NULL Pointer Dereference in block_type_get_result_types #3130

haruki3hhh · 2024-02-05T00:17:58Z

Version

commit 06df58f (HEAD -> main, origin/main, origin/HEAD)

Compile

cd wasm-micro-runtime/product-mini/platforms/linux/
cmake -DCMAKE_C_COMPILER="gcc" -DCMAKE_C_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer" -DCMAKE_LINKER_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ..
make -j

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==866714==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x565157bc383f bp 0x7ffe6cfb60d0 sp 0x7ffe6cfb5f90 T0)
==866714==The signal is caused by a READ memory access.
==866714==Hint: address points to the zero page.
    #0 0x565157bc383e in block_type_get_result_types /root/wasm-micro-runtime/core/iwasm/interpreter/wasm.h:875
    #1 0x565157bc383e in block_type_get_result_types /root/wasm-micro-runtime/core/iwasm/interpreter/wasm.h:863
    #2 0x565157bc383e in wasm_loader_check_br /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7092
    #3 0x565157bc383e in check_branch_block /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7143
    #4 0x565157bd0a73 in wasm_loader_prepare_bytecode /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:8127
    #5 0x565157bd0a73 in load_from_sections /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:3852
    #6 0x565157bdf654 in load /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:4215
    #7 0x565157bdf654 in wasm_loader_load /root/wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:4391
    #8 0x565157b5571c in main /root/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:885
    #9 0x7f54f8c2a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x565157b56b4d in _start (/root/wasm-micro-runtime/product-mini/platforms/linux/build_asan/iwasm+0x22b4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/wasm-micro-runtime/core/iwasm/interpreter/wasm.h:875 in block_type_get_result_types
==866714==ABORTING

Reproduce

./iwasm /root/wasm-fuzz-instruction/fuzz_out/crashes/id\:000000\,sig\:06\,src\:028368\,op\:python\,pos\:0

PoC

The text was updated successfully, but these errors were encountered:

wenyongh · 2024-02-05T07:42:56Z

@haruki3hhh Thanks for reporting this issue! I submitted PR #3133 to fix it, please try again.

Checking with `loader_ctx->csp_num < depth + 1` has potential integer overflow issue when depth is UINT_MAX, change to `loader_ctx->csp_num - 1 < depth` instead. Reported in #3130.

wenyongh · 2024-03-15T02:08:30Z

Close this issue since it was resolved.

…lliance#3133) Checking with `loader_ctx->csp_num < depth + 1` has potential integer overflow issue when depth is UINT_MAX, change to `loader_ctx->csp_num - 1 < depth` instead. Reported in bytecodealliance#3130.

wenyongh mentioned this issue Feb 5, 2024

Fix possible integer overflow in loader target block check #3133

Merged

wenyongh added bug Something isn't working fixed wasm loader labels Mar 14, 2024

wenyongh closed this as completed Mar 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NULL Pointer Dereference in block_type_get_result_types #3130

NULL Pointer Dereference in block_type_get_result_types #3130

haruki3hhh commented Feb 5, 2024

wenyongh commented Feb 5, 2024

wenyongh commented Mar 15, 2024

NULL Pointer Dereference in block_type_get_result_types #3130

NULL Pointer Dereference in block_type_get_result_types #3130

Comments

haruki3hhh commented Feb 5, 2024

Version

Compile

ASAN Log

Reproduce

PoC

wenyongh commented Feb 5, 2024

wenyongh commented Mar 15, 2024