Out-of-Bound Memory Write in DataSegment::Drop() #2311

Open
mobsceneZ opened this issue Oct 8, 2023 · 0 comments
Labels: interpreter, sanitizer failures (errors found by sanitizers/fuzzers)

@mobsceneZ

Environment

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Version    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Write Access

Proof of Concept

poc-wasm-interp-02.zip

Stack Trace Provided by AddressSanitizer

$  ~/wabt_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*, wabt::Stream*) /home/lain/wabt_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char**) /home/lain/wabt_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x4845ed in _start (/home/lain/wabt_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING
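The sanitizer reports a WRITE at address 0x8 inside DataSegment::Drop() (interp-inl.h:906), which is consistent with a member store through a null DataSegment pointer rather than with an overrun of a real buffer: the fault address is the member's offset from a null `this`. The following is an added example, not wabt's code and not the reporter's PoC; it is a small hypothetical model of an interpreter's data.drop and memory.init path. It assumes (for illustration only) that a null segment pointer can reach Drop() through an unbound segment slot or an unchecked segment index, and it places the unchecked form next to a checked form that turns the same inputs into a trap. All names (DataSegment, Instance, DataDropChecked, MemoryInitChecked, DemoSequence) and the segment payloads are constructed for this example.

```cpp
// Added example (hypothetical model, not wabt's implementation).
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// A passive data segment as an interpreter might hold it: a pointer to the
// module-owned payload plus a live length that data.drop sets to zero.
struct DataSegment {
  const uint8_t* bytes;
  uint64_t size;
  // If `this` is null, this single store lands at offsetof(DataSegment, size),
  // i.e. a tiny address on the zero page, which is the shape of the ASan report.
  void Drop() { size = 0; }
};

// Constructed payloads (assumption: two passive segments, one unbound slot).
static const uint8_t kSeg0[] = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t kSeg1[] = {0x41, 0x42};

struct Instance {
  std::vector<uint8_t> memory;
  // One slot per data segment; a null slot stands for a segment that was never
  // bound to the instance, one way a null pointer can reach Drop().
  std::vector<std::unique_ptr<DataSegment>> datas;

  // Unchecked form: trusts both the index immediate and the slot, so bad
  // input crashes the host instead of trapping the guest.
  void DataDropUnchecked(uint32_t idx) { datas[idx]->Drop(); }

  // Checked form: validate the index and the slot; on failure return false and
  // describe the trap. Dropping an already-dropped segment is legal and a no-op.
  bool DataDropChecked(uint32_t idx, std::string* trap) {
    if (idx >= datas.size()) { *trap = "data.drop: segment index out of range"; return false; }
    if (!datas[idx]) { *trap = "data.drop: segment not bound"; return false; }
    datas[idx]->Drop();
    return true;
  }

  // memory.init per the bulk-memory rules: check src+len against the live
  // segment size and dst+len against memory before copying. A dropped segment
  // has size 0, so any len > 0 from it traps while len == 0 does not.
  bool MemoryInitChecked(uint32_t idx, uint32_t dst, uint32_t src, uint32_t len,
                         std::string* trap) {
    if (idx >= datas.size() || !datas[idx]) { *trap = "memory.init: bad segment"; return false; }
    const DataSegment& seg = *datas[idx];
    if (uint64_t(src) + len > seg.size) { *trap = "memory.init: out of bounds data segment access"; return false; }
    if (uint64_t(dst) + len > memory.size()) { *trap = "memory.init: out of bounds memory access"; return false; }
    if (len) std::memcpy(memory.data() + dst, seg.bytes + src, len);
    return true;
  }
};

// Builds the demo instance: 64 bytes of memory, segment 0 bound, slot 1
// deliberately left unbound, segment 2 bound.
Instance MakeDemoInstance() {
  Instance inst;
  inst.memory.assign(64, 0);
  inst.datas.push_back(std::make_unique<DataSegment>(DataSegment{kSeg0, sizeof kSeg0}));
  inst.datas.push_back(nullptr);
  inst.datas.push_back(std::make_unique<DataSegment>(DataSegment{kSeg1, sizeof kSeg1}));
  return inst;
}

// Runs a sequence a hostile module could request through the checked path and
// returns how many of the operations trapped (expected: 3).
int DemoSequence() {
  Instance inst = MakeDemoInstance();
  std::string trap;
  int traps = 0;
  traps += !inst.MemoryInitChecked(0, 0, 0, 4, &trap);  // ok: copies 4 bytes
  traps += !inst.DataDropChecked(0, &trap);             // ok: segment 0 now empty
  traps += !inst.MemoryInitChecked(0, 0, 0, 1, &trap);  // trap: dropped segment
  traps += !inst.MemoryInitChecked(0, 0, 0, 0, &trap);  // ok: zero-length init
  traps += !inst.DataDropChecked(1, &trap);             // trap: unbound slot
  traps += !inst.DataDropChecked(7, &trap);             // trap: index past end
  // inst.DataDropUnchecked(1) at this point would be the null write the
  // AddressSanitizer trace above shows; it is intentionally not executed.
  return traps;
}
```

The point of the checked form is that every failure the guest can provoke becomes a trap returned to the caller (the interpreter's equivalent of `RefPtr<Trap>*`), never a host-side fault; the validator should already reject an out-of-range data.drop immediate, so a crash here also suggests checking what the instantiation path stores in the segment slots before the start function runs.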