
[wasmer] index out of bounds in LocalBacking::[validate_memories, validate_tables] #800

Closed
pventuzelo opened this issue Sep 16, 2019 · 2 comments
Labels
bug Something isn't working 🏆 fuzzer-trophy Bugs found automatically by fuzzers.

Comments

@pventuzelo
Contributor

Describe the bug

An index out-of-bounds panic occurs inside 2 functions:

  • validate_memories (line 152)
  • validate_tables (line 276).

This issue makes wasmer panic with the following message:

```
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', lib/runtime-core/src/structures/slice.rs:58:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
```

```rust
// Same pattern in validate_memories (line 152) and validate_tables (line 276):
// import_global_index comes from the module and is used to index imports.globals
// without a range check, so an invalid index panics instead of returning an error.
Initializer::GetGlobal(import_global_index) => {
    if let Value::I32(x) = imports.globals[import_global_index].get() {
        x as u32
    } else {
        return Err(vec![LinkError::Generic {
            message: "unsupported global type for initializer".to_string(),
        }]);
    }
}
```

PLEASE NOTE: this vulnerable pattern is also in the finalize_memories and finalize_tables functions

```rust
// Same unchecked pattern in finalize_memories and finalize_tables:
Initializer::GetGlobal(import_global_index) => {
    if let Value::I32(x) = imports.globals[import_global_index].get() {
        x as u32
    } else {
        return Err(vec![LinkError::Generic {
            message: "unsupported global type for initializer".to_string(),
        }]);
    }
}
```

Status of my environment

wasmer version: commit 9068777

Steps to reproduce

Download index_oob_LocalBacking_validate_memories_152.zip
Download index_oob_LocalBacking_validate_tables_276.zip

```sh
$ unzip index_oob_LocalBacking_validate_tables_276.zip
$ unzip index_oob_LocalBacking_validate_memories_152.zip
$ ./target/release/wasmer run index_oob_LocalBacking_validate_tables_276.wasm
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', lib/runtime-core/src/structures/slice.rs:58:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
$ ./target/release/wasmer run index_oob_LocalBacking_validate_memories_152.wasm
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', lib/runtime-core/src/structures/slice.rs:58:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
```

Expected behavior

wasmer should check that import_global_index is a valid index,
i.e. zero or greater and less than imports.globals.len(), before retrieving the value using imports.globals[import_global_index].get()

Actual behavior [LocalBacking::validate_tables]

wasmer has been compiled with make debug (see line 12).

```
RUST_BACKTRACE=full ./target/debug/wasmer run index_oob_LocalBacking_validate_tables_276.wasm
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', lib/runtime-core/src/structures/slice.rs:58:10
stack backtrace:
   0:     0x5614b332d52b - backtrace::backtrace::libunwind::trace::hff97bfcead72480f
                               at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/libunwind.rs:88
   1:     0x5614b332d52b - backtrace::backtrace::trace_unsynchronized::h4231baf22f182898
                               at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/mod.rs:66
   2:     0x5614b332d52b - std::sys_common::backtrace::_print::hf2eec1b602be6e4a
                               at src/libstd/sys_common/backtrace.rs:47
   3:     0x5614b332d52b - std::sys_common::backtrace::print::h3c05932b3a210ff4
                               at src/libstd/sys_common/backtrace.rs:36
   4:     0x5614b332d52b - std::panicking::default_hook::{{closure}}::h1c5cd09b94d2c1df
                               at src/libstd/panicking.rs:200
   5:     0x5614b332d206 - std::panicking::default_hook::h2b75a4d054e04673
                               at src/libstd/panicking.rs:214
   6:     0x5614b332dc9d - std::panicking::rust_panic_with_hook::h1d25d81b1bd8da6d
                               at src/libstd/panicking.rs:477
   7:     0x5614b332d822 - std::panicking::continue_panic_fmt::h7a47470ea395499b
                               at src/libstd/panicking.rs:384
   8:     0x5614b332d706 - rust_begin_unwind
                               at src/libstd/panicking.rs:311
   9:     0x5614b334de4d - core::panicking::panic_fmt::hd9d0dd8bf108819d
                               at src/libcore/panicking.rs:85
  10:     0x5614b334de05 - core::panicking::panic_bounds_check::habdb5715ccfae412
                               at src/libcore/panicking.rs:61
  11:     0x5614b2eac26c - <wasmer_runtime_core::structures::slice::SliceMap<K,V> as core::ops::index::Index<K>>::index::hb45f1ca4fc4febde
                               at lib/runtime-core/src/structures/slice.rs:58
  12:     0x5614b2f379d3 - wasmer_runtime_core::backing::LocalBacking::validate_tables::h05ec0619201aa7f3
                               at lib/runtime-core/src/backing.rs:276
  13:     0x5614b2f350dc - wasmer_runtime_core::backing::LocalBacking::new::h5edf63a67d9c0378
                               at lib/runtime-core/src/backing.rs:76
  14:     0x5614b2e83e7c - wasmer_runtime_core::instance::Instance::new::h0def3615978a2203
                               at lib/runtime-core/src/instance.rs:58
  15:     0x5614b2f43d70 - wasmer_runtime_core::module::Module::instantiate::h98595d06035f7680
                               at lib/runtime-core/src/module.rs:120
  16:     0x5614b259f0a2 - wasmer::execute_wasm::h6d0e0348ab4532b9
                               at src/bin/wasmer.rs:657
  17:     0x5614b25a074e - wasmer::run::hf6c9dd42e07852fc
                               at src/bin/wasmer.rs:752
  18:     0x5614b25a1268 - wasmer::main::hc6289d8584db17a3
                               at src/bin/wasmer.rs:820
  19:     0x5614b25b1780 - std::rt::lang_start::{{closure}}::h9b7c8d3b519850eb
                               at /rustc/ad7c55e1fc55d9af4787b285cec1c64e3480ae84/src/libstd/rt.rs:64
  20:     0x5614b332d6a3 - std::rt::lang_start_internal::{{closure}}::hbe8b707fb988da1d
                               at src/libstd/rt.rs:49
  21:     0x5614b332d6a3 - std::panicking::try::do_call::h69d76f3c2b2049fb
                               at src/libstd/panicking.rs:296
  22:     0x5614b3335d1a - __rust_maybe_catch_panic
                               at src/libpanic_unwind/lib.rs:80
  23:     0x5614b332e26d - std::panicking::try::hae631ae41236f8fd
                               at src/libstd/panicking.rs:275
  24:     0x5614b332e26d - std::panic::catch_unwind::heea0533a2e599e6d
                               at src/libstd/panic.rs:394
  25:     0x5614b332e26d - std::rt::lang_start_internal::h571a3f440066b3da
                               at src/libstd/rt.rs:48
  26:     0x5614b25b1759 - std::rt::lang_start::h013e3ed8d33e7f73
                               at /rustc/ad7c55e1fc55d9af4787b285cec1c64e3480ae84/src/libstd/rt.rs:64
  27:     0x5614b25a4f3a - main
  28:     0x7fb9faae3b97 - __libc_start_main
  29:     0x5614b258864a - _start
  30:                0x0 - <unknown>
```

Actual behavior [LocalBacking::validate_memories]

wasmer has been compiled with make debug (see line 12).

```
RUST_BACKTRACE=full ./target/debug/wasmer run index_oob_LocalBacking_validate_memories_152.wasm
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', lib/runtime-core/src/structures/slice.rs:58:10
stack backtrace:
   0:     0x55a475f6b52b - backtrace::backtrace::libunwind::trace::hff97bfcead72480f
                               at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/libunwind.rs:88
   1:     0x55a475f6b52b - backtrace::backtrace::trace_unsynchronized::h4231baf22f182898
                               at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/mod.rs:66
   2:     0x55a475f6b52b - std::sys_common::backtrace::_print::hf2eec1b602be6e4a
                               at src/libstd/sys_common/backtrace.rs:47
   3:     0x55a475f6b52b - std::sys_common::backtrace::print::h3c05932b3a210ff4
                               at src/libstd/sys_common/backtrace.rs:36
   4:     0x55a475f6b52b - std::panicking::default_hook::{{closure}}::h1c5cd09b94d2c1df
                               at src/libstd/panicking.rs:200
   5:     0x55a475f6b206 - std::panicking::default_hook::h2b75a4d054e04673
                               at src/libstd/panicking.rs:214
   6:     0x55a475f6bc9d - std::panicking::rust_panic_with_hook::h1d25d81b1bd8da6d
                               at src/libstd/panicking.rs:477
   7:     0x55a475f6b822 - std::panicking::continue_panic_fmt::h7a47470ea395499b
                               at src/libstd/panicking.rs:384
   8:     0x55a475f6b706 - rust_begin_unwind
                               at src/libstd/panicking.rs:311
   9:     0x55a475f8be4d - core::panicking::panic_fmt::hd9d0dd8bf108819d
                               at src/libcore/panicking.rs:85
  10:     0x55a475f8be05 - core::panicking::panic_bounds_check::habdb5715ccfae412
                               at src/libcore/panicking.rs:61
  11:     0x55a475aea26c - <wasmer_runtime_core::structures::slice::SliceMap<K,V> as core::ops::index::Index<K>>::index::hb45f1ca4fc4febde
                               at lib/runtime-core/src/structures/slice.rs:58
  12:     0x55a475b74479 - wasmer_runtime_core::backing::LocalBacking::validate_memories::hb1f4f12a026b3360
                               at lib/runtime-core/src/backing.rs:152
  13:     0x55a475b72f05 - wasmer_runtime_core::backing::LocalBacking::new::h5edf63a67d9c0378
                               at lib/runtime-core/src/backing.rs:75
  14:     0x55a475ac1e7c - wasmer_runtime_core::instance::Instance::new::h0def3615978a2203
                               at lib/runtime-core/src/instance.rs:58
  15:     0x55a475b81d70 - wasmer_runtime_core::module::Module::instantiate::h98595d06035f7680
                               at lib/runtime-core/src/module.rs:120
  16:     0x55a4751dd0a2 - wasmer::execute_wasm::h6d0e0348ab4532b9
                               at src/bin/wasmer.rs:657
  17:     0x55a4751de74e - wasmer::run::hf6c9dd42e07852fc
                               at src/bin/wasmer.rs:752
  18:     0x55a4751df268 - wasmer::main::hc6289d8584db17a3
                               at src/bin/wasmer.rs:820
  19:     0x55a4751ef780 - std::rt::lang_start::{{closure}}::h9b7c8d3b519850eb
                               at /rustc/ad7c55e1fc55d9af4787b285cec1c64e3480ae84/src/libstd/rt.rs:64
  20:     0x55a475f6b6a3 - std::rt::lang_start_internal::{{closure}}::hbe8b707fb988da1d
                               at src/libstd/rt.rs:49
  21:     0x55a475f6b6a3 - std::panicking::try::do_call::h69d76f3c2b2049fb
                               at src/libstd/panicking.rs:296
  22:     0x55a475f73d1a - __rust_maybe_catch_panic
                               at src/libpanic_unwind/lib.rs:80
  23:     0x55a475f6c26d - std::panicking::try::hae631ae41236f8fd
                               at src/libstd/panicking.rs:275
  24:     0x55a475f6c26d - std::panic::catch_unwind::heea0533a2e599e6d
                               at src/libstd/panic.rs:394
  25:     0x55a475f6c26d - std::rt::lang_start_internal::h571a3f440066b3da
                               at src/libstd/rt.rs:48
  26:     0x55a4751ef759 - std::rt::lang_start::h013e3ed8d33e7f73
                               at /rustc/ad7c55e1fc55d9af4787b285cec1c64e3480ae84/src/libstd/rt.rs:64
  27:     0x55a4751e2f3a - main
  28:     0x7f35a4b21b97 - __libc_start_main
  29:     0x55a4751c664a - _start
  30:                0x0 - <unknown>
```
@pventuzelo pventuzelo added the bug Something isn't working label Sep 16, 2019
@pventuzelo
Contributor Author

TODO: add fuzzer-trophy tag

@nlewycky nlewycky added the 🏆 fuzzer-trophy Bugs found automatically by fuzzers. label Sep 17, 2019
bors bot added a commit that referenced this issue Sep 25, 2019
809: Fix issue 800 - check index before accessing imports.globals r=syrusakbary a=pventuzelo

# Description

Fix issue #800 

* Check if `import_global_index` is valid, i.e. inside the imports.globals range.
* Related functions: 
  * validate_memories
  * validate_tables
  * finalize_memories
  * finalize_tables

# After the fix

```sh
$ ./target/release/wasmer run index_oob_LocalBacking_validate_memories_152.wasm
execute_wasm: "Can\'t instantiate module: LinkError([Generic { message: \"incorrect global index for initializer\" }])"
--------------------------------------------------------------------------------------------------------
$ ./target/release/wasmer run index_oob_LocalBacking_validate_tables_276.wasm 
execute_wasm: "Can\'t instantiate module: LinkError([Generic { message: \"incorrect global index for initializer\" }])"
```

# Review

- [x] Create a short description of the change in the CHANGELOG.md file


Co-authored-by: Patrick Ventuzelo <ventuzelo.patrick@gmail.com>
Co-authored-by: Patrick Ventuzelo <9038181+pventuzelo@users.noreply.github.com>
@pventuzelo
Contributor Author

Fixed and merged in master: 231b1c2
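The unchecked lookup reported in this issue beside the range check that the fix adds, as an added example that is not wasmer's own code: `Value`, `Initializer`, `Imports` and `LinkError` are simplified stand-ins for the runtime-core types (a `Vec` in place of `SliceMap`), and the error message is the one shown in the PR's "After the fix" output.

```rust
// Added example, not wasmer's own code: a self-contained model of the
// Initializer::GetGlobal lookup in LocalBacking::{validate,finalize}_{memories,tables},
// showing the unchecked index beside the bounds-checked form from the fix (PR 809).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Value {
    I32(i32),
    I64(i64),
}
/// Offset initializer of a data/elem segment: a constant or an imported global.
#[derive(Debug, Clone, Copy)]
pub enum Initializer {
    Const(i32),
    GetGlobal(usize),
}
/// Stand-in for `imports.globals` (a plain Vec instead of wasmer's SliceMap).
pub struct Imports {
    pub globals: Vec<Value>,
}
#[derive(Debug, PartialEq)]
pub enum LinkError {
    Generic { message: String },
}
fn generic(msg: &str) -> Vec<LinkError> {
    vec![LinkError::Generic { message: msg.to_string() }]
}
/// Before the fix: `imports.globals[i]` panics when `i` is out of range
/// ("index out of bounds: the len is 0 but the index is 0" in the report).
pub fn init_offset_unchecked(init: Initializer, imports: &Imports) -> Result<u32, Vec<LinkError>> {
    match init {
        Initializer::Const(x) => Ok(x as u32),
        Initializer::GetGlobal(import_global_index) => match imports.globals[import_global_index] {
            Value::I32(x) => Ok(x as u32),
            _ => Err(generic("unsupported global type for initializer")),
        },
    }
}
/// After the fix: check the index first, so a malformed module is rejected with a
/// LinkError (the message from the PR's "After the fix" output) instead of a panic.
pub fn init_offset_checked(init: Initializer, imports: &Imports) -> Result<u32, Vec<LinkError>> {
    match init {
        Initializer::Const(x) => Ok(x as u32),
        Initializer::GetGlobal(import_global_index) => match imports.globals.get(import_global_index) {
            Some(Value::I32(x)) => Ok(*x as u32),
            Some(_) => Err(generic("unsupported global type for initializer")),
            None => Err(generic("incorrect global index for initializer")),
        },
    }
}
```

With an empty `globals` table (the reproducer's situation), `init_offset_unchecked` panics exactly as in the report while `init_offset_checked` returns the `LinkError` the fixed wasmer prints.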
