A Heap-buffer-overflow problem was discovered in WasmBinaryBuilder::getFunctionIndexName(unsigned int). A crafted wasm input can cause segmentation faults, and I have confirmed them with address sanitizer too.
Here are the POC files. Please use "./wasm-opt $POC" to reproduce the error. POC.zip
git log:
commit 0e5e55053c171b138a0cf5aa8a08de8c7714048f
Author: Alon Zakai <alonzakai@gmail.com>
Date: Sat Jan 19 05:30:43 2019 -0800
Show a proper error on an invalid type in binary reading ; fixes #1872 (#1874)
ASAN dumps the stack trace as follows:
=================================================================
==26011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000032a0 at pc 0x0000009ae654 bp 0x7ffd831fce90 sp 0x7ffd831fce88
READ of size 8 at 0x6060000032a0 thread T0
#0 0x9ae653 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:147:42
#1 0x9ae653 in wasm::WasmBinaryBuilder::processFunctions() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:1508
#2 0x980f41 in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:706:3
#3 0xa81ed9 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
#4 0xa84b1c in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
#5 0x627919 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:144:14
#6 0x7ff28f63182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x51c5b8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x51c5b8)
Address 0x6060000032a0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:147:42 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int)
Shadow bytes around the buggy address:
==26011==ABORTING
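As an added illustration, not code from the binaryen repository or from the reporter: a minimal C++ model of the pattern the trace is consistent with, a function index read straight from the binary used to subscript a vector of unique_ptr (each slot is one 8-byte pointer, matching the "READ of size 8"), beside a lookup that validates the index against the module's function count first. The struct and function names are assumptions, and the unchecked variant is shown for comparison only.

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a parsed function; only the name matters here.
struct Function {
  std::string name;
};

// Hypothetical module: defined functions, each owned through a unique_ptr,
// so every vector element is a single 8-byte pointer.
struct Module {
  std::vector<std::unique_ptr<Function>> functions;
};

// Unchecked lookup: an index taken from untrusted input subscripts the vector
// directly. An out-of-range index loads the pointer slot past the buffer,
// which AddressSanitizer reports as a heap-buffer-overflow READ of size 8.
// Shown for comparison; never called below.
std::string getFunctionIndexNameUnchecked(const Module& wasm, uint32_t index) {
  return wasm.functions[index]->name;
}

// Checked lookup: reject any index the module does not define, turning a
// memory error into a parse error the caller can report.
std::string getFunctionIndexNameChecked(const Module& wasm, uint32_t index) {
  if (index >= wasm.functions.size()) {
    throw std::runtime_error("invalid function index " + std::to_string(index));
  }
  return wasm.functions[index]->name;
}

// Constructed sample module with two functions, used by the helpers below.
Module makeSampleModule() {
  Module m;
  m.functions.push_back(std::make_unique<Function>(Function{"f0"}));
  m.functions.push_back(std::make_unique<Function>(Function{"f1"}));
  return m;
}

// Resolves an index against the sample module, throwing on an invalid one.
std::string lookupSample(uint32_t index) {
  return getFunctionIndexNameChecked(makeSampleModule(), index);
}

// True when the checked lookup rejects the index instead of touching memory.
bool sampleRejects(uint32_t index) {
  try {
    lookupSample(index);
    return false;
  } catch (const std::runtime_error&) {
    return true;
  }
}
```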