
[wasmer] index out-of-bound write triggered in wasmer_emscripten::EmscriptenGlobals::new (emscripten_set_up_memory) #678

Closed
pventuzelo opened this issue Aug 14, 2019 · 1 comment · Fixed by #698
Labels
bug Something isn't working 🏆 fuzzer-trophy Bugs found automatically by fuzzers.

Comments

@pventuzelo
Contributor

Thanks for the bug report!

Describe the bug

An index out-of-bound issue occurs when the emscripten_set_up_memory() function tries to set a value inside memory.view (line 409).
This issue makes wasmer panic with the following message:

thread 'main' panicked at 'index out of bounds: the len is 4194304 but the index is 1073741816', lib/emscripten/src/lib.rs:409:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Vulnerable code

pub fn emscripten_set_up_memory(memory: &Memory, globals: &EmscriptenGlobalsData) {
    let dynamictop_ptr = globals.dynamictop_ptr;
    let dynamic_base = globals.dynamic_base;
    // dynamictop_ptr comes from the module's globals and is used as an index
    // into the view without any bounds check, which is what triggers the panic.
    memory.view::<u32>()[(dynamictop_ptr / 4) as usize].set(dynamic_base);
}

Expected behavior

emscripten_set_up_memory should check that (dynamictop_ptr / 4) as usize is not bigger than the memory::view length.

Status of my environment

wasmer version: commit 5239cdb

$ echo "`./target/release/wasmer -V` | `rustc -V` | `uname -m`"
wasmer 0.6.0 | rustc 1.38.0-nightly (ad7c55e1f 2019-08-07) | x86_64

Steps to reproduce

Download index_oob_write_emscripten_set_up_memory.zip

$ unzip index_oob_write_emscripten_set_up_memory.zip
$ wasmer run index_oob_write_emscripten_set_up_memory.wasm
thread 'main' panicked at 'index out of bounds: the len is 4194304 but the index is 1073741816', lib/emscripten/src/lib.rs:409:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Actual behavior

$ RUST_BACKTRACE=1 ./target/release/wasmer run index_oob_write_emscripten_set_up_memory.wasm

thread 'main' panicked at 'index out of bounds: the len is 4194304 but the index is 1073741816', lib/emscripten/src/lib.rs:409:5
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/libunwind.rs:88
   1: backtrace::backtrace::trace_unsynchronized
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/mod.rs:66
   2: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:47
   3: std::sys_common::backtrace::print
             at src/libstd/sys_common/backtrace.rs:36
   4: std::panicking::default_hook::{{closure}}
             at src/libstd/panicking.rs:200
   5: std::panicking::default_hook
             at src/libstd/panicking.rs:214
   6: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:477
   7: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:384
   8: rust_begin_unwind
             at src/libstd/panicking.rs:311
   9: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
  10: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
  11: wasmer_emscripten::EmscriptenGlobals::new
  12: wasmer::execute_wasm
  13: wasmer::main
  14: std::rt::lang_start::{{closure}}
  15: std::rt::lang_start_internal::{{closure}}
             at src/libstd/rt.rs:49
  16: std::panicking::try::do_call
             at src/libstd/panicking.rs:296
  17: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:80
  18: std::panicking::try
             at src/libstd/panicking.rs:275
  19: std::panic::catch_unwind
             at src/libstd/panic.rs:394
  20: std::rt::lang_start_internal
             at src/libstd/rt.rs:48
  21: main
  22: __libc_start_main
  23: _start
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Additional context

The wasm module attached is a valid module.

$ wasm-validate index_oob_write_emscripten_set_up_memory.wasm
$
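The bounds check the report asks for, written as an added example for this page; it is not wasmer's code and not the fix that landed in #698. The linear memory is modelled as a mutable slice of u32 cells (an assumption standing in for memory.view::<u32>()), so the validation can be exercised against the exact numbers in the panic message without the wasmer runtime. Beyond the reported case it also rejects a dynamictop_ptr that is not 4-byte aligned, since such a pointer cannot name a u32 cell.

```rust
// Added example, not wasmer's code: a bounds-checked stand-in for
// emscripten_set_up_memory. The memory view is modelled as &mut [u32].

#[derive(Debug, PartialEq, Eq)]
pub enum SetupError {
    /// dynamictop_ptr is not 4-byte aligned, so it cannot address a u32 cell.
    Misaligned { ptr: u32 },
    /// The computed cell index lies outside the memory view.
    OutOfBounds { index: usize, len: usize },
}

/// Translate the byte pointer from the module's globals into a cell index,
/// refusing anything the view cannot hold. Kept as a pure function so it can
/// be tested directly against the values from the panic message.
pub fn checked_cell_index(dynamictop_ptr: u32, view_len: usize) -> Result<usize, SetupError> {
    if dynamictop_ptr % 4 != 0 {
        return Err(SetupError::Misaligned { ptr: dynamictop_ptr });
    }
    let index = (dynamictop_ptr / 4) as usize;
    if index >= view_len {
        return Err(SetupError::OutOfBounds { index, len: view_len });
    }
    Ok(index)
}

/// Hardened equivalent of the reported function: the write happens only after
/// the index has been validated, so an untrusted global value returns an error
/// to the caller instead of panicking the host.
pub fn set_up_memory_checked(
    view: &mut [u32],
    dynamictop_ptr: u32,
    dynamic_base: u32,
) -> Result<(), SetupError> {
    let index = checked_cell_index(dynamictop_ptr, view.len())?;
    view[index] = dynamic_base;
    Ok(())
}

fn main() {
    // Constructed input: a 16-cell memory and globals that fit inside it.
    let mut mem = vec![0u32; 16];
    println!("{:?}", set_up_memory_checked(&mut mem, 8, 0x1000));

    // The pointer implied by the report (index 1073741816 * 4 bytes) against
    // the reported view length of 4194304 cells: rejected instead of panicking.
    println!("{:?}", checked_cell_index(1073741816 * 4, 4194304));
}
```

Returning a Result rather than panicking matters here because the globals are read from the module under execution: a host that panics on a crafted but valid module turns a malformed input into a denial of service of the runtime process.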
@pventuzelo pventuzelo added the bug Something isn't working label Aug 14, 2019
@pventuzelo
Contributor Author

TODO: tag with fuzzer-trophy

@bjfish bjfish added the 🏆 fuzzer-trophy Bugs found automatically by fuzzers. label Aug 14, 2019
@bors bors bot closed this as completed in b125517 Aug 19, 2019