SEGV in wabt::Decompiler::WrapChild #1990

Open
Q1IQ opened this issue Sep 5, 2022 · 1 comment
Labels
sanitizer failures (errors found by sanitizers/fuzzers)

Comments


Q1IQ commented Sep 5, 2022

Environment

OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : 3054d61f703d609995798f872fc86b462617c294
Version : 1.0.29
Build   : make clang-debug-asan

Proof of concept

poc-3.wasm.zip

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1814123==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe8 (pc 0x7f12f2723bfe bp 0x7ffe034681e0 sp 0x7ffe03467e18 T0)
==1814123==The signal is caused by a READ memory access.
    #0 0x7f12f2723bfe in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe)
    #1 0x609269 in wabt::Decompiler::WrapChild(wabt::Decompiler::Value&, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:125:18
    #2 0x619663 in wabt::Decompiler::BracketIfNeeded(wabt::Decompiler::Value&, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:143:11
    #3 0x60ce08 in wabt::Decompiler::WrapBinary(std::vector<wabt::Decompiler::Value, std::allocator<wabt::Decompiler::Value>>&, std::basic_string_view<char, std::char_traits<char>>, bool, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:153:5
    #4 0x5cfb8b in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:473:16
    #5 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #6 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #8 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #9 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #10 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
    #11 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
    #12 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
    #13 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
    #14 0x7f12f2272082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long)
==1814123==ABORTING

keithw added the "sanitizer failures" (errors found by sanitizers/fuzzers) label Sep 18, 2022

rathann (Contributor) commented Mar 17, 2023

This is CVE-2023-27119.
