Version:
version_103
System information
command:
```
./bin/wasm-ctor-eval POC4
```
POC4.zip
Result
```
1887835 segmentation fault  ./bin/wasm-ctor-eval
```
GDB information
```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfbad8001
RBX: 0x0
RCX: 0x0
RDX: 0x7fffff7ff490 --> 0x3000000020 (' ')
RSI: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
RDI: 0x7fffff7ff2e0 --> 0x7ffffbad8001
RBP: 0x7fffff7ff2c0 --> 0x7fffff7ff460 --> 0x0
RSP: 0x7fffff7fed50
RIP: 0x7ffff6f16a01 (<__vfprintf_internal+33>: mov DWORD PTR [rbp-0x4c0],ecx)
R8 : 0x0
R9 : 0x7fffff7ff3d0 --> 0x0
R10: 0x7ffff6f2c180 (<___vsnprintf>: endbr64)
R11: 0x7ffff7088be0 --> 0x555555800a40 --> 0x6201f248
R12: 0x7fffff7ff2e0 --> 0x7ffffbad8001
R13: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
R14: 0x7fffff7ff490 --> 0x3000000020 (' ')
R15: 0x7fffff7ff490 --> 0x3000000020 (' ')
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6f169f6 <__vfprintf_internal+22>: mov r12,rdi
   0x7ffff6f169f9 <__vfprintf_internal+25>: push rbx
   0x7ffff6f169fa <__vfprintf_internal+26>: sub rsp,0x548
=> 0x7ffff6f16a01 <__vfprintf_internal+33>: mov DWORD PTR [rbp-0x4c0],ecx
   0x7ffff6f16a07 <__vfprintf_internal+39>: mov rax,QWORD PTR fs:0x28
   0x7ffff6f16a10 <__vfprintf_internal+48>: mov QWORD PTR [rbp-0x38],rax
   0x7ffff6f16a14 <__vfprintf_internal+52>: xor eax,eax
   0x7ffff6f16a16 <__vfprintf_internal+54>: mov rax,QWORD PTR [rip+0x171453] # 0x7ffff7087e70
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fed50
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
1289	vfprintf-internal.c: No such file or directory.
gdb-peda$ bt 20
#0  0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
#1  0x00007ffff6f2c11a in __vsnprintf_internal (string=0x7fffff7ff460 "", maxlen=<optimized out>, format=0x7ffff7df5092 "%lu", args=0x7fffff7ff490, mode_flags=0x0) at vsnprintf.c:114
#2  0x000055555557737f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > __gnu_cxx::__to_xstring<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char>(int (*)(char*, unsigned long, char const*, __va_list_tag*), unsigned long, char const*, ...) ()
#3  0x00007ffff7c00030 in wasm::WasmBinaryBuilder::getNextLabel() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0eeef in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#9  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#10 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#11 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#12 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#13 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#14 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#15 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#16 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#17 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#18 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#19 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
(More stack frames follow...)
gdb-peda$
```
This looks like a stack overflow - there are many thousands of nested try-catches, and after 6625 or so it faults. Running in valgrind shows

```
Stack overflow in thread #1: can't grow stack to 0x1ffe801000
```

Increasing the stack size leads to a proper error,

```
[parse exception: attempted pop from empty stack / beyond block start boundary at 18824 (at 0:18824)]
```

I don't know much about stack overflow mitigations in native builds. Is there anything we should do here?
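The standard mitigation for the failure mode diagnosed above (a recursive-descent parser descending once per nested block until the native stack runs out) is a nesting-depth counter that turns over-deep input into an ordinary parse error before the stack is exhausted. The block below is an added illustration written for this page, not Binaryen's code: it parses a constructed toy block format whose opcodes (`OP_TRY`, `OP_END`, `OP_NOP`), `ToyParser` class, and `maxDepth` limit are all assumptions made for the example, and it shows that a hostile input with 100000 nested blocks is rejected with a message instead of a SIGSEGV.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed toy opcodes for this example (NOT Binaryen's real wasm
// encoding): TRY opens a nested block, END closes the innermost open
// block, NOP is a leaf instruction.
constexpr uint8_t OP_NOP = 0x01;
constexpr uint8_t OP_TRY = 0x06;
constexpr uint8_t OP_END = 0x0B;

// Thrown for malformed input so the caller can report it instead of crashing.
struct ParseError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Minimal recursive-descent parser for the toy format. Each nested block
// costs one native stack frame, so the depth counter bounds stack use.
class ToyParser {
public:
  ToyParser(const std::vector<uint8_t>& bytes, size_t maxDepth)
      : bytes_(bytes), maxDepth_(maxDepth) {}

  // Parses the whole input and returns the deepest nesting level seen.
  size_t parse() {
    pos_ = 0;
    deepest_ = 0;
    parseBlock(0);
    return deepest_;
  }

private:
  void parseBlock(size_t depth) {
    // The guard: reject the input before recursion can exhaust the stack.
    if (depth > maxDepth_) {
      throw ParseError("nesting depth exceeds limit of " +
                       std::to_string(maxDepth_) + " at offset " +
                       std::to_string(pos_));
    }
    if (depth > deepest_) {
      deepest_ = depth;
    }
    while (pos_ < bytes_.size()) {
      uint8_t op = bytes_[pos_++];
      switch (op) {
        case OP_NOP:
          break;
        case OP_TRY:
          parseBlock(depth + 1);  // descend into the child block
          break;
        case OP_END:
          if (depth == 0) {
            throw ParseError("unexpected END at offset " + std::to_string(pos_ - 1));
          }
          return;  // child block closed; resume in the parent
        default:
          throw ParseError("unknown opcode at offset " + std::to_string(pos_ - 1));
      }
    }
    if (depth != 0) {
      throw ParseError("input ended inside a block at depth " + std::to_string(depth));
    }
  }

  const std::vector<uint8_t>& bytes_;
  size_t maxDepth_;
  size_t pos_ = 0;
  size_t deepest_ = 0;
};

// Builds `n` nested TRY blocks around a single NOP (constructed test input).
std::vector<uint8_t> nestedTries(size_t n) {
  std::vector<uint8_t> out(n, OP_TRY);
  out.push_back(OP_NOP);
  out.insert(out.end(), n, OP_END);
  return out;
}

// Returns the deepest nesting, or -1 if the parser rejected the input
// (the error message is copied into *err when one is supplied).
long parseDepth(const std::vector<uint8_t>& bytes, size_t maxDepth,
                std::string* err = nullptr) {
  try {
    return static_cast<long>(ToyParser(bytes, maxDepth).parse());
  } catch (const ParseError& e) {
    if (err) *err = e.what();
    return -1;
  }
}

int main() {
  std::string err;
  std::cout << "3 nested blocks: depth " << parseDepth(nestedTries(3), 1000) << "\n";
  std::cout << "100000 nested blocks, limit 1000: "
            << parseDepth(nestedTries(100000), 1000, &err) << " (" << err << ")\n";
  return 0;
}
```

The limit should be chosen from the parser's per-frame stack cost and the smallest stack the tool is expected to run on; whatever value is picked, the guard makes the failure deterministic and reportable, which is what the valgrind run above shows a larger stack achieving by accident.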