Memory allocation error in ReadBinaryInterp() causes DoS #2315

Open

goldds96 opened this issue Oct 29, 2023 · 0 comments
Environments

OS : Ubuntu 18.04 5.4.0-150-generic
Commit : e97d53c
Version : 1.0.34

Vulnerability Description

Affected Tool : wasm-interp
Affected Version : <= 1.0.34
Impact : Denial of Service

  • The ReadBinaryInterp function in src/interp/binary-reader-interp.cc in wabt 1.0.34 can cause a denial of service (memory allocation error) via a crafted wasm file.

PoC

1. Input File

wasm-interp-DOS-poc01.zip

2. Reproduce

$ ~/wabt/bin/wasm-interp wasm-interp-DOS-poc01.wasm

3. Stack Trace

$  ~/wabt/bin/wasm-interp wasm-interp-DOS-poc01.wasm
==3917==AddressSanitizer's allocator is terminating the process instead of returning 0
==3917==If you don't like this behavior set allocator_may_return_null=1
==3917==AddressSanitizer CHECK failed: /build/llvm-toolchain-6.0-QjOn7h/llvm-toolchain-6.0-6.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e5935 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/dskim/wabt/bin/wasm-interp+0x4e5935)
    #1 0x5031e5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/dskim/wabt/bin/wasm-interp+0x5031e5)
    #2 0x4ebd26 in __sanitizer::ReportAllocatorCannotReturnNull() (/home/dskim/wabt/bin/wasm-interp+0x4ebd26)
    #3 0x4ebd8d in __sanitizer::ReturnNullOrDieOnFailure::OnOOM() (/home/dskim/wabt/bin/wasm-interp+0x4ebd8d)
    #4 0x4276de in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/dskim/wabt/bin/wasm-interp+0x4276de)
    #5 0x427b27 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/home/dskim/wabt/bin/wasm-interp+0x427b27)
    #6 0x514d5f in operator new(unsigned long) (/home/dskim/wabt/bin/wasm-interp+0x514d5f)
    #7 0x5b18fb in __gnu_cxx::new_allocator<wabt::interp::DataDesc>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
    #8 0x5b18fb in std::allocator_traits<std::allocator<wabt::interp::DataDesc> >::allocate(std::allocator<wabt::interp::DataDesc>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436
    #9 0x5b18fb in std::_Vector_base<wabt::interp::DataDesc, std::allocator<wabt::interp::DataDesc> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172
    #10 0x5b18fb in wabt::interp::DataDesc* std::vector<wabt::interp::DataDesc, std::allocator<wabt::interp::DataDesc> >::_M_allocate_and_copy<std::move_iterator<wabt::interp::DataDesc*> >(unsigned long, std::move_iterator<wabt::interp::DataDesc*>, std::move_iterator<wabt::interp::DataDesc*>) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1260
    #11 0x5b18fb in std::vector<wabt::interp::DataDesc, std::allocator<wabt::interp::DataDesc> >::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:73
    #12 0x596d95 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnDataCount(unsigned int) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:756:17
    #13 0x6f28ce in wabt::(anonymous namespace)::BinaryReader::ReadDataCountSection(unsigned long) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2846:3
    #14 0x6f28ce in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2969
    #15 0x6eef6e in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:3012:3
    #16 0x6eef6e in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:3029
    #17 0x56b7df in wabt::interp::ReadBinaryInterp(std::basic_string_view<char, std::char_traits<char> >, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::vector<wabt::Error, std::allocator<wabt::Error> >*, wabt::interp::ModuleDesc*) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1604:10
    #18 0x51cbdd in ProgramMain(int, char**) /home/dskim/wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:324:3
    #19 0x7f7407598c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x41c929 in _start (/home/dskim/wabt/bin/wasm-interp+0x41c929)
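The stack trace above ends in BinaryReaderInterp::OnDataCount handing the count declared by the module's DataCount section straight to std::vector::reserve, so the allocation size is attacker-controlled before any data segment has been read. The following C++ program is an added example, not code from wabt or from the reporter: it parses the DataCount section of two constructed modules (a crafted one declaring 2^32-1 segments and a benign one declaring 1), shows the value an unchecked reserve would receive, and contrasts it with a hardened loader. The DataDesc struct, the module bytes, kMaxUpfrontReserve and the "count must not exceed the bytes left in the module" check are all assumptions made for illustration; whether or how wabt fixed the issue is not stated on this page.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for wabt::interp::DataDesc. Only its size matters:
// vector::reserve(count) requests count * sizeof(DataDesc) bytes.
struct DataDesc {
  uint32_t memory_index = 0;
  uint32_t offset = 0;
  std::vector<uint8_t> bytes;
};

// Constructed input (assumption, not the PoC from the report): header plus a
// DataCount section (id 12) whose payload is the LEB128 for 0xFFFFFFFF.
static const std::vector<uint8_t> kCraftedModule = {
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,  // "\0asm", version 1
    0x0c, 0x05, 0xff, 0xff, 0xff, 0xff, 0x0f,        // DataCount, size 5, count 2^32-1
};

// Constructed benign module: DataCount = 1, then a Data section (id 11) with
// one active segment (memory 0, offset i32.const 0, one byte "A").
static const std::vector<uint8_t> kBenignModule = {
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
    0x0c, 0x01, 0x01,                                      // DataCount, size 1, count 1
    0x0b, 0x07, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x01, 0x41,  // Data section, 1 segment
};

// Decode an unsigned LEB128 u32 at *pos; false on truncation or >32-bit value.
static bool ReadU32Leb128(const std::vector<uint8_t>& buf, size_t* pos, uint32_t* out) {
  uint32_t result = 0;
  for (unsigned shift = 0; shift < 35; shift += 7) {
    if (*pos >= buf.size()) return false;
    uint8_t byte = buf[(*pos)++];
    if (shift == 28 && (byte & 0x70) != 0) return false;  // bits above 32 set
    result |= static_cast<uint32_t>(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) { *out = result; return true; }
  }
  return false;
}

struct DataCountInfo {
  bool ok = false;         // section table parsed without error
  bool found = false;      // a DataCount section was present
  uint32_t count = 0;      // the value the module declares
  size_t bytes_after = 0;  // module bytes remaining after that section
};

// Walk the section table up to the DataCount section (id 12).
static DataCountInfo FindDataCount(const std::vector<uint8_t>& mod) {
  static const uint8_t kHeader[8] = {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00};
  DataCountInfo info;
  if (mod.size() < 8 || !std::equal(kHeader, kHeader + 8, mod.begin())) return info;
  size_t pos = 8;
  while (pos < mod.size()) {
    uint8_t id = mod[pos++];
    uint32_t size = 0;
    if (!ReadU32Leb128(mod, &pos, &size) || size > mod.size() - pos) return info;
    size_t payload_end = pos + size;
    if (id == 12) {
      if (!ReadU32Leb128(mod, &pos, &info.count) || pos != payload_end) return info;
      info.found = true;
      info.bytes_after = mod.size() - payload_end;
      break;
    }
    pos = payload_end;  // skip sections this example does not inspect
  }
  info.ok = true;
  return info;
}

// The pattern behind the stack trace: the declared count goes straight to
// reserve. For kCraftedModule that is 0xFFFFFFFF * sizeof(DataDesc), well over
// 100 GiB with a 32-byte element. Never call this with an untrusted count;
// under ASan it aborts exactly as in the report.
static size_t ReserveUnchecked(uint32_t declared_count) {
  std::vector<DataDesc> descs;
  descs.reserve(declared_count);
  return descs.capacity();
}

// Hardened form (assumption, not wabt's fix). DataCount must precede the Data
// section and every segment occupies at least one byte, so a count larger than
// the bytes left in the module can never be satisfied: reject it before
// touching the allocator. A cap bounds the up-front reservation even for
// plausible counts; the vector still grows on demand if a real module needs more.
static const size_t kMaxUpfrontReserve = 1u << 16;

static bool AcceptsDataCount(const std::vector<uint8_t>& mod) {
  DataCountInfo info = FindDataCount(mod);
  if (!info.ok) return false;
  if (!info.found) return true;  // nothing to reserve
  if (info.count > info.bytes_after) return false;
  std::vector<DataDesc> descs;
  descs.reserve(std::min<size_t>(info.count, kMaxUpfrontReserve));
  return true;
}

int main() {
  DataCountInfo crafted = FindDataCount(kCraftedModule);
  DataCountInfo benign = FindDataCount(kBenignModule);
  std::printf("crafted: count %u, bytes after section %zu, accepted=%d\n",
              crafted.count, crafted.bytes_after, AcceptsDataCount(kCraftedModule));
  std::printf("benign:  count %u, bytes after section %zu, accepted=%d, capacity=%zu\n",
              benign.count, benign.bytes_after, AcceptsDataCount(kBenignModule),
              ReserveUnchecked(benign.count));
  std::printf("unchecked reserve(%u) would request about %.0f GiB\n", crafted.count,
              crafted.count * static_cast<double>(sizeof(DataDesc)) / (1024.0 * 1024 * 1024));
  return 0;
}
```

The rejection rule deliberately does not depend on any memory limit of the host: it is derived from the module itself, so the same crafted file is rejected identically on a 2 GB build box and a 256 GB server. Capping the reservation on top of that keeps a valid but large count from turning into a large allocation before the segments are actually parsed.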