bytecodealliance / wasm-micro-runtime

WebAssembly Micro Runtime (WAMR)
Apache License 2.0

Out of bounds memory access in wasm_interp_fast #3625

Open Messi-Q opened 2 months ago

Messi-Q commented 2 months ago

Version

Author: Peng Qian messi.qp711@gmail.com Date: Fri Jul 13:11:18 2024

Compile

cd wasm-micro-runtime/product-mini/platforms/linux
mkdir build
cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" -DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_FAST_INTERP=1 ..
make
cd ..   # back to the platform directory, otherwise the second cmake is pointed at build/ and finds no CMakeLists.txt
mkdir build-no-asan
cd build-no-asan
cmake -DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_FAST_INTERP=1 ..
make

Reproduce

./iwasm id:000211,sig:06,src:000376,op:python,pos:0

No ASan Log

<= : 91.515296%  84540
 > : 8.484704%  7838
Exception: out of bounds memory access

ASAN Log

=================================================================
==3984028==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff47a80350 at pc 0x7fedd5527a6a bp 0x7fff47a80310 sp 0x7fff47a7fab8
WRITE of size 128 at 0x7fff47a80350 thread T0
    #0 0x7fedd5527a69 in __interceptor_sigemptyset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959
    #1 0x5611196970cb in mask_signals /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/shared/platform/common/posix/posix_thread.c:580
    #2 0x56111964862a in call_wasm_with_hw_bound_check /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3390
    #3 0x56111964af64 in wasm_call_function /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3417
    #4 0x56111963b8d0 in wasm_runtime_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:2426
    #5 0x561119632f9c in execute_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_application.c:126
    #6 0x561119632f9c in wasm_application_execute_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/common/wasm_application.c:285
    #7 0x56111962cb00 in app_instance_main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:119
    #8 0x56111962cb00 in main /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:995
    #9 0x7fedd51a7082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x56111962e2ed in _start (/home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/product-mini/platforms/linux/build-fast/iwasm+0x232ed)

Address 0x7fff47a80350 is located in stack of thread T0 at offset 160 in frame
    #0 0x56111971573f in wasm_interp_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/20240627/wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_fast.c:6087

  This frame has 1 object(s):
    [32, 160) 'buf' (line 6106) <== Memory access at offset 160 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959 in __interceptor_sigemptyset
Shadow bytes around the buggy address:
  0x100068f48010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48030: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f3
  0x100068f48040: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48050: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
=>0x100068f48060: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
  0x100068f48070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f48080: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00
  0x100068f48090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068f480a0: 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x100068f480b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3984028==ABORTING

PoC

PoC
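
As an added triage example (not code from the issue, the reporter, or WAMR), the Python below parses an ASan report of the kind quoted above and relates the faulting access to the stack object ASan blames. The report embedded in it is constructed from the log in this issue, with the stack cut after call_wasm_with_hw_bound_check, repository paths made relative, and only the legend entries it needs. Run on that sample it shows three things a practitioner would check before reading this as a plain overflow of `buf`: the write is 128 bytes, which is sizeof(sigset_t) on glibc x86-64 (the sigemptyset interceptor marks the whole set as written), and it begins at frame offset 160, the exact end of `buf` at [32, 160), so the gap between the object and the access is zero; the bracketed shadow byte f3 is a stack right redzone; and the function that owns the blamed frame, wasm_interp_call_wasm, does not appear anywhere on the faulting call stack, which is the case for the full stack above as well.

```python
"""Triage helper for AddressSanitizer reports, added as an example of reading
a report like the one above.  Not part of WAMR or iwasm.  The sample report
is constructed from the log in this issue: the stack is cut after frame #2,
repository paths are made relative, and only needed legend entries are kept."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_REPORT = """\
==3984028==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff47a80350 at pc 0x7fedd5527a6a bp 0x7fff47a80310 sp 0x7fff47a7fab8
WRITE of size 128 at 0x7fff47a80350 thread T0
    #0 0x7fedd5527a69 in __interceptor_sigemptyset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959
    #1 0x5611196970cb in mask_signals core/shared/platform/common/posix/posix_thread.c:580
    #2 0x56111964862a in call_wasm_with_hw_bound_check core/iwasm/interpreter/wasm_runtime.c:3390
Address 0x7fff47a80350 is located in stack of thread T0 at offset 160 in frame
    #0 0x56111971573f in wasm_interp_call_wasm core/iwasm/interpreter/wasm_interp_fast.c:6087
  This frame has 1 object(s):
    [32, 160) 'buf' (line 6106) <== Memory access at offset 160 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
=>0x100068f48060: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
  Addressable:           00
  Stack right redzone:     f3
"""


@dataclass
class AsanReport:
    kind: str                            # e.g. "stack-buffer-overflow"
    access: str                          # "READ" or "WRITE"
    size: int                            # bytes accessed
    address: int                         # faulting address
    frames: List[Tuple[str, str]]        # (function, location), innermost first
    frame_function: str                  # function whose frame holds the address
    frame_offset: int                    # offset of the address in that frame
    objects: List[Tuple[int, int, str]]  # half-open [lo, hi) ranges of its locals
    shadow_byte: Optional[str]           # shadow value ASan bracketed, e.g. "f3"
    shadow_meaning: Optional[str]        # its name from the legend, if printed
    unwind_hint: bool                    # ASan printed its swapcontext/vfork hint


HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
LOCATED_RE = re.compile(r"at offset (\d+) in frame\s+#0 0x[0-9a-f]+ in (\S+)")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)
SHADOW_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]", re.M)
LEGEND_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s+([0-9a-f]{2})\s*$", re.M)


def parse_asan_report(text: str) -> AsanReport:
    """Split at the 'Address ... is located' line: before it is the faulting
    access and its stack, after it the frame and locals owning the address."""
    head, sep, tail = text.partition("\nAddress 0x")
    if not sep:
        raise ValueError("no 'Address ... is located' section")
    hdr, acc, loc = HEADER_RE.search(head), ACCESS_RE.search(head), LOCATED_RE.search(tail)
    if not (hdr and acc and loc):
        raise ValueError("not an AddressSanitizer stack access report")
    legend = {code: name for name, code in LEGEND_RE.findall(text)}
    shadow = SHADOW_RE.search(text)
    shadow_byte = shadow.group(1) if shadow else None
    return AsanReport(
        kind=hdr.group(1),
        access=acc.group(1),
        size=int(acc.group(2)),
        address=int(acc.group(3), 16),
        frames=FRAME_RE.findall(head),
        frame_function=loc.group(2),
        frame_offset=int(loc.group(1)),
        objects=[(int(lo), int(hi), n) for lo, hi, n in OBJECT_RE.findall(tail)],
        shadow_byte=shadow_byte,
        shadow_meaning=legend.get(shadow_byte) if shadow_byte else None,
        unwind_hint="HINT: this may be a false positive" in text,
    )


def locate_access(report: AsanReport) -> Tuple[str, str, int]:
    """Place [frame_offset, frame_offset + size) against the frame's locals; return
    (name, relation, gap) for the nearest one, gap being bytes between them (0 if touching)."""
    start, end = report.frame_offset, report.frame_offset + report.size
    best = None
    for lo, hi, name in report.objects:
        if end <= lo:
            rel, gap = "before", lo - end
        elif start >= hi:
            rel, gap = "after", start - hi      # begins at or past the object's end
        elif lo <= start and end <= hi:
            rel, gap = "inside", 0
        else:
            rel, gap = "straddles", 0
        if best is None or gap < best[2]:
            best = (name, rel, gap)
    return best


def frame_is_on_faulting_stack(report: AsanReport) -> bool:
    """False when the blamed frame's function is absent from the access's call
    stack, i.e. the access lands in stack memory of a frame that code never entered."""
    return any(fn == report.frame_function for fn, _ in report.frames)
```

The parser only understands stack reports with an "is located in stack of thread ... in frame" section; heap and global reports need their own locator. `locate_access` returning `("buf", "after", 0)` is the precise statement of what the log says: the write does not land inside `buf` at all, it starts at the first byte after it.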

TianlongLiang commented 2 months ago

The root cause should be the same as https://github.com/bytecodealliance/wasm-micro-runtime/issues/3561. Can you try modifying the code block mentioned in that issue?