A Null pointer Dereference problem was discovered in wasm::Module::getFunctionOrNull(wasm::Name). A crafted wasm input can cause segmentation faults and I have confirmed them with address sanitizer too.
Here are the POC files. Please use "wasm-opt $POC" to reproduce the problem. POC.zip
git log:

```
commit 0e5e55053c171b138a0cf5aa8a08de8c7714048f
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Sat Jan 19 05:30:43 2019 -0800

    Show a proper error on an invalid type in binary reading ; fixes #1872 (#1874)
```
The ASAN dumps the stack trace as follows:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9622==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005b1a51 bp 0x7ffe832e8c10 sp 0x7ffe832e8380 T0)
==9622==The signal is caused by a READ memory access.
==9622==Hint: address points to the zero page.
    #0 0x5b1a50 in __interceptor_strcmp.part.253 /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:414
    #1 0x9112ce in cashew::IString::operator<(cashew::IString const&) const /home/wencheng/Documents/FuzzingObject/binaryen/src/emscripten-optimizer/istring.h:123:12
    #2 0x9112ce in std::less<wasm::Name>::operator()(wasm::Name const&, wasm::Name const&) const /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_function.h:386
    #3 0x9112ce in std::_Rb_tree<wasm::Name, std::pair<wasm::Name const, wasm::Function*>, std::_Select1st<std::pair<wasm::Name const, wasm::Function*> >, std::less<wasm::Name>, std::allocator<std::pair<wasm::Name const, wasm::Function*> > >::_M_lower_bound(std::_Rb_tree_node<std::pair<wasm::Name const, wasm::Function*> >*, std::_Rb_tree_node_base*, wasm::Name const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_tree.h:1872
    #4 0x9112ce in std::_Rb_tree<wasm::Name, std::pair<wasm::Name const, wasm::Function*>, std::_Select1st<std::pair<wasm::Name const, wasm::Function*> >, std::less<wasm::Name>, std::allocator<std::pair<wasm::Name const, wasm::Function*> > >::find(wasm::Name const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_tree.h:2523
    #5 0x9112ce in std::map<wasm::Name, wasm::Function*, std::less<wasm::Name>, std::allocator<std::pair<wasm::Name const, wasm::Function*> > >::find(wasm::Name const&) /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_map.h:1164
    #6 0x9112ce in wasm::Module::getFunctionOrNull(wasm::Name) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm.cpp:797
    #7 0xb8dc27 in wasm::validateExports(wasm::Module&, wasm::ValidationInfo&) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-validator.cpp:1209:32
    #8 0xb8dc27 in wasm::WasmValidator::validate(wasm::Module&, wasm::FeatureSet, unsigned int) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-validator.cpp:1298
    #9 0x627aba in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:158:28
    #10 0x7f6ec277982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x51c5b8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x51c5b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/wencheng/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:414 in __interceptor_strcmp.part.253
==9622==ABORTING
```
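The trace above shows the failure path: `validateExports` looks up an export's target with `getFunctionOrNull`, the `std::map<Name, Function*>` lookup invokes `operator<` on the interned-string key, and `strcmp` is handed a null pointer because the export's target name was never set. The following stand-alone C++ is an added illustration, not binaryen's code: it models `wasm::Name` as a nullable interned C string (`Name`, `NameLess`, `Module`, `validateExports` and `buildCraftedModule` are all constructed for this example) and shows the defensive shape a fix takes, a null-safe key ordering so the map can never pass a null pointer to `strcmp`, plus an early null check in the lookup so a missing export target becomes a reported validation error rather than a read of address 0.

```cpp
#include <cstring>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for wasm::Name / cashew::IString: an interned C string.
// A default-constructed Name carries a null pointer, i.e. an unset name.
struct Name {
  const char* str = nullptr;
  Name() = default;
  Name(const char* s) : str(s) {}
  bool isNull() const { return str == nullptr; }
  const char* c_str() const { return str ? str : "<null>"; }
};

// Null-safe strict weak ordering for map keys: a null Name sorts before every
// real string and compares equal to another null, so strcmp only ever sees
// two non-null pointers. (The crash in the report comes from an ordering that
// calls strcmp unconditionally.)
struct NameLess {
  bool operator()(const Name& a, const Name& b) const {
    if (a.isNull()) return !b.isNull();  // null < non-null; null == null
    if (b.isNull()) return false;        // non-null > null
    return std::strcmp(a.str, b.str) < 0;
  }
};

struct Function { Name name; };
struct Export { Name name; Name value; };  // value: name of the exported function

// Hypothetical module with the same lookup shape as the trace:
// std::map<Name, Function*> consulted by getFunctionOrNull.
struct Module {
  std::vector<std::unique_ptr<Function>> functions;
  std::map<Name, Function*, NameLess> functionsMap;
  std::vector<Export> exports;

  void addFunction(const char* n) {
    functions.push_back(std::make_unique<Function>(Function{Name(n)}));
    functionsMap[functions.back()->name] = functions.back().get();
  }

  // An unset name can never refer to a function: refuse it before touching
  // the map at all, so the comparator is not even the last line of defence.
  Function* getFunctionOrNull(Name name) {
    if (name.isNull()) return nullptr;
    auto it = functionsMap.find(name);
    return it == functionsMap.end() ? nullptr : it->second;
  }
};

// Validation in the spirit of validateExports: every export must name an
// existing function; a missing or unset target is an error message, not a crash.
std::vector<std::string> validateExports(Module& m) {
  std::vector<std::string> errors;
  for (auto& e : m.exports) {
    if (e.value.isNull()) {
      errors.push_back(std::string("export '") + e.name.c_str() + "' has no target name");
    } else if (!m.getFunctionOrNull(e.value)) {
      errors.push_back(std::string("export '") + e.name.c_str() +
                       "' refers to unknown function '" + e.value.c_str() + "'");
    }
  }
  return errors;
}

// Constructed scenario modelling the report: one real function, one valid
// export, and one export whose target name was never set.
Module buildCraftedModule() {
  Module m;
  m.addFunction("f");
  m.exports.push_back({Name("good"), Name("f")});
  m.exports.push_back({Name("bad"), Name()});
  return m;
}

int main() {
  Module m = buildCraftedModule();
  std::vector<std::string> errors = validateExports(m);
  for (const auto& err : errors) std::cout << "validation error: " << err << '\n';
  return errors.empty() ? 0 : 1;
}
```

The two layers are deliberate: the null check in `getFunctionOrNull` handles the validator's path, while the null-safe comparator protects every other `std::map` operation on `Name` keys (insert, count, lower_bound) that the validator never calls but a fuzzer will eventually reach through some other pass.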