Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid Read Memory in wabt::interp #2431

Open
Messi-Q opened this issue Jun 19, 2024 · 1 comment · May be fixed by #2432
Open

Invalid Read Memory in wabt::interp #2431

Messi-Q opened this issue Jun 19, 2024 · 1 comment · May be fixed by #2432

Comments

@Messi-Q
Copy link

Messi-Q commented Jun 19, 2024
edited
Loading

Version

commit 4beb525
Author: Peng Qian messi.qp711@gmail.com
Date: Wen Jun 10:48:12 2024

Compile

cd wabt
mkdir build
cd build 
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" ..
make

Reproduce

./wasm-interp id:000008,sig:11,src:003840,op:havoc,rep:2

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1084839==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x562656e0b4a1 bp 0x7ffc49ce8f90 sp 0x7ffc49ce8f60 T0)
==1084839==The signal is caused by a READ memory access.
==1084839==Hint: address points to the zero page.
    #0 0x562656e0b4a0 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:734
    #1 0x562656e098aa in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:617
    #2 0x562656e1e4fd in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:2091
    #3 0x562656e179d8 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1526
    #4 0x562656e12a69 in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1094
    #5 0x562656e12911 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:1086
    #6 0x562656e06de6 in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:428
    #7 0x562656e067be in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*, wabt::Stream*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:394
    #8 0x562656e10021 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:952
    #9 0x562656d3c22f in InstantiateModule /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:340
    #10 0x562656d3c797 in ReadAndRunModule /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:423
    #11 0x562656d3cbe0 in ProgramMain(int, char**) /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:450
    #12 0x562656d3cc92 in main /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/tools/wasm-interp.cc:456
    #13 0x7f5648576082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x562656d3825d in _start (/home/peng/Documents/all_wasm_vm/new_version_test/wabt/build/wasm-interp+0x5325d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/peng/Documents/all_wasm_vm/new_version_test/wabt/src/interp/interp.cc:734 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==1084839==ABORTING

PoC

PoC
@SoniEx2
Copy link
Contributor

SoniEx2 commented Jun 19, 2024
edited
Loading

minified:

;;; TOOL: run-gen-wasm-interp
magic
version
section(TYPE) { count[1] function params[0] results[0] }
section(FUNCTION) { count[1] type[0] }
section(MEMORY) { count[1] flags[0] min[1] }
section(START) { start_function[0] }
section(DATACOUNT) { count[1] }
section(CODE) {
  count[1]
  func {
    locals[0]
    i32.const value[0]
    i32.const value[0]
    i32.const value[0]
    memory.init dataidx[0] memidx[0]
  }
}

SoniEx2 added a commit to SoniEx2/wasm2kotlin that referenced this issue Jun 19, 2024
@SoniEx2
Add test for WebAssembly#2431, mark as broken/skip for now
24b593a
SoniEx2 added a commit to SoniEx2/wasm2kotlin that referenced this issue Jun 19, 2024
@SoniEx2
Add test for WebAssembly#2431, mark as broken/skip for now
0c267b3
SoniEx2 added a commit to SoniEx2/wasm2kotlin that referenced this issue Jun 19, 2024
@SoniEx2
Add test for WebAssembly#2431, mark as broken/skip for now
85758a6
SoniEx2 added a commit to SoniEx2/wasm2kotlin that referenced this issue Jun 19, 2024
@SoniEx2
Add test for WebAssembly#2431, mark as broken/skip for now
b1cff99
@tianstcht tianstcht mentioned this issue Jun 27, 2024
Open
@SoniEx2 SoniEx2 linked a pull request Sep 12, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix handling of data count without data section SoniEx2/wasm2kotlin
2 participants
@SoniEx2 @Messi-Q