Segmentation fault in wasm_dis at p/wasm/wasm.c:1112 #21363

Closed
Q1IQ opened this issue Feb 20, 2023 · 1 comment
Q1IQ commented Feb 20, 2023

Description

When parsing the wasm file with r2, using the pd command may result in a segmentation fault, because NULL was incorrectly passed to strdup.

Environment

# date
Mon Feb 20 02:38:13 AKST 2023
# r2 -v
radare2 5.8.3 0 @ linux-x86-64 git.5.8.3
commit: 5.8.3 build: 2023-02-16__23:25:48
# uname -ms
Linux x86_64

Commit : 39f4292

Proof of concept

poc.wasm

Stack dump

pwndbg> r /pwn/poc.wasm
Starting program: /usr/local/bin/r2 /pwn/poc.wasm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ERROR: unknown section id: 13
ERROR: unknown section id: 109
 -- Check your IO plugins with 'r2 -L'
[0x000000be]> pd

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
pwndbg> context
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
 RAX  0x0
*RBX  0x555555555640 (__libc_csu_init) ◂— endbr64
 RCX  0x0
 RDX  0x0
 RDI  0x0
*RSI  0x555555680729 ◂— 0x1000005555550000
*R8   0x7ffff6df5852 (wasm_decode) ◂— endbr64
*R9   0x1f
*R10  0x555555559010 ◂— 0x6000700070007
*R11  0x7ffff7d95be0 (main_arena+96) —▸ 0x55555582bd80 ◂— 0x0
*R12  0x5555555551c0 (_start) ◂— endbr64
*R13  0x7fffffffe6d0 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x0
*RSP  0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
*RIP  0x7ffff7d316e5 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
 ► 0x7ffff7d316e5 <__strlen_avx2+21>     vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
   0x7ffff7d316e9 <__strlen_avx2+25>     vpmovmskb eax, ymm1
   0x7ffff7d316ed <__strlen_avx2+29>     test   eax, eax
   0x7ffff7d316ef <__strlen_avx2+31>     jne    __strlen_avx2+272                <__strlen_avx2+272>
    ↓
   0x7ffff7d317e0 <__strlen_avx2+272>    tzcnt  eax, eax
   0x7ffff7d317e4 <__strlen_avx2+276>    add    rax, rdi
   0x7ffff7d317e7 <__strlen_avx2+279>    sub    rax, rdx
   0x7ffff7d317ea <__strlen_avx2+282>    vzeroupper
   0x7ffff7d317ed <__strlen_avx2+285>    ret

   0x7ffff7d317ee <__strlen_avx2+286>    nop
   0x7ffff7d317f0 <__strlen_avx2+288>    tzcnt  eax, eax
────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
01:0008│     0x7fffffffcb50 —▸ 0x555555680729 ◂— 0x1000005555550000
02:0010│     0x7fffffffcb58 —▸ 0x7fffffffcca0 —▸ 0x7fffffffcd00 —▸ 0x7fffffffcd40 —▸ 0x7fffffffcda0 ◂— ...
03:0018│     0x7fffffffcb60 —▸ 0x5555555551c0 (_start) ◂— endbr64
04:0020│     0x7fffffffcb68 —▸ 0x7ffff6df4574 (wasm_dis+4394) ◂— mov rdx, rax
05:0028│     0x7fffffffcb70 ◂— 0x0
06:0030│     0x7fffffffcb78 —▸ 0x7ffff7d95b80 (main_arena) ◂— 0x0
07:0038│     0x7fffffffcb80 —▸ 0x555555782140 ◂— '       dd '
──────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7d316e5 __strlen_avx2+21
   f 1   0x7ffff7c48383 strdup+19
   f 2   0x7ffff6df4574 wasm_dis+4394
   f 3   0x7ffff6df5906 wasm_decode+180
   f 4   0x7ffff6da22dd r_arch_decode+136
   f 5   0x7ffff64ed2e1 r_anal_op+580
   f 6   0x7ffff7827c22 r_core_print_disasm+2478
   f 7   0x7ffff7772b54 cmd_print+15553
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007ffff7c48383 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff6df4574 in wasm_dis (op=0x7fffffffcce0, buf=0x555555680630 "\375\240\001\375d\v", buf_len=249, txt=true) at p/wasm/wasm.c:1112
#3  0x00007ffff6df5906 in wasm_decode (s=0x555555677b10, op=0x555555781c10, mask=R_ARCH_OP_MASK_ALL) at p/wasm/plugin.c:366
#4  0x00007ffff6da22dd in r_arch_decode (a=0x55555559a320, op=0x555555781c10, mask=31) at arch.c:225
#5  0x00007ffff64ed2e1 in r_anal_op (anal=0x55555559c910, op=0x555555781c10, addr=197, data=0x555555559937 "\375\240\001\375d\v", len=249, mask=R_ARCH_OP_MASK_ALL) at op.c:113
#6  0x00007ffff7827c22 in r_core_print_disasm (core=0x7ffff5dea010, addr=190, buf=0x555555559930 "A\205\376\377w\375\017\375\240\001\375d\v", len=256, count=64, pdu_condition_type=pdu_instruction, pdu_condition=0x0, count_bytes=false, json=false, pj=0x0, pdf=0x0) at disasm.c:5727
#7  0x00007ffff7772b54 in cmd_print (data=0x7ffff5dea010, input=0x55555574ff61 "d") at cmd_print.c:6708
#8  0x00007ffff77ef9dc in r_cmd_call (cmd=0x5555555e6ff0, input=0x55555574ff60 "pd") at cmd_api.c:520
#9  0x00007ffff778ca90 in r_core_cmd_subst_i (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd", colon=0x0, tmpseek=0x7fffffffe114) at cmd.c:4930
#10 0x00007ffff77882cb in r_core_cmd_subst (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd") at cmd.c:3760
#11 0x00007ffff778fcd2 in run_cmd_depth (core=0x7ffff5dea010, cmd=0x55555574ef30 "pd") at cmd.c:5829
#12 0x00007ffff779017b in r_core_cmd (core=0x7ffff5dea010, cstr=0x55555574eef0 "pd", log=true) at cmd.c:5913
#13 0x00007ffff76ab199 in r_core_prompt_exec (r=0x7ffff5dea010) at core.c:3556
#14 0x00007ffff76aa6ea in r_core_prompt_loop (r=0x7ffff5dea010) at core.c:3374
#15 0x00007ffff7dc7c9f in r_main_radare2 (argc=2, argv=0x7fffffffe6d8) at radare2.c:1700
#16 0x0000555555555638 in main (argc=2, argv=0x7fffffffe6d8) at radare2.c:104
#17 0x00007ffff7bcd083 in __libc_start_main (main=0x5555555555e0 <main>, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8) at ../csu/libc-start.c:308
#18 0x00005555555551ee in _start ()

Credit

Q1IQ(@Q1IQ)
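The crash in the trace above is glibc's strdup calling strlen on a NULL pointer: the disassembler looked up a name for an opcode it did not recognize, got NULL back, and duplicated it without checking. The added example below is not radare2 code and does not reproduce the wasm plugin; it is a constructed illustration of the defensive pattern that prevents this class of fault. `lookup_name`, `safe_strdup` and `decode_name` are hypothetical names, and the id-to-name table is made up for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical lookup that maps a numeric id to a mnemonic, in the style of
 * a disassembler's opcode table. Unknown ids yield NULL, which is exactly
 * the value that must never reach strdup(). The table is constructed. */
static const char *lookup_name(int id) {
    switch (id) {
    case 0:  return "custom";
    case 1:  return "type";
    case 2:  return "import";
    default: return NULL;   /* unknown id: no name available */
    }
}

/* NULL-safe duplicate. strdup(NULL) is undefined behaviour and in glibc
 * faults inside strlen (__strlen_avx2 in the reported trace). When the
 * source is NULL, duplicate the caller-supplied fallback instead. */
static char *safe_strdup(const char *s, const char *fallback) {
    const char *src = s ? s : fallback;
    size_t len = strlen(src) + 1;
    char *out = malloc(len);
    if (out) {
        memcpy(out, src, len);
    }
    return out;
}

/* Decode helper: writes a heap-allocated mnemonic (or the placeholder
 * "invalid" for unknown ids) into *out and reports whether the id was
 * known. The caller frees *out. */
int decode_name(int id, char **out) {
    const char *name = lookup_name(id);
    *out = safe_strdup(name, "invalid");
    return name != NULL;
}
```

The two checks that matter are the NULL test before any string function touches the looked-up pointer, and returning an explicit "unknown" status so the caller can stop or mark the instruction invalid rather than continuing on a placeholder it did not expect.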

trufae (Collaborator)

trufae commented Feb 20, 2023

thanks!
