Open Messi-Q opened 2 months ago
Version
Author: Peng Qian messi.qp711@gmail.com
Date: Fri Jul 13:11:18 2024

Compile
cd wasm-micro-runtime/product-mini/platforms/linux
mkdir build
cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" -DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_FAST_INTERP=1 ..
make

mkdir build-no-asan
cd build-no-asan
cmake -DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_FAST_INTERP=1 ..
make

Reproduce
./iwasm id:000211,sig:06,src:000376,op:python,pos:0

No ASan Log
<= : 91.515296% 84540
> : 8.484704% 7838
Exception: out of bounds memory access

ASAN Log
=================================================================
==3984028==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff47a80350 at pc 0x7fedd5527a6a bp 0x7fff47a80310 sp 0x7fff47a7fab8
WRITE of size 128 at 0x7fff47a80350 thread T0
    #0 0x7fedd5527a69 in __interceptor_sigemptyset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959
    #1 0x5611196970cb in mask_signals /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/shared/platform/common/posix/posix_thread.c:580
    #2 0x56111964862a in call_wasm_with_hw_bound_check /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3390
    #3 0x56111964af64 in wasm_call_function /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3417
    #4 0x56111963b8d0 in wasm_runtime_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:2426
    #5 0x561119632f9c in execute_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_application.c:126
    #6 0x561119632f9c in wasm_application_execute_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_application.c:285
    #7 0x56111962cb00 in app_instance_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:119
    #8 0x56111962cb00 in main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:995
    #9 0x7fedd51a7082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x56111962e2ed in _start (/home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/build-fast/iwasm+0x232ed)

Address 0x7fff47a80350 is located in stack of thread T0 at offset 160 in frame
    #0 0x56111971573f in wasm_interp_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_fast.c:6087

  This frame has 1 object(s):
    [32, 160) 'buf' (line 6106) <== Memory access at offset 160 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959 in __interceptor_sigemptyset
Shadow bytes around the buggy address:
  0x100068f48010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48030: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f3
  0x100068f48040: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48050: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
=>0x100068f48060: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
  0x100068f48070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48080: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00
  0x100068f48090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f480a0: 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x100068f480b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3984028==ABORTING

PoC
The root cause should be the same as https://github.com/bytecodealliance/wasm-micro-runtime/issues/3561. Can you try modifying the code block mentioned in that issue?