING
@wcventure
Author

Can be broken again.
POC.zip

git log

commit e63c4a7d04c145dafaf4b09de5f9f5de69cee8ef (HEAD -> master, origin/master, origin/HEAD)
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Tue Jan 22 17:15:37 2019 -0800

    More misc ASAN fixes (#1882)

    * fix buffer overflow in simple_ast.h printing.
    * check wasm binary format reading of function export indexes for errors.
    * check if s-expr format imports have a non-empty module and base.

    Fixes #1876
    Fixes #1877
    Fixes #1879
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4544==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000a81aa3 bp 0x7ffed8a90870 sp 0x7ffed8a90000 T0)
==4544==The signal is caused by a READ memory access.
==4544==Hint: address points to the zero page.
    #0 0xa81aa2 in AddressIsPoisoned /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_mapping.h:343
    #1 0xa81aa2 in QuickCheckForUnpoisonedRegion /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:32
    #2 0xa81aa2 in __asan_memcpy /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
    #3 0xe09f05 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:970:10
    #4 0xdfed24 in wasm::WasmBinaryBuilder::processFunctions() /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:1534:45
    #5 0xdea7a4 in wasm::WasmBinaryBuilder::read() /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:706:3
    #6 0xf39472 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-io.cpp:52:10
    #7 0xf3a2f0 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-io.cpp:71:5
    #8 0xac966c in main /home/hjwang/Documents/Experiment/binaryen/src/tools/wasm-opt.cpp:144:14
    #9 0x7f7b87f69b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x9c2fe9 in _start (/home/hjwang/Documents/Experiment/binaryen/build/bin/wasm-opt+0x9c2fe9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_mapping.h:343 in AddressIsPoisoned
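The commit message quoted above describes the fix as checking function export indexes read from the binary for errors. The following is an added illustration of that pattern, not binaryen's code: a hypothetical reader (`Reader`, `Function`, `Export` are invented stand-ins) that resolves export records to function names by index. `getFunctionUnchecked` shows how an out-of-range index turns into a null pointer that a caller would dereference, and `getFunctionIndexName` shows the defensive form that validates the index against the declared function count and reports a parse error instead. The sample input is constructed to have the shape the reports describe: an export whose index points past the declared functions.

```cpp
// Added illustration, not binaryen's code. Hypothetical reader types that mimic
// the export-index lookup described in the issue's commit message.
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Function {            // hypothetical stand-in for a parsed function
  std::string name;
};

struct Export {              // hypothetical export record: (name, function index)
  std::string name;
  uint32_t index;
};

// Hypothetical reader state: functions declared so far, indexed by position.
struct Reader {
  std::vector<std::unique_ptr<Function>> functions;
  std::vector<Export> exports;
};

// Unchecked lookup: yields nullptr for out-of-range indexes. A caller that
// dereferences the result without testing it crashes on a crafted input.
const Function* getFunctionUnchecked(const Reader& r, uint32_t index) {
  if (index >= r.functions.size()) return nullptr;
  return r.functions[index].get();
}

// Checked lookup: validates the index against the declared function count and
// raises a parse error instead of handing back a null pointer.
const std::string& getFunctionIndexName(const Reader& r, uint32_t index) {
  if (index >= r.functions.size()) {
    throw std::runtime_error("invalid function index " + std::to_string(index) +
                             " (only " + std::to_string(r.functions.size()) +
                             " functions declared)");
  }
  const Function* f = r.functions[index].get();
  if (!f) {  // slot reserved but never filled in
    throw std::runtime_error("function index " + std::to_string(index) +
                             " has no body");
  }
  return f->name;
}

// Resolve every export to "<export name> -> <function name>". Stops at the
// first invalid index, stores the error text in `err`, and returns false.
bool resolveExports(const Reader& r, std::vector<std::string>& out,
                    std::string& err) {
  for (const Export& e : r.exports) {
    try {
      out.push_back(e.name + " -> " + getFunctionIndexName(r, e.index));
    } catch (const std::runtime_error& ex) {
      err = ex.what();
      return false;
    }
  }
  return true;
}

// Constructed sample: two declared functions and an export pointing past them.
Reader makeCraftedSample() {
  Reader r;
  r.functions.push_back(std::make_unique<Function>(Function{"f0"}));
  r.functions.push_back(std::make_unique<Function>(Function{"f1"}));
  r.exports.push_back({"ok", 1});
  r.exports.push_back({"bad", 7});  // index out of range
  return r;
}

// Runs the constructed sample through the checked path. True when the valid
// export resolved and the bad one was rejected with an error naming index 7.
bool craftedSampleIsRejected() {
  Reader r = makeCraftedSample();
  std::vector<std::string> out;
  std::string err;
  bool ok = resolveExports(r, out, err);
  return !ok && out.size() == 1 && out[0] == "ok -> f1" &&
         err.find("invalid function index 7") != std::string::npos;
}
```

The point of the checked variant is that the error is produced at the place where the untrusted index is read, so later stages never see a null entry; a fuzzer feeding `wasm-opt` malformed modules then gets a clean parse error rather than a sanitizer crash.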

@kripken
Member

kripken commented Jan 24, 2019

I think those are fixed with #1887

kripken added a commit that referenced this issue Jan 24, 2019
fixes bug reported in comment on e63c4a7 , #1885 (comment) , #1879 (comment)