
An abort failure in wasm::Builder::makeFunction #4413

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 2 comments

ZFeiXQ commented Dec 25, 2021

Version:

version_104

Command:

wasm-dis POC8

POC8.zip

Result:

Aborted.

Backtrace:

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff4416040 (0x00007ffff4416040)
RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffb890 --> 0x0 
RDI: 0x2 
RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
RSP: 0x7fffffffb890 --> 0x0 
RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffffb890 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7ffff799dc40 ("/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h")
R13: 0x31 ('1')
R14: 0x7ffff799dc00 ("type.isSignature()")
R15: 0xfffff700 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
   0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
   0x7ffff4460189 <__GI_raise+201>:	syscall 
=> 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
   0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
   0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
   0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb890 --> 0x0 
0008| 0x7fffffffb898 --> 0x49bba0 (<free>:	push   rbp)
0016| 0x7fffffffb8a0 --> 0x7ffffbad8000 
0024| 0x7fffffffb8a8 --> 0x6120000001c0 --> 0x7369642d69000001 
0032| 0x7fffffffb8b0 --> 0x612000000225 ("on> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *): Assertion `type.isSignature()' failed.\n")
0040| 0x7fffffffb8b8 --> 0x6120000001c0 --> 0x7369642d69000001 
0048| 0x7fffffffb8c0 --> 0x6120000001c0 --> 0x7369642d69000001 
0056| 0x7fffffffb8c8 --> 0x6120000002b3 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff443f859 in __GI_abort () at abort.c:79
#2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff799dc00 <str> "type.isSignature()", 
    file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, function=<optimized out>) at assert.c:92
#3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff799dc00 <str> "type.isSignature()", file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, 
    function=0x7ffff799dca0 <__PRETTY_FUNCTION__._ZN4wasm7Builder12makeFunctionENS_4NameENS_8HeapTypeEOSt6vectorINS_4TypeESaIS4_EEPNS_10ExpressionE> "static std::unique_ptr<Function> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *)") at assert.c:101
#4  0x00007ffff51417c4 in wasm::Builder::makeFunction (name=..., type=..., vars=..., body=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h:49
#5  0x00007ffff6ea172f in wasm::WasmBinaryBuilder::readImports (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2059
#6  0x00007ffff6e9967e in wasm::WasmBinaryBuilder::read (this=0x7fffffffcce0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1417
#7  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
#8  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
    at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
#9  0x00000000004cf7ca in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-dis.cpp:65
#10 0x00007ffff44410b3 in __libc_start_main (main=0x4cdef0 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
#11 0x000000000042375e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74

aheejin commented Dec 28, 2021

Can you elaborate on how you create POC8? It looks like an invalid wasm file.


aheejin commented Dec 30, 2021

Will close this for now. (Context: #4410 (comment))

@aheejin aheejin closed this as completed Jan 5, 2022
kripken added a commit that referenced this issue Jan 5, 2022
Without this we hit an assertion later, which is less clear.

See #4413
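An added example for readers of this thread; it is not Binaryen's code and not part of the issue or the commit above. It is a small Python reader for a module's type and import sections that performs, before constructing anything, the check whose absence shows up in the backtrace as `Assertion \`type.isSignature()' failed` inside `Builder::makeFunction` during `readImports`: a function import whose type index is out of range, or names a struct or array type rather than a function signature, is reported as a one-line diagnostic instead of an abort. Assumptions: the toy accepts only single-byte value and storage types (no `(ref null $t)` encodings), handles only function imports (other import kinds raise), uses the type-form and packed-type codes of the 2021 GC draft, and the three module byte strings at the bottom are hand-assembled for this example; none of them is POC8.

```python
WASM_HEADER = b"\0asm\x01\0\0\0"                    # magic + version 1
# Single-byte type codes this toy reader accepts (assumption: no multi-byte
# reference types such as (ref null $t) appear in the inputs).
VALTYPES = {0x7F, 0x7E, 0x7D, 0x7C, 0x7B, 0x70, 0x6F}
STORAGETYPES = VALTYPES | {0x7A, 0x79}              # plus packed i8 / i16 (2021 GC draft codes, assumption)

class WasmFormatError(Exception):
    """Raised for malformed input instead of letting an assertion fire."""

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise WasmFormatError("unexpected end of input")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self, allowed=None, what="byte"):        # one byte, optionally range-checked
        b = self.take(1)[0]
        if allowed is not None and b not in allowed:
            raise WasmFormatError(f"bad {what} 0x{b:02x}")
        return b
    def leb_u32(self):
        result, shift = 0, 0
        while True:
            b = self.u8()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            if (shift := shift + 7) > 28:           # a u32 needs at most 5 bytes
                raise WasmFormatError("LEB128 too long for u32")
    def name(self):
        return self.take(self.leb_u32()).decode("utf-8")

def parse_type_section(r):   # -> form of each type: 'func', 'struct' or 'array'
    kinds = []
    for _ in range(r.leb_u32()):
        form = r.u8()
        if form == 0x60:                            # func: vec(params) vec(results)
            for _ in range(2):
                for _ in range(r.leb_u32()):
                    r.u8(VALTYPES, "valtype")
            kinds.append("func")
        elif form in (0x5F, 0x5E):                  # struct: vec(field); array: field
            for _ in range(r.leb_u32() if form == 0x5F else 1):
                r.u8(STORAGETYPES, "storage type"); r.u8((0, 1), "mutability")
            kinds.append("struct" if form == 0x5F else "array")
        else:
            raise WasmFormatError(f"unknown type form 0x{form:02x}")
    return kinds

def parse_import_section(r, kinds):   # -> [(module, name, typeidx)]
    imports = []
    for _ in range(r.leb_u32()):
        module, field, kind = r.name(), r.name(), r.u8()
        if kind != 0:    # table/memory/global imports are out of scope for this example
            raise WasmFormatError(f"import kind {kind} not handled in this example")
        # These two checks turn the bad input into a diagnostic instead of an abort later.
        typeidx = r.leb_u32()
        if typeidx >= len(kinds):
            raise WasmFormatError(f"import {module}.{field}: type index {typeidx} out of range")
        if kinds[typeidx] != "func":
            raise WasmFormatError(f"import {module}.{field}: type {typeidx} is a "
                                  f"{kinds[typeidx]}, not a function signature")
        imports.append((module, field, typeidx))
    return imports

def read_imports(data):   # walk the sections; return the validated import list
    r = Reader(data)
    if r.take(8) != WASM_HEADER:
        raise WasmFormatError("bad magic or version")
    kinds, imports = [], []
    while r.pos < len(data):
        sec_id, body = r.u8(), Reader(r.take(r.leb_u32()))
        if sec_id == 1:
            kinds = parse_type_section(body)
        elif sec_id == 2:
            imports = parse_import_section(body, kinds)
    return imports

def check(data):   # 'ok', or the message a tool should print instead of aborting
    try:
        read_imports(data)
        return "ok"
    except WasmFormatError as e:
        return f"error: {e}"

# Hand-assembled modules, constructed for this example (every length is < 128,
# so a single byte is its valid LEB128 encoding).
def _vec(items): return bytes([len(items)]) + b"".join(items)
def _sec(sid, body): return bytes([sid, len(body)]) + body
def _name(s): return bytes([len(s)]) + s.encode()
def _func_import(idx): return _name("env") + _name("f") + b"\x00" + bytes([idx])
FUNC_I32_TO_I32 = b"\x60" + _vec([b"\x7F"]) + _vec([b"\x7F"])  # (func (param i32) (result i32))
STRUCT_ONE_I32 = b"\x5F" + _vec([b"\x7F\x01"])                 # (struct (field (mut i32)))
GOOD = WASM_HEADER + _sec(1, _vec([FUNC_I32_TO_I32])) + _sec(2, _vec([_func_import(0)]))
# Type 0 is a struct, yet the import declares a function of that type: the shape
# that reaches Builder::makeFunction with a HeapType that is not a signature.
STRUCT_AS_FUNC = WASM_HEADER + _sec(1, _vec([STRUCT_ONE_I32])) + _sec(2, _vec([_func_import(0)]))
INDEX_OOB = WASM_HEADER + _sec(1, _vec([FUNC_I32_TO_I32])) + _sec(2, _vec([_func_import(3)]))
```

Calling `check()` on the three modules returns `ok` for `GOOD` and a diagnostic naming the offending import for `STRUCT_AS_FUNC` and `INDEX_OOB`; a truncated module is caught by the bounds check in `Reader.take` rather than by an out-of-range read. Doing the signature check at the point where the import is decoded, with the import's module and field name still at hand, is what makes the error message useful, which is the point the commit message above makes about the later assertion being "less clear".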