
An assertion abort in wasm::handle_unreachable(char const*, char const*, unsigned int) () #4383

Closed
ZFeiXQ opened this issue Dec 10, 2021 · 0 comments · Fixed by #4389
ZFeiXQ commented Dec 10, 2021

Version:

version_103

System information
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

Command:

```
./wasm-opt POC1
```

POC1.zip

Result:

```
 2492902 abort
```

GDB information

```
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff6d4afc0 (0x00007ffff6d4afc0)
RCX: 0x7ffff6d9518b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffb640 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffffb8b0 --> 0x7fffffffb8c0 --> 0x7fffffffb8e0 --> 0x7fffffffb930 --> 0x7fffffffb9a0 --> 0x7fffffffb9d0 (--> ...)
RSP: 0x7fffffffb640 --> 0x0 
RIP: 0x7ffff6d9518b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffffb640 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7ffff72ad360 --> 0x7ffff72a73d0 --> 0x7ffff7200400 (<_ZNSoD1Ev>:	endbr64)
R13: 0x7ffff72ad360 --> 0x7ffff72a73d0 --> 0x7ffff7200400 (<_ZNSoD1Ev>:	endbr64)
R14: 0x7fffffffccc0 --> 0x555555666f40 --> 0x0 
R15: 0x555555656610 ("label$28")
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6d9517f <__GI_raise+191>:	mov    edi,0x2
   0x7ffff6d95184 <__GI_raise+196>:	mov    eax,0xe
   0x7ffff6d95189 <__GI_raise+201>:	syscall 
=> 0x7ffff6d9518b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff6d95193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
   0x7ffff6d9519c <__GI_raise+220>:	jne    0x7ffff6d951c4 <__GI_raise+260>
   0x7ffff6d9519e <__GI_raise+222>:	mov    eax,r8d
   0x7ffff6d951a1 <__GI_raise+225>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb640 --> 0x0 
0008| 0x7fffffffb648 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
0016| 0x7fffffffb650 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
0024| 0x7fffffffb658 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
0032| 0x7fffffffb660 --> 0x0 
0040| 0x7fffffffb668 --> 0x55555568bdc0 ("label$53")
0048| 0x7fffffffb670 --> 0x7fffffffb6f0 --> 0xffffffffffffffff 
0056| 0x7fffffffb678 --> 0x7ffff7be8775 (<_ZN4wasm17WasmBinaryBuilder13popExpressionEv+85>:	test   al,al)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff6d74859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d3ee48 in wasm::handle_unreachable(char const*, char const*, unsigned int) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#3  0x00007ffff7c84557 in wasm::Type::getHeapType() const () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7bd6a9c in wasm::BrOn::getSentType() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff789c965 in wasm::BranchUtils::operateOnScopeNameUsesAndSentTypes<wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1})::{lambda(wasm::Name&)#1}::operator()(wasm::Name&) const ()
   from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff789ca9d in void wasm::BranchUtils::operateOnScopeNameUses<wasm::BranchUtils::operateOnScopeNameUsesAndSentTypes<wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1})::{lambda(wasm::Name&)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff789d22c in wasm::Walker<wasm::BranchUtils::BranchSeeker, wasm::UnifiedExpressionVisitor<wasm::BranchUtils::BranchSeeker, void> >::doVisitBrOn(wasm::BranchUtils::BranchSeeker*, wasm::Expression**) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x00007ffff7a01ef1 in wasm::BranchUtils::BranchSeeker::has(wasm::Expression*, wasm::Name) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#9  0x00007ffff7bd974f in wasm::handleUnreachable(wasm::Block*, wasm::Block::Breakability) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#10 0x00007ffff7c0f923 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#11 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#12 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#13 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#14 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#15 0x00007ffff7c11fcd in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#16 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#17 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#18 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#19 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#20 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#21 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#22 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#23 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#24 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#25 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#26 0x00007ffff7c0f012 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#27 0x00007ffff7c0b29e in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#28 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#29 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#30 0x00007ffff7c1026b in wasm::WasmBinaryBuilder::readFunctions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#31 0x00007ffff7c11802 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#32 0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
   from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#33 0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#34 0x00007ffff7c3e641 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#35 0x000055555557e5bb in main ()
#36 0x00007ffff6d760b3 in __libc_start_main (main=0x55555557cb40 <main>, argc=0x2, argv=0x7fffffffe258, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe248)
    at ../csu/libc-start.c:308
#37 0x000055555557f97e in _start ()
```
kripken added a commit that referenced this issue Dec 16, 2021
If that type is not valid then we cannot even create and finalize the node,
which means we'd hit an assertion inside finalize(), before we reach the
validator.

Fixes #4383
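As an added illustration (not binaryen's code and not part of this issue or the fix commit), a toy C++ model of the pattern the backtrace and commit message describe: finalize() derives a sent type through getHeapType(), which asserts on a non-reference type, so a reader that builds the node straight from an untrusted type byte aborts before any validator runs. The Kind enum, the type codes and all function names below are hypothetical; the hardened reader rejects the type first and turns the same input into a recoverable parse error.

```cpp
// Added example, not binaryen's code: a toy model of the abort in the backtrace
// above, where getHeapType() asserts on a non-reference type and a reader that
// trusts the type byte reaches it before any validator. Names are hypothetical.
#include <cassert>
#include <cstdint>
#include <stdexcept>
#include <string>
enum class Kind { I32, FuncRef, ExternRef, Invalid };

struct Type {
  Kind kind;
  bool isRef() const { return kind == Kind::FuncRef || kind == Kind::ExternRef; }
  Kind getHeapType() const {  // frame #3: unreachable for non-reference types
    assert(isRef() && "getHeapType() called on a non-reference type");
    return kind;
  }
};

// Hypothetical encoding: only 0x70 and 0x6f are reference types.
static Type decodeType(uint8_t code) {
  switch (code) {
    case 0x7f: return {Kind::I32};
    case 0x70: return {Kind::FuncRef};
    case 0x6f: return {Kind::ExternRef};
    default:   return {Kind::Invalid};
  }
}

struct BrOn {
  Type castType;
  // frame #4: the sent type comes from the heap type, so finalize() trips
  // the assertion whenever castType is not a reference type
  Kind getSentType() const { return castType.getHeapType(); }
  void finalize() { (void)getSentType(); }
};

// Unhardened reader: `BrOn b{decodeType(code)}; b.finalize();` -> SIGABRT on
// bad input. Hardened: reject the type before the node exists, so malformed
// input is a recoverable parse error instead of an assertion abort.
BrOn readBrOnChecked(uint8_t code) {
  Type t = decodeType(code);
  if (!t.isRef()) throw std::runtime_error("br_on: invalid reference type code " + std::to_string(int(code)));
  BrOn b{t}; b.finalize(); return b;
}

// True when the hardened reader rejects `code` without aborting.
bool rejectsInvalid(uint8_t code) {
  try { readBrOnChecked(code); return false; }
  catch (const std::runtime_error&) { return true; }
}
```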