
Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) #4384

Closed
ZFeiXQ opened this issue Dec 10, 2021 · 0 comments · Fixed by #4388
Closed

Comments

@ZFeiXQ

ZFeiXQ commented Dec 10, 2021

Version:

version_103

System information:
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

Command:

./wasm-dis  POC2

POC2.zip

Result

[28]    3932046 segmentation fault  ./wasm-dis 

GDB information (the faulting instruction in visitLet reads `QWORD PTR [rdx+0x38]` while RDX is 0x0, i.e. a null-pointer dereference through a member loaded from `[rbx+0x148]`; the following `sub`/`sar 3` sequence looks like a vector size computation, so the member is presumably an unset container pointer — to be confirmed against the source)


Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x2 
RBX: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
RCX: 0x0 
RDX: 0x0 
RSI: 0xffffffff 
RDI: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
RBP: 0x7fffffffcf40 --> 0x7fffffffd030 --> 0x7fffffffd0a0 --> 0x7fffffffd100 --> 0x7fffffffd1e0 --> 0x7fffffffd370 (--> ...)
RSP: 0x7fffffffce90 --> 0x8 
RIP: 0x7ffff7c1203c (<_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38])
R8 : 0x0 
R9 : 0x0 
R10: 0x7ffff74d633d ("_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE")
R11: 0x7ffff7be2080 (<_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE>:	endbr64)
R12: 0x17 
R13: 0x55555559ec68 --> 0x1 
R14: 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
R15: 0x1
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7c1202e <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+62>:	mov    rdx,QWORD PTR [rbx+0x148]
   0x7ffff7c12035 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+69>:	mov    rdi,rbx
   0x7ffff7c12038 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+72>:	mov    QWORD PTR [r13+0x8],rax
=> 0x7ffff7c1203c <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38]
   0x7ffff7c12040 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+80>:	sub    rax,QWORD PTR [rdx+0x30]
   0x7ffff7c12044 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+84>:	sar    rax,0x3
   0x7ffff7c12048 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+88>:	mov    r15,rax
   0x7ffff7c1204b <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+91>:	mov    QWORD PTR [rbp-0x88],rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffce90 --> 0x8 
0008| 0x7fffffffce98 --> 0x7fffffffcf10 --> 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
0016| 0x7fffffffcea0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
0024| 0x7fffffffcea8 --> 0x659c1cad59c48400 
0032| 0x7fffffffceb0 --> 0x7fffffffd6c0 --> 0x55555558a7c0 --> 0x55555559ec50 --> 0xa ('\n')
0040| 0x7fffffffceb8 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
0048| 0x7fffffffcec0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
0056| 0x7fffffffcec8 --> 0x7ffff76384e1 (<_ZN10MixedArena10allocSpaceEmm+65>:	mov    rbx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
gdb-peda$ bt
#0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
   from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x000055555555966c in main ()
#9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
    at ../csu/libc-start.c:308
#10 0x0000555555559d4e in _start ()
gdb-peda$ bt
#0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
   from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x000055555555966c in main ()
#9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
    at ../csu/libc-start.c:308
#10 0x0000555555559d4e in _start ()
gdb-peda$ 
#0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
   from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x000055555555966c in main ()
#9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
    at ../csu/libc-start.c:308
#10 0x0000555555559d4e in _start ()