
Heap out of bounds read - WASM_OP_I64_STORE8: wasm_interp_call_func_bytecode (wasm_interp.c:1230) #48

Closed
pventuzelo opened this issue Jul 23, 2019 · 1 comment

pventuzelo commented Jul 23, 2019

Environment

  • Related Binary: ./iwasm (linux build)
  • Commit: 9a02c49

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1230)
case: WASM_OP_I64_STORE8

Steps to reproduce the behavior

  • Download:
    PoC.zip

  • Run:
    ./iwasm PoC.wasm

Additional Information

Crash

[1]    23333 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810dc --> 0x0 
RCX: 0x0 
RDX: 0x41 ('A')
RSI: 0x7fffffffce0c --> 0xffffd0e000000001 
RDI: 0x5555557810e0 --> 0x100000000 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555564068 (<wasm_interp_call_func_bytecode+19497>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x0 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f163 --> 0xbc85e44100c14103 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555564056 <wasm_interp_call_func_bytecode+19479>:	jbe    0x5555555640e4 <wasm_interp_call_func_bytecode+19621>
   0x55555556405c <wasm_interp_call_func_bytecode+19485>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555564061 <wasm_interp_call_func_bytecode+19490>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555564068 <wasm_interp_call_func_bytecode+19497>:	mov    rdx,QWORD PTR [rax+0x18]
   0x55555556406c <wasm_interp_call_func_bytecode+19501>:	mov    ecx,DWORD PTR [rbp-0x6b0]
   0x555555564072 <wasm_interp_call_func_bytecode+19507>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555564079 <wasm_interp_call_func_bytecode+19514>:	mov    eax,DWORD PTR [rax+0x30]
   0x55555556407c <wasm_interp_call_func_bytecode+19517>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f3c01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
1230	        DEF_OP_STORE(uint64, I64, *(uint8*)maddr = (uint8)sval);
#0  0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==23329== Memcheck, a memory error detector
==23329== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23329== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23329== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555640f9/PoC.wasm
==23329== 
==23329== Invalid read of size 8
==23329==    at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329==    by 0x10BAD7: app_instance_main (main.c:54)
==23329==    by 0x10C0EA: main (main.c:217)
==23329==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==23329== 
==23329== 
==23329== Process terminating with default action of signal 11 (SIGSEGV)
==23329==  Access not within mapped region at address 0x18
==23329==    at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329==    by 0x10BAD7: app_instance_main (main.c:54)
==23329==    by 0x10C0EA: main (main.c:217)
==23329==  If you believe this happened as a result of a stack
==23329==  overflow in your program's main thread (unlikely but
==23329==  possible), you can try to increase the size of the
==23329==  main thread stack using the --main-stacksize= flag.
==23329==  The main thread stack size used in this run was 8388608.
==23329== 
==23329== HEAP SUMMARY:
==23329==     in use at exit: 0 bytes in 0 blocks
==23329==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==23329== 
==23329== All heap blocks were freed -- no leaks are possible
==23329== 
==23329== For counts of detected and suppressed errors, rerun with: -v
==23329== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    23329 segmentation fault  valgrind ./iwasm 
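The register dump above shows rax = 0 at the faulting mov rdx,QWORD PTR [rax+0x18], and Valgrind reports the read at address 0x18, i.e. a field read through a null pointer while the interpreter executes the i64.store8 handler. As an added example (not code from this issue or from wasm-micro-runtime), the following minimal C store handler shows the two checks such a handler needs before it touches linear memory: that the instance actually has a memory, and that the effective address plus the access width, computed in 64 bits, lies inside it. The LinearMemory layout, the Trap codes and the store_n/run_checks names are assumptions made for this example; it generalises the i64.store8 case to the 1/2/4/8-byte store widths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a wasm linear-memory instance (not WAMR's real struct).
   A module that declares no memory has mem->data == NULL, or no instance at all. */
typedef struct {
    uint8_t *data;   /* base of linear memory */
    uint32_t size;   /* bytes currently mapped */
} LinearMemory;

typedef enum {
    TRAP_NONE = 0,
    TRAP_NO_MEMORY,   /* store executed without a linear memory instance */
    TRAP_OOB,         /* effective address + width exceeds memory size */
    TRAP_BAD_WIDTH    /* width not 1, 2, 4 or 8 */
} Trap;

/* Generic little-endian store of the low `width` bytes of `sval`, covering
   i64.store8 (width 1), i64.store16 (2), i64.store32 (4) and i64.store (8). */
static Trap store_n(LinearMemory *mem, uint32_t addr, uint32_t offset,
                    unsigned width, uint64_t sval)
{
    if (width != 1 && width != 2 && width != 4 && width != 8)
        return TRAP_BAD_WIDTH;
    /* Check 1: never dereference fields of a missing memory instance. */
    if (mem == NULL || mem->data == NULL)
        return TRAP_NO_MEMORY;
    /* Check 2: compute the effective address in 64 bits so that addr + offset
       cannot wrap around 2^32 and slip past the bounds check. */
    uint64_t ea = (uint64_t)addr + (uint64_t)offset;
    if (ea + width > (uint64_t)mem->size)
        return TRAP_OOB;
    for (unsigned i = 0; i < width; i++)
        mem->data[ea + i] = (uint8_t)(sval >> (8 * i));
    return TRAP_NONE;
}

/* Constructed 64-byte memory used by run_checks() and main(). */
static uint8_t demo_buf[64];
static LinearMemory demo_mem = { demo_buf, sizeof demo_buf };

/* Exercises the handler; returns 0 if every case behaved as expected,
   otherwise the 1-based index of the first failing case. */
static int run_checks(void)
{
    LinearMemory no_mem = { NULL, 0 };
    memset(demo_buf, 0, sizeof demo_buf);

    /* 1-2: in-bounds i64.store8 writes only the low byte */
    if (store_n(&demo_mem, 10, 0, 1, 0x11223344AABBCCDDULL) != TRAP_NONE) return 1;
    if (demo_buf[10] != 0xDD || demo_buf[11] != 0) return 2;
    /* 3: last valid byte */
    if (store_n(&demo_mem, 63, 0, 1, 0xFF) != TRAP_NONE) return 3;
    /* 4: one byte past the end */
    if (store_n(&demo_mem, 64, 0, 1, 0xFF) != TRAP_OOB) return 4;
    /* 5: addr + offset wraps to 0 in 32 bits; must still trap */
    if (store_n(&demo_mem, 0xFFFFFFFFu, 1, 1, 0xFF) != TRAP_OOB) return 5;
    /* 6: 8-byte store straddling the end */
    if (store_n(&demo_mem, 60, 0, 8, 0x0102030405060708ULL) != TRAP_OOB) return 6;
    /* 7-8: 8-byte store exactly filling the last 8 bytes, little-endian */
    if (store_n(&demo_mem, 56, 0, 8, 0x0102030405060708ULL) != TRAP_NONE) return 7;
    if (demo_buf[56] != 0x08 || demo_buf[63] != 0x01) return 8;
    /* 9-10: module without linear memory, or no instance at all */
    if (store_n(&no_mem, 0, 0, 1, 1) != TRAP_NO_MEMORY) return 9;
    if (store_n(NULL, 0, 0, 1, 1) != TRAP_NO_MEMORY) return 10;
    return 0;
}

int main(void)
{
    int failed = run_checks();
    if (failed)
        printf("check %d failed\n", failed);
    else
        printf("all checks passed\n");
    return failed != 0;
}
```

The second check is the one a fuzzer most often finds missing: a bounds test done in 32-bit arithmetic lets addr + offset wrap to a small value, so the width is added after widening to 64 bits.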
pventuzelo (Author)

Fixed with c47baf2

wenyongh added a commit that referenced this issue Mar 5, 2020
Restore some files and fix minor issues of SGX platform (#144)