bytecodealliance / wasm-micro-runtime

WebAssembly Micro Runtime (WAMR)
Apache License 2.0

Heap Buffer Overflow inside "reserve_block_ret" Function #3513

Closed mobsceneZ closed 3 months ago

mobsceneZ commented 3 months ago

Subject of the issue

Running the CLI iwasm with the given testcase results in segmentation fault, which is caused by heap buffer overflow.

Test case

iwasm-poc-04.zip

Your environment

OS               : Linux 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Commit           : 028f43bc18494866c44666e54e9c5a2cd84152f5
Version          : 2.1.0
Clang Version    : 13.0.0
Affected Tool    : iwasm
Enabled Features : Bulk Memory, Reference Types

Steps to reproduce

Build            : cd product-mini/platforms/linux/ && mkdir -p build && cd build && export CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" && cmake -DWAMR_BUILD_BULK_MEMORY=1 -DWAMR_BUILD_REF_TYPES=1 .. && make -j
Command          : iwasm -f main iwasm-poc-04

Expected behavior

The program should exit gracefully with possibly some error information.

Actual behavior

Here is the stack trace provided by AddressSanitizer:

=================================================================
==20090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000019e at pc 0x55f0501e20fb bp 0x7ffd6c52f960 sp 0x7ffd6c52f958
READ of size 2 at 0x60600000019e thread T0
    #0 0x55f0501e20fa in reserve_block_ret /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:9754:41
    #1 0x55f0501c1b98 in wasm_loader_prepare_bytecode /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:11622:17
    #2 0x55f0501acc10 in load_from_sections /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6130:14
    #3 0x55f0501b02c5 in load /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6536:13
    #4 0x55f0501b02c5 in wasm_loader_load /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6713:10
    #5 0x55f050145f57 in wasm_runtime_load_ex /home/lain/wamr/core/iwasm/common/wasm_runtime_common.c:1353:33
    #6 0x55f0501462b0 in wasm_runtime_load /home/lain/wamr/core/iwasm/common/wasm_runtime_common.c:1398:12
    #7 0x55f050141248 in main /home/lain/wamr/product-mini/platforms/linux/../posix/main.c:924:25
    #8 0x7fcf66a2b082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x55f0500716bd in _start (/home/lain/wamr/product-mini/platforms/linux/build/iwasm+0x396bd)

0x60600000019e is located 2 bytes before 64-byte region [0x6060000001a0,0x6060000001e0)
allocated by thread T0 here:
    #0 0x55f050108e1e in __interceptor_malloc /home/build-user/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55f0501b111f in loader_malloc /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:384:20
    #2 0x55f0501b111f in wasm_loader_ctx_init /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:8215:15
    #3 0x55f0501b111f in wasm_loader_prepare_bytecode /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:10954:24
    #4 0x55f0501acc10 in load_from_sections /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6130:14
    #5 0x55f0501b02c5 in load /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6536:13
    #6 0x55f0501b02c5 in wasm_loader_load /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:6713:10
    #7 0x55f050145f57 in wasm_runtime_load_ex /home/lain/wamr/core/iwasm/common/wasm_runtime_common.c:1353:33
    #8 0x55f050141248 in main /home/lain/wamr/product-mini/platforms/linux/../posix/main.c:924:25
    #9 0x7fcf66a2b082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lain/wamr/core/iwasm/interpreter/wasm_loader.c:9754:41 in reserve_block_ret
==20090==ABORTING

wenyongh commented 3 months ago

@mobsceneZ Thanks for spotting the issue! I submitted PR #3516 to fix it, could you please help have a look and try again?