WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.
Summary
We found a mismatch between the allocation and deallocation of variables in file format.cc while testing one of the harnesses made available in the OSS-Fuzz repository (wasmedge-fuzztool).
Current State
When testing the harness "wasmedge-fuzztool", ASan shows a mismatch in function lld::elf::ELFOptTable::parse() regarding the usage of the functions free()/delete/delete[].
Expected State
Allocated variables should be freed using the most appropriate deallocation function and should not leave memory regions that could potentially lead to undefined behavior when accessed again.
Reproduction steps
To reproduce the error, simply run the given binary, providing the testcase files as input, with a command similar to ./wasmedge-fuzztool /path_to_testcases/input
The program has been tested on the standard Docker image provided by OSS-Fuzz using Ubuntu 20.04, with AFL++ as the fuzzing engine and the build flag --sanitizer=address.
Any logs you want to share for showing the specific issue
==18==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new vs free) on 0x50300001bd60
#0 0x56482e8fc8b6 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f31e222043c in lld::elf::ELFOptTable::parse(llvm::ArrayRef<char const*>) format.cc
#2 0x7f31e21fdef6 in lld::elf::LinkerDriver::linkerMain(llvm::ArrayRef<char const*>) format.cc
#3 0x7f31e21fd60e in lld::elf::link(llvm::ArrayRef<char const*>, bool, llvm::raw_ostream&, llvm::raw_ostream&) format.cc
#4 0x7f31e216ff2f in (anonymous namespace)::outputNativeLibrary(std::__1::__fs::filesystem::path const&, WasmEdge::LLVM::MemoryBuffer const&) /src/WasmEdge/lib/llvm/codegen.cpp:239:16
#5 0x7f31e2168293 in (anonymous namespace)::outputWasmLibrary(WasmEdge::LLVM::Context, std::__1::__fs::filesystem::path const&, cxx20::span<unsigned char const, 18446744073709551615ul>, WasmEdge::LLVM::MemoryBuffer const&) /src/WasmEdge/lib/llvm/codegen.cpp:322:18
#6 0x7f31e2168293 in WasmEdge::LLVM::CodeGen::codegen(cxx20::span<unsigned char const, 18446744073709551615ul>, WasmEdge::LLVM::Data, std::__1::__fs::filesystem::path) /src/WasmEdge/lib/llvm/codegen.cpp:618:22
#7 0x7f31e1a59606 in WasmEdge::Driver::FuzzTool(unsigned char const*, unsigned long) /src/WasmEdge/lib/driver/fuzzTool.cpp:48:34
#8 0x56482e93c429 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#9 0x56482e93c225 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c
#10 0x56482e93bddd in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
#11 0x7f31e12e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#12 0x56482e86178d in _start (/out/wasmedge-fuzztool+0x6f78d)
0x50300001bd60 is located 0 bytes inside of 20-byte region [0x50300001bd60,0x50300001bd74)
allocated by thread T0 here:
#0 0x56482e93996d in operator new(unsigned long) /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
#1 0x7f31dc596104 in llvm::Twine::str[abi:cxx11]() const (/out/libLLVM-12.so.1+0xb96104) (BuildId: 79e1e33c0cb9415733304595f9de1f1acff54805)
#2 0x50800000901f (<unknown module>)
SUMMARY: AddressSanitizer: alloc-dealloc-mismatch /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in free
==18==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==18==ABORTING
Components
Others
WasmEdge Version or Commit you used
Commit hash c096b24
Operating system information
Ubuntu 20.04
Hardware Architecture
x86_64
Compiler flags and options
Compiler: Clang 18
CMake version: 3.29.2
CMake Flags: standard OSS-Fuzz default settings for this project; we also used the build flag --sanitizer=address during our tests.
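As an added example (not code from WasmEdge, lld or the reporter's harness), the following shows the pairing the expected state describes: memory obtained with operator new/new[] must be released with delete/delete[], and memory released with free() must come from malloc. A hypothetical C-style consumer that frees its argument stands in for the lld code path; the mismatched variant is compiled only when SHOW_MISMATCH is defined so the same ASan report class can be reproduced deliberately.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
#include <new>
#include <string>

// Hypothetical C-style consumer (an assumption for this example): it takes
// ownership of a NUL-terminated buffer and releases it with free(), so it may
// only ever be handed memory that came from malloc/calloc/realloc.
static std::size_t consume_and_free(char *owned) {
    std::size_t n = std::strlen(owned);
    std::free(owned);
    return n;
}

// Mismatched pairing: the buffer comes from operator new[], but the consumer
// releases it with free(). This is the alloc-dealloc-mismatch class ASan
// reports and is undefined behaviour, so it is only compiled on request.
#ifdef SHOW_MISMATCH
static std::size_t mismatched_handoff(const std::string &s) {
    char *buf = new char[s.size() + 1];
    std::memcpy(buf, s.c_str(), s.size() + 1);
    return consume_and_free(buf); // ASan: alloc-dealloc-mismatch (operator new [] vs free)
}
#endif

// Correct pairing: copy the C++ string (which owns operator-new memory, as a
// std::string does) into malloc'd storage before handing ownership to the
// C-style consumer, so the eventual free() matches the malloc().
static char *dup_for_c(const std::string &s) {
    char *buf = static_cast<char *>(std::malloc(s.size() + 1));
    if (buf == nullptr) throw std::bad_alloc();
    std::memcpy(buf, s.c_str(), s.size() + 1);
    return buf;
}

static std::size_t correct_handoff(const std::string &s) {
    return consume_and_free(dup_for_c(s));
}

// When C-allocated memory stays on the C++ side, bind its release to free()
// through a custom deleter so RAII cannot pick the wrong deallocator.
struct FreeDeleter {
    void operator()(void *p) const noexcept { std::free(p); }
};
using CBuffer = std::unique_ptr<char, FreeDeleter>;

static std::size_t owned_c_buffer_len(const std::string &s) {
    CBuffer buf(dup_for_c(s));
    return std::strlen(buf.get());
}

int main() {
    const std::string arg = "--shared"; // constructed sample input
    std::size_t expected = 2 * arg.size();
    std::size_t n = correct_handoff(arg) + owned_c_buffer_len(arg);
#ifdef SHOW_MISMATCH
    expected += arg.size(); // only reached if ASan is not enabled
    n += mismatched_handoff(arg);
#endif
    return n == expected ? 0 : 1;
}
```

Building with `clang++ -fsanitize=address -DSHOW_MISMATCH example.cpp` produces an alloc-dealloc-mismatch report of the same kind as the log above (operator new [] vs free); without the define, every allocation is released by its matching deallocator and ASan stays quiet.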
Hi. It looks like a false positive issue, and the error occurs in the lld component.
WasmEdge has nothing to do with this. If you believe this is an error, please create an issue for lld.