Segmentation fault in wabt::cat_compute_size #1938

Open
Q1IQ opened this issue Jun 24, 2022 · 1 comment
Labels
sanitizer failures (errors found by sanitizers/fuzzers)

Comments

Q1IQ commented Jun 24, 2022

Environment

OS      : Linux ubuntu 5.13.0-51-generic #58~20.04.1-Ubuntu SMP Tue Jun 14 11:29:12 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : 57e6a58bfdd0babfd6f7fe401c9f2d8238ec3213
Version : 1.0.29

Proof of concept

poc.wasm.zip

Stack dump

./wasm-decompile --enable-all ./poc.wasm

pwndbg> r  --enable-all ./poc.wasm
Starting program: ./wasm-decompile --enable-all ./poc.wasm

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f50234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator std::basic_string_view<char, std::char_traits<char> >() const () from /lib/x86_64-linux-gnu/libstdc++.so.6
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x6323e0 (__libc_csu_init) ◂— endbr64 
 RCX  0x7fffffffbc98 ◂— 0x4
 RDX  0x63b2a7 ◂— 0x6c652000207b2029 /* ') { ' */
 RDI  0x0
 RSI  0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
 R8   0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
 R9   0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
 R10  0x7fffffffc7a0 —▸ 0x7fffffffc7b0 —▸ 0x7fffffffc700 —▸ 0x7fffffffc720 —▸ 0x7fffffffc750 ◂— ...
 R11  0x7fffffffceb8 ◂— 0x0
 R12  0x54fef0 (_start) ◂— endbr64 
 R13  0x7fffffffdec0 ◂— 0x3
 R14  0x0
 R15  0x0
 RBP  0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 —▸ 0x7fffffffbdc0 ◂— ...
 RSP  0x7fffffffbc48 —▸ 0x5befc9 ◂— mov    qword ptr [rbp - 0x20], rax
 RIP  0x7ffff7f50234 ◂— mov    rdx, qword ptr [rdi]
───────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
 ► 0x7ffff7f50234    mov    rdx, qword ptr [rdi]
   0x7ffff7f50237    mov    rax, qword ptr [rdi + 8]
   0x7ffff7f5023b    ret    
 
   0x7ffff7f5023c    nop    dword ptr [rax]
   0x7ffff7f50240    endbr64 
   0x7ffff7f50244    mov    rax, qword ptr [rdi]
   0x7ffff7f50247    ret    
 
   0x7ffff7f50248    nop    dword ptr [rax + rax]
   0x7ffff7f50250    endbr64 
   0x7ffff7f50254    push   r12
   0x7ffff7f50256    shl    rsi, 2
───────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffbc48 —▸ 0x5befc9 ◂— mov    qword ptr [rbp - 0x20], rax
01:0008│     0x7fffffffbc50 —▸ 0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 ◂— ...
02:0010│     0x7fffffffbc58 —▸ 0x5514f1 ◂— mov    rcx, qword ptr [rbp - 0x18]
03:0018│     0x7fffffffbc60 —▸ 0x719fb0 —▸ 0x71a000 —▸ 0x71a130 —▸ 0x71a0d0 ◂— ...
04:0020│     0x7fffffffbc68 —▸ 0x7fffffffbc98 ◂— 0x4
05:0028│     0x7fffffffbc70 —▸ 0x63b1b1 ◂— 0x7274705f007d20 /* ' }' */
06:0030│     0x7fffffffbc78 ◂— 0x0
07:0038│ rbp 0x7fffffffbc80 —▸ 0x7fffffffbcc0 —▸ 0x7fffffffbd10 —▸ 0x7fffffffbd60 —▸ 0x7fffffffbdc0 ◂— ...
─────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7f50234
   f 1         0x5befc9
   f 2         0x5bef9b
   f 3         0x5bef47
   f 4         0x5bee9b
   f 5         0x5ba4e0
   f 6         0x5a9325
   f 7         0x5a4b56 wabt::Decompiler::Decompile[abi:cxx11]()+3622
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7f50234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator std::basic_string_view<char, std::char_traits<char> >() const () from /lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00000000005befc9 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#2  0x00000000005bef9b in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#3  0x00000000005bef47 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#4  0x00000000005bee9b in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#5  0x00000000005ba4e0 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > wabt::cat<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const (&) [3]) ()
#6  0x00000000005a9325 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) ()
#7  0x00000000005a4b56 in wabt::Decompiler::Decompile[abi:cxx11]() ()
#8  0x00000000005a33b5 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) ()
#9  0x0000000000550432 in ProgramMain(int, char**) ()
#10 0x0000000000550752 in main ()
#11 0x00007ffff7a92083 in __libc_start_main (main=0x550730 <main>, argc=3, argv=0x7fffffffdec8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdeb8) at ../csu/libc-start.c:308
#12 0x000000000054ff1e in _start ()

Credit

P1umer(@P1umer) Q1IQ(@Q1IQ)
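An added example for triaging this report; it is not wabt's code and not part of the issue. The backtrace shows `cat_compute_size` instantiated recursively (frame #4 has all five arguments, each inner frame has one fewer) and faulting inside `std::string::operator std::string_view` with RDI (the `this` pointer) equal to 0. The model below reproduces that shape: a variadic `cat()` that converts each argument to `string_view` to size and then append it. `cat`/`cat_compute_size`/`cat_append` are assumed to mirror wabt's helpers only as far as the backtrace supports; `lookup`, `render`, `render_checked` and the literal strings are hypothetical stand-ins for the decompiler call in frame #5.

```cpp
// Added example (not wabt code): model of a variadic cat()/cat_compute_size()
// of the shape implied by the backtrace, a null-reference crash of the same
// class, and a checked variant that refuses to form the bad reference.
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>
#include <vector>

inline size_t cat_compute_size() { return 0; }

// Each level converts one argument to string_view and recurses on the rest, so
// the instantiation named in the faulting frame lists exactly the arguments
// that were still unprocessed when the bad one was touched.
template <typename T, typename... Ts>
size_t cat_compute_size(const T& t, const Ts&... args) {
  // For a const std::string& bound through a null pointer this conversion
  // loads the data pointer and length from `this`, i.e. `mov rdx,[rdi]`
  // with rdi == 0: the SIGSEGV in the report.
  return std::string_view(t).size() + cat_compute_size(args...);
}

inline void cat_append(std::string&) {}

template <typename T, typename... Ts>
void cat_append(std::string& out, const T& t, const Ts&... args) {
  out += std::string_view(t);
  cat_append(out, args...);
}

template <typename... Ts>
std::string cat(const Ts&... args) {
  std::string s;
  s.reserve(cat_compute_size(args...));  // size pass first, as in frame #5
  cat_append(s, args...);
  return s;
}

// Hypothetical caller with the same argument shape as frame #5:
// cat<char[5], std::string, char[5], std::string, char[3]>.
std::string render(const std::string& lhs, const std::string& rhs) {
  return cat("lhs ", lhs, " op ", rhs, ") ");
}

// Assumed stand-in for a by-index name lookup that yields nullptr on an
// out-of-range index instead of failing loudly.
const std::string* lookup(const std::vector<std::string>& names, size_t i) {
  return i < names.size() ? &names[i] : nullptr;
}

// Hardened variant: validate both lookups before binding a reference.
std::string render_checked(const std::vector<std::string>& names,
                           size_t i, size_t j) {
  static const std::string kUnknown = "?";
  const std::string* lhs = lookup(names, i);
  const std::string* rhs = lookup(names, j);
  return render(lhs ? *lhs : kUnknown, rhs ? *rhs : kUnknown);
}

int main(int argc, char**) {
  std::vector<std::string> names{"f", "g"};  // constructed sample input
  std::printf("%s\n", render(*lookup(names, 0), *lookup(names, 1)).c_str());
  std::printf("%s\n", render_checked(names, 0, 7).c_str());
  if (argc > 1) {
    // Crash path (run with any argument, build at -O0): index 7 does not
    // exist, the null pointer is dereferenced into a const std::string&, and
    // the fault lands in cat_compute_size<std::string, char[3]>, just as in
    // frame #1 of the report.
    std::printf("%s\n", render(*lookup(names, 0), *lookup(names, 7)).c_str());
  }
  return 0;
}
```

Reading the report's frames against this model: frame #4 still holds all five arguments, frame #1 holds only `(std::string, char[3])`, so the argument being converted when the fault hit is the second `std::string` of the five (the fourth argument of the `cat` call in frame #5), and RDI == 0 says that reference was formed from a null pointer rather than from a corrupted string object. Dereferencing a null pointer is undefined behaviour, so an optimizing build may move or elide the fault; reproduce at -O0 or under ASan.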

keithw added the "sanitizer failures (errors found by sanitizers/fuzzers)" label Sep 18, 2022
rathann (Contributor) commented Mar 17, 2023

This is CVE-2023-27115.
