
WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.
https://WasmEdge.org
Apache License 2.0

Allocation-deallocation mismatch bug in function `lld::elf::ELFOptTable::parse()` #3727

Closed skorpion98 closed 1 month ago

skorpion98 commented 1 month ago

Summary

We found a mismatch between the allocation and deallocation of variables in file `format.cc` while testing one of the harnesses made available on the OSS-Fuzz repository (wasmedge-fuzztool).

Current State

When testing the harness "wasmedge-fuzztool", ASan shows a mismatch in function `lld::elf::ELFOptTable::parse()` regarding the usage of the functions `free()`/`delete`/`delete[]`.

Expected State

Allocated variables should be freed using the most appropriate deallocation function and should not leave memory regions that could potentially lead to undefined behavior when accessed again.

Reproduction steps

In the attached archive you will find:

To reproduce the error, simply run the given binary by providing the testcase files as input, with a command similar to `./wasmedge-fuzztool /path_to_testcases/input`

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, with AFL++ as the fuzzing engine and the build flag `--sanitizer=address`.

Any logs you want to share for showing the specific issue

```text
==18==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new vs free) on 0x50300001bd60
    #0 0x56482e8fc8b6 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f31e222043c in lld::elf::ELFOptTable::parse(llvm::ArrayRef<char const*>) format.cc
    #2 0x7f31e21fdef6 in lld::elf::LinkerDriver::linkerMain(llvm::ArrayRef<char const*>) format.cc
    #3 0x7f31e21fd60e in lld::elf::link(llvm::ArrayRef<char const*>, bool, llvm::raw_ostream&, llvm::raw_ostream&) format.cc
    #4 0x7f31e216ff2f in (anonymous namespace)::outputNativeLibrary(std::__1::__fs::filesystem::path const&, WasmEdge::LLVM::MemoryBuffer const&) /src/WasmEdge/lib/llvm/codegen.cpp:239:16
    #5 0x7f31e2168293 in (anonymous namespace)::outputWasmLibrary(WasmEdge::LLVM::Context, std::__1::__fs::filesystem::path const&, cxx20::span<unsigned char const, 18446744073709551615ul>, WasmEdge::LLVM::MemoryBuffer const&) /src/WasmEdge/lib/llvm/codegen.cpp:322:18
    #6 0x7f31e2168293 in WasmEdge::LLVM::CodeGen::codegen(cxx20::span<unsigned char const, 18446744073709551615ul>, WasmEdge::LLVM::Data, std::__1::__fs::filesystem::path) /src/WasmEdge/lib/llvm/codegen.cpp:618:22
    #7 0x7f31e1a59606 in WasmEdge::Driver::FuzzTool(unsigned char const*, unsigned long) /src/WasmEdge/lib/driver/fuzzTool.cpp:48:34
    #8 0x56482e93c429 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x56482e93c225 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x56482e93bddd in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
    #11 0x7f31e12e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #12 0x56482e86178d in _start (/out/wasmedge-fuzztool+0x6f78d)

0x50300001bd60 is located 0 bytes inside of 20-byte region [0x50300001bd60,0x50300001bd74)
allocated by thread T0 here:
    #0 0x56482e93996d in operator new(unsigned long) /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0x7f31dc596104 in llvm::Twine::str[abi:cxx11]() const (/out/libLLVM-12.so.1+0xb96104) (BuildId: 79e1e33c0cb9415733304595f9de1f1acff54805)
    #2 0x50800000901f  (<unknown module>)

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in free
==18==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==18==ABORTING
```

Components

Others

WasmEdge Version or Commit you used

Commit hash c096b24

Operating system information

Ubuntu 20.04

Hardware Architecture

x86_64

Compiler flags and options

Compiler: Clang 18
CMake version: 3.29.2
CMake Flags: Standard OSS-Fuzz default settings for this project; we also used the build flag `--sanitizer=address` during our tests.

hydai commented 1 month ago

Hi. It looks like a false positive issue, and the error occurs in the lld component. WasmEdge has nothing to do with this. If you believe this is an error, please create an issue for lld.
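As an added example (not part of the issue thread or of the WasmEdge code base), the triage step the maintainer applied can be automated: parse the ASan alloc-dealloc-mismatch report, classify each frame of the freeing and allocating stacks by owning component using the OSS-Fuzz `/src/<project>` source layout, and check whether either stack's first non-runtime frame is in the project. The embedded report is a constructed excerpt of the one quoted above, and the component-classification rules are assumptions for this illustration.

```python
import re

# Constructed excerpt of the ASan report quoted in the issue (frames trimmed, addresses kept).
SAMPLE_REPORT = """\
==18==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new vs free) on 0x50300001bd60
    #0 0x56482e8fc8b6 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f31e222043c in lld::elf::ELFOptTable::parse(llvm::ArrayRef<char const*>) format.cc
    #4 0x7f31e216ff2f in (anonymous namespace)::outputNativeLibrary(std::__1::__fs::filesystem::path const&, WasmEdge::LLVM::MemoryBuffer const&) /src/WasmEdge/lib/llvm/codegen.cpp:239:16
allocated by thread T0 here:
    #0 0x56482e93996d in operator new(unsigned long) /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0x7f31dc596104 in llvm::Twine::str[abi:cxx11]() const (/out/libLLVM-12.so.1+0xb96104) (BuildId: 79e1e33c0cb9415733304595f9de1f1acff54805)
    #2 0x50800000901f  (<unknown module>)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) \((.+?)\)")
# Frame: "#N 0xADDR [in FUNC] LOC"; LOC is a path:line:col, a bare file, "(module+0xoff) [(BuildId: ..)]"
# or "(<unknown module>)". FUNC is matched lazily because C++ signatures contain spaces.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+0x[0-9a-f]+(?:\s+in\s+(?P<func>.*?))?\s+"
    r"(?P<loc>\(\S+\+0x[0-9a-f]+\)(?: \(BuildId: [0-9a-f]+\))?|\(<unknown module>\)|\S+)$")

def owner(func, loc):
    """Assumed classification: ASan interceptors, the project under test, everything else."""
    if loc.startswith("/src/llvm-project/compiler-rt/"):
        return "asan-runtime"
    if loc.startswith("/src/WasmEdge/") or func.startswith("WasmEdge::"):
        return "project"
    return "third-party"   # lld/llvm sources, libLLVM*.so, libc, unknown modules

def parse_stacks(report):
    """Return (mismatch kind, dealloc frames, alloc frames); a frame is (owner, func, loc)."""
    kind, stacks, cur = None, ([], []), 0
    for line in report.splitlines():
        if m := ERROR_RE.search(line):
            kind = m.group(2)                      # e.g. "operator new vs free"
        elif line.startswith("allocated by thread"):
            cur = 1                                # frames from here on belong to the alloc stack
        elif m := FRAME_RE.match(line):
            func = m.group("func") or "?"
            stacks[cur].append((owner(func, m.group("loc")), func, m.group("loc")))
    return kind, stacks[0], stacks[1]

def triage(report):
    """Name the first non-runtime frame of each stack and decide whether the bug is ours."""
    kind, dealloc, alloc = parse_stacks(report)
    first = lambda fr: next((f for f in fr if f[0] != "asan-runtime"), ("?", "?", "?"))
    d, a = first(dealloc), first(alloc)
    entered = next((f[2] for f in dealloc if f[0] == "project"), None)  # where our code called in
    ours = "project" in {d[0], a[0]}
    return {"kind": kind, "freed_in": d[1], "allocated_in": a[1], "entered_from": entered,
            "verdict": "project bug" if ours else "third-party: report upstream"}
```

For the quoted report, both the freeing frame (`lld::elf::ELFOptTable::parse`) and the allocating frame (`llvm::Twine::str`) resolve to third-party code entered from `/src/WasmEdge/lib/llvm/codegen.cpp:239:16`, which is the basis for filing it against lld rather than WasmEdge.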