Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A stack-overflow in printf_common() #4391

Open
ZFeiXQ opened this issue Dec 14, 2021 · 1 comment
Open

A stack-overflow in printf_common() #4391

ZFeiXQ opened this issue Dec 14, 2021 · 1 comment

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Dec 14, 2021

Version:

version_103

System information

command:

./bin/wasm-ctor-eval POC4

POC4.zip

Result

1887835 segmentation fault  ./bin/wasm-ctor-eval 

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfbad8001 
RBX: 0x0 
RCX: 0x0 
RDX: 0x7fffff7ff490 --> 0x3000000020 (' ')
RSI: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
RDI: 0x7fffff7ff2e0 --> 0x7ffffbad8001 
RBP: 0x7fffff7ff2c0 --> 0x7fffff7ff460 --> 0x0 
RSP: 0x7fffff7fed50 
RIP: 0x7ffff6f16a01 (<__vfprintf_internal+33>:	mov    DWORD PTR [rbp-0x4c0],ecx)
R8 : 0x0 
R9 : 0x7fffff7ff3d0 --> 0x0 
R10: 0x7ffff6f2c180 (<___vsnprintf>:	endbr64)
R11: 0x7ffff7088be0 --> 0x555555800a40 --> 0x6201f248 
R12: 0x7fffff7ff2e0 --> 0x7ffffbad8001 
R13: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
R14: 0x7fffff7ff490 --> 0x3000000020 (' ')
R15: 0x7fffff7ff490 --> 0x3000000020 (' ')
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6f169f6 <__vfprintf_internal+22>:	mov    r12,rdi
   0x7ffff6f169f9 <__vfprintf_internal+25>:	push   rbx
   0x7ffff6f169fa <__vfprintf_internal+26>:	sub    rsp,0x548
=> 0x7ffff6f16a01 <__vfprintf_internal+33>:	mov    DWORD PTR [rbp-0x4c0],ecx
   0x7ffff6f16a07 <__vfprintf_internal+39>:	mov    rax,QWORD PTR fs:0x28
   0x7ffff6f16a10 <__vfprintf_internal+48>:	mov    QWORD PTR [rbp-0x38],rax
   0x7ffff6f16a14 <__vfprintf_internal+52>:	xor    eax,eax
   0x7ffff6f16a16 <__vfprintf_internal+54>:	mov    rax,QWORD PTR [rip+0x171453]        # 0x7ffff7087e70
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fed50
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
1289	vfprintf-internal.c: No such file or directory.

gdb-peda$ bt 20
#0  0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
#1  0x00007ffff6f2c11a in __vsnprintf_internal (string=0x7fffff7ff460 "", maxlen=<optimized out>, format=0x7ffff7df5092 "%lu", args=0x7fffff7ff490, mode_flags=0x0) at vsnprintf.c:114
#2  0x000055555557737f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > __gnu_cxx::__to_xstring<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char>(int (*)(char*, unsigned long, char const*, __va_list_tag*), unsigned long, char const*, ...) ()
#3  0x00007ffff7c00030 in wasm::WasmBinaryBuilder::getNextLabel() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0eeef in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#9  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#10 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#11 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#12 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#13 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#14 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#15 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#16 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#17 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#18 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#19 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
(More stack frames follow...)
gdb-peda$ 

@kripken
Copy link
Member

kripken commented Dec 14, 2021

This looks like a stack overflow - there are many thousands of nested try-catches, and after 6625 or so it faults. Running in valgrind shows

Stack overflow in thread #1: can't grow stack to 0x1ffe801000

Increasing the stack size leads to a proper error,

[parse exception: attempted pop from empty stack / beyond block start boundary at 18824 (at 0:18824)]

I don't know much about stack overflow mitigations in native builds. Is there anything we should do here?

@ZFeiXQ ZFeiXQ changed the title Invalid memory address dereference in __vfprintf_internal () A stack-overflow in printf_common() Dec 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants