
Multiple heap-buffer-overflow vulnerabilities in interpret #17

Open
haruki3hhh opened this issue Mar 5, 2024 · 7 comments

Comments

@haruki3hhh

haruki3hhh commented Mar 5, 2024

Vuln-1

Version

385e13c

Compile

CFLAGS="-g -fsanitize=address" make

ASAN Report

root@9dc6ce043bcb:~/Ablation/wac-asan# ./wace ../wasm-fuzz/fuzz_out_wac/crashes/id\:000000\,sig\:11\,src\:000236\,op\:python\,pos\:0 
=================================================================
==2066617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3b0046f at pc 0x5664afca bp 0xffcf5ae8 sp 0xffcf5ad8
WRITE of size 1 at 0xf3b0046f thread T0
    #0 0x5664afc9 in interpret /root/Ablation/wac-asan/wa.c:993
    #1 0x56658459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x5665a0e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf7387ed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x5663d704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf3b0046f is located 1 bytes to the left of 1-byte region [0xf3b00470,0xf3b00471)
allocated by thread T0 here:
    #0 0xf79da9f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x56659299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x566562b4 in load_module /root/Ablation/wac-asan/wa.c:1708
    #3 0x5665a0e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf7387ed4 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Ablation/wac-asan/wa.c:993 in interpret
Shadow bytes around the buggy address:
  0x3e760030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760060: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa
  0x3e760070: fa fa 01 fa fa fa 00 04 fa fa 00 04 fa fa 06 fa
=>0x3e760080: fa fa fd fd fa fa 07 fa fa fa fd fd fa[fa]01 fa
  0x3e760090: fa fa 04 fa fa fa 01 fa fa fa 01 fa fa fa 04 fa
  0x3e7600a0: fa fa 00 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x3e7600b0: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 01
  0x3e7600c0: fa fa 00 02 fa fa 00 04 fa fa 00 07 fa fa 00 07
  0x3e7600d0: fa fa 00 00 fa fa 00 00 fa fa 00 07 fa fa 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2066617==ABORTING

Reproduce

./wace <PoC>

PoC

PoC

@haruki3hhh haruki3hhh changed the title heap-buffer-overflow in interpret Multiple heap-buffer-overflow in interpret Mar 5, 2024
@haruki3hhh haruki3hhh changed the title Multiple heap-buffer-overflow in interpret Multiple heap-buffer-overflow vulnerabilities in interpret Mar 5, 2024
@haruki3hhh (Author)

Vuln-2

Version

385e13c

Compile

CFLAGS="-g -fsanitize=address" make

ASAN Report

root@9dc6ce043bcb:~/Ablation/wac-asan# ./wace ../wasm-fuzz/fuzz_out_wac/crashes/id\:000001\,sig\:11\,src\:000236\,op\:python\,pos\:0 
=================================================================
==2258725==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf28ee774 at pc 0x566038d5 bp 0xffa93578 sp 0xffa93568
READ of size 12 at 0xf28ee774 thread T0
    #0 0x566038d4 in interpret /root/Ablation/wac-asan/wa.c:860
    #1 0x56613459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x566150e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf742aed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x565f8704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf28ee774 is located 140 bytes to the left of 1114228-byte region [0xf28ee800,0xf29fe874)
allocated by thread T0 here:
    #0 0xf7a7d9f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x56614299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x5660e2ee in load_module /root/Ablation/wac-asan/wa.c:1455
    #3 0x566150e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf742aed4 in __libc_start_main ../csu/libc-start.c:308

Reproduce

./wace <PoC>

PoC

PoC

@haruki3hhh (Author)

haruki3hhh commented Mar 7, 2024

Version

385e13c

Compile

CFLAGS="-g -fsanitize=address" make

ASAN report

==12882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf27ee7b4 at pc 0x5657ee92 bp 0xfffbf918 sp 0xfffbf908
READ of size 4 at 0xf27ee7b4 thread T0
    #0 0x5657ee91 in interpret /root/Ablation/wac-asan/wa.c:1380
    #1 0x56585459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x565870e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf7381ed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x5656a704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf27ee7b4 is located 76 bytes to the left of 1114228-byte region [0xf27ee800,0xf28fe874)
allocated by thread T0 here:
    #0 0xf79d49f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x56586299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x565802ee in load_module /root/Ablation/wac-asan/wa.c:1455
    #3 0x565870e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf7381ed4 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Ablation/wac-asan/wa.c:1380 in interpret

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000170%2Csig%3A11%2Csrc%3A000650%2Cop%3Apython%2Cpos%3A0

@haruki3hhh (Author)

haruki3hhh commented Mar 7, 2024

Version

385e13c

Compile

CFLAGS="-g -fsanitize=address" make

ASAN report

=================================================================
==15707==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf214f064 at pc 0x5661314a bp 0xffc7e398 sp 0xffc7e388
READ of size 4 at 0xf214f064 thread T0
    #0 0x56613149 in interpret /root/Ablation/wac-asan/wa.c:706
    #1 0x56624459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x566260e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf7425ed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x56609704 in _start (/root/Ablation/wac-asan/wace+0x3704)

Address 0xf214f064 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Ablation/wac-asan/wa.c:706 in interpret

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000090%2Csig%3A11%2Csrc%3A001005%2Cop%3Apython%2Cpos%3A0

@haruki3hhh (Author)

Version

385e13c

Compile

CFLAGS="-g -fsanitize=address" make

ASAN report

root@9dc6ce043bcb:~/Ablation/wasm-fuzz/fuzz_out_wac/crashes# ./wace id:000070,sig:11,src:000820,op:python,pos:0
=================================================================
==17247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3c004ee at pc 0x566333bc bp 0xffea6808 sp 0xffea67f8
READ of size 8 at 0xf3c004ee thread T0
    #0 0x566333bb in interpret /root/Ablation/wac-asan/wa.c:925
    #1 0x56642459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x566440e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf7461ed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x56627704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf3c004ee is located 2 bytes to the left of 4-byte region [0xf3c004f0,0xf3c004f4)
allocated by thread T0 here:
    #0 0xf7ab49f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x56643299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x5663dda6 in load_module /root/Ablation/wac-asan/wa.c:1515
    #3 0x566440e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf7461ed4 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Ablation/wac-asan/wa.c:925 in interpret

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000070%2Csig%3A11%2Csrc%3A000820%2Cop%3Apython%2Cpos%3A0

@haruki3hhh (Author)

ASAN report

=================================================================
==22338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf27ee798 at pc 0x5657218c bp 0xffdd4718 sp 0xffdd4708
READ of size 12 at 0xf27ee798 thread T0
    #0 0x5657218b in interpret /root/Ablation/wac-asan/wa.c:832
    #1 0x56582459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x565840e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf73bced4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x56567704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf27ee798 is located 104 bytes to the left of 1114228-byte region [0xf27ee800,0xf28fe874)
allocated by thread T0 here:
    #0 0xf7a0f9f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x56583299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x5657d2ee in load_module /root/Ablation/wac-asan/wa.c:1455
    #3 0x565840e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf73bced4 in __libc_start_main ../csu/libc-start.c:308

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000030%2Csig%3A11%2Csrc%3A000539%2Cop%3Apython%2Cpos%3A0

@haruki3hhh (Author)

ASAN report

==23102==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf28ee574 at pc 0x5659d10e bp 0xff9a2ac8 sp 0xff9a2ab8
READ of size 4 at 0xf28ee574 thread T0
    #0 0x5659d10d in interpret /root/Ablation/wac-asan/wa.c:1168
    #1 0x565a7459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x565a90e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf740ced4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x5658c704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf28ee574 is located 652 bytes to the left of 1114228-byte region [0xf28ee800,0xf29fe874)
allocated by thread T0 here:
    #0 0xf7a5f9f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x565a8299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x565a22ee in load_module /root/Ablation/wac-asan/wa.c:1455
    #3 0x565a90e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf740ced4 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Ablation/wac-asan/wa.c:1168 in interpret

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000025%2Csig%3A11%2Csrc%3A000510%2Cop%3Apython%2Cpos%3A0

@haruki3hhh (Author)

ASAN report

=================================================================
==25147==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3b00493 at pc 0x565de1e5 bp 0xffa4f628 sp 0xffa4f618
READ of size 2 at 0xf3b00493 thread T0
    #0 0x565de1e4 in interpret /root/Ablation/wac-asan/wa.c:947
    #1 0x565ec459 in load_module /root/Ablation/wac-asan/wa.c:1911
    #2 0x565ee0e9 in main /root/Ablation/wac-asan/wace.c:64
    #3 0xf737fed4 in __libc_start_main ../csu/libc-start.c:308
    #4 0x565d1704 in _start (/root/Ablation/wac-asan/wace+0x3704)

0xf3b00494 is located 0 bytes to the right of 4-byte region [0xf3b00490,0xf3b00494)
allocated by thread T0 here:
    #0 0xf79d29f7 in __interceptor_calloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x565ed299 in acalloc /root/Ablation/wac-asan/platform_libc.c:16
    #2 0x565ea0f7 in load_module /root/Ablation/wac-asan/wa.c:1694
    #3 0x565ee0e9 in main /root/Ablation/wac-asan/wace.c:64
    #4 0xf737fed4 in __libc_start_main ../csu/libc-start.c:308

Reproduce

./wace https://github.com/haruki3hhh/fuzzing/blob/main/wac/id%3A000145%2Csig%3A11%2Csrc%3A000666%2Cop%3Apython%2Cpos%3A0
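The reports above all share one shape: `interpret` reads or writes a few bytes just outside (mostly to the left of) a region that `load_module` obtained from `acalloc`, on a 32-bit build, driven by fuzzer-mutated module bytes. The example below is added here as an illustration of that bug class and is not wac's code; it does not claim to be the exact cause at any of the `wa.c` lines cited. The `LinearMemory` type, `mem_in_bounds`, `mem_load`/`mem_store` and the sample accesses are all constructed for this example. It shows the unchecked effective-address pattern that turns attacker-controlled operands into a wrapped pointer before or after a calloc'd region, beside an overflow-safe bounds check that traps instead of dereferencing.

```c
/* Added example, not wac's code: a minimal WebAssembly-style linear
 * memory with the unchecked effective-address pattern that produces
 * heap-buffer-overflow reads/writes of the kind ASan reported above,
 * beside an overflow-safe bounds check. LinearMemory, mem_in_bounds,
 * mem_load/mem_store and the sample accesses are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WASM_PAGE 65536u

enum { TRAP_NONE = 0, TRAP_OOB = 1 };

typedef struct {
    uint8_t *bytes;   /* heap region, as a calloc'd memory would be */
    uint32_t size;    /* current size in bytes (pages * WASM_PAGE) */
} LinearMemory;

static int linmem_init(LinearMemory *m, uint32_t pages) {
    if (pages == 0 || pages > UINT32_MAX / WASM_PAGE) return -1;
    m->size = pages * WASM_PAGE;
    m->bytes = calloc(m->size, 1);
    return m->bytes ? 0 : -1;
}

/* The pattern that goes wrong: the address operand popped from the
 * operand stack and the instruction's immediate offset are simply
 * added. Both come from untrusted module bytes, so the sum can wrap,
 * and on a 32-bit build (as in the reports above) bytes + ea then
 * points before the allocation rather than after it. Nothing here
 * dereferences the result; it only exposes the wrapped value. */
static uint32_t effective_address_unchecked(uint32_t base, uint32_t offset) {
    return base + offset;  /* wraps modulo 2^32 */
}

/* Hardened check: accept [base+offset, base+offset+width) only if it
 * lies inside [0, size). Every comparison is against a difference
 * already known to be non-negative, so no intermediate sum can
 * overflow, in 32-bit and 64-bit builds alike. */
static int mem_in_bounds(const LinearMemory *m, uint32_t base, uint32_t offset, uint32_t width) {
    if (base > m->size) return 0;
    if (offset > m->size - base) return 0;
    if (width > m->size - base - offset) return 0;
    return 1;
}

/* Little-endian load of 1..8 bytes; traps instead of touching memory
 * outside the region. */
static int mem_load(const LinearMemory *m, uint32_t base, uint32_t offset, uint32_t width, uint64_t *out) {
    if (width == 0 || width > 8 || !mem_in_bounds(m, base, offset, width)) return TRAP_OOB;
    uint64_t v = 0;
    for (uint32_t i = 0; i < width; i++) v |= (uint64_t)m->bytes[base + offset + i] << (8 * i);
    *out = v;
    return TRAP_NONE;
}

/* Little-endian store of 1..8 bytes with the same check. */
static int mem_store(LinearMemory *m, uint32_t base, uint32_t offset, uint32_t width, uint64_t v) {
    if (width == 0 || width > 8 || !mem_in_bounds(m, base, offset, width)) return TRAP_OOB;
    for (uint32_t i = 0; i < width; i++) m->bytes[base + offset + i] = (uint8_t)(v >> (8 * i));
    return TRAP_NONE;
}

int main(void) {
    LinearMemory m;
    if (linmem_init(&m, 1) != 0) return 1;
    /* Constructed accesses in the shape a fuzzer produces: the first is
     * the last valid 4-byte slot, the rest wrap or run past the end. */
    struct { uint32_t base, offset, width; } cases[] = {
        { 65532u, 0u, 4u },
        { 65533u, 0u, 4u },
        { 0xFFFFFFFCu, 8u, 4u },     /* unchecked ea wraps to 4 */
        { 100u, 0xFFFFFF9Cu, 4u },   /* unchecked ea wraps to 0 */
        { 0u, 0xFFFFFFFFu, 1u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t v;
        int rc = mem_load(&m, cases[i].base, cases[i].offset, cases[i].width, &v);
        printf("base=%#x offset=%#x width=%u unchecked_ea=%#x -> %s\n",
               (unsigned)cases[i].base, (unsigned)cases[i].offset, (unsigned)cases[i].width,
               (unsigned)effective_address_unchecked(cases[i].base, cases[i].offset),
               rc == TRAP_NONE ? "ok" : "trap");
    }
    free(m.bytes);
    return 0;
}
```

The point of the three-step comparison in `mem_in_bounds` is that a naive `base + offset + width <= size` is itself an overflow: with 32-bit operands the wrapped `0xFFFFFFFC + 8` compares as 4 and passes. Checking against `size - base` and then `size - base - offset` keeps every operand in range, and the interpreter's load/store handlers only ever touch memory after the check has returned true.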
