search

WebAssembly / wabt

The WebAssembly Binary Toolkit
Apache License 2.0
6.86k stars 699 forks source link

SEGV in wabt::Decompiler::WrapChild #1990

Open Q1IQ opened 2 years ago

Q1IQ commented 2 years ago

Environment

OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : 3054d61f703d609995798f872fc86b462617c294
Version : 1.0.29
Build   : make clang-debug-asan

Proof of concept

poc-3.wasm.zip

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1814123==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe8 (pc 0x7f12f2723bfe bp 0x7ffe034681e0 sp 0x7ffe03467e18 T0)
==1814123==The signal is caused by a READ memory access.
    #0 0x7f12f2723bfe in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe)
    #1 0x609269 in wabt::Decompiler::WrapChild(wabt::Decompiler::Value&, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:125:18
    #2 0x619663 in wabt::Decompiler::BracketIfNeeded(wabt::Decompiler::Value&, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:143:11
    #3 0x60ce08 in wabt::Decompiler::WrapBinary(std::vector<wabt::Decompiler::Value, std::allocator<wabt::Decompiler::Value>>&, std::basic_string_view<char, std::char_traits<char>>, bool, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:153:5
    #4 0x5cfb8b in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:473:16
    #5 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #6 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #8 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #9 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
    #10 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
    #11 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
    #12 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
    #13 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
    #14 0x7f12f2272082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long)
==1814123==ABORTING
rathann commented 1 year ago

This is CVE-2023-27119.