
heap-buffer-overflow Read in wasm_call #23

@haruki3hhh

Description

version

e81176b

compile

make vmir.asan

asan report

root@9dc6ce043bcb:~/Ablation/vmir/crashes# ../vmir.asan id:000029,sig:11,src:000006,op:int8,pos:25,val:+16
=================================================================
==4108641==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000a8 at pc 0x55ef41d18cbe bp 0x7fff4e146b40 sp 0x7fff4e146b30
READ of size 8 at 0x6020000000a8 thread T0
    #0 0x55ef41d18cbd in wasm_call src/vmir_wasm_parser.c:924
    #1 0x55ef41d1a211 in wasm_parse_block src/vmir_wasm_parser.c:1166
    #2 0x55ef41d1aa32 in wasm_parse_section_code src/vmir_wasm_parser.c:1257
    #3 0x55ef41d1c9b3 in wasm_parse_module src/vmir_wasm_parser.c:1422
    #4 0x55ef41d1f1a0 in vmir_load src/vmir.c:920
    #5 0x55ef41c869c9 in main src/main.c:166
    #6 0x7fcc9f474082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x55ef41c85d2d in _start (/root/Ablation/vmir/vmir.asan+0x12d2d)

0x6020000000a8 is located 8 bytes to the left of 11-byte region [0x6020000000b0,0x6020000000bb)
allocated by thread T0 here:
    #0 0x7fcc9f8273ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x55ef41c96704 in bb_add_named src/vmir_function.c:48
    #2 0x55ef41d19af0 in wasm_parse_block src/vmir_wasm_parser.c:1084
    #3 0x55ef41d1aa32 in wasm_parse_section_code src/vmir_wasm_parser.c:1257
    #4 0x55ef41d1c9b3 in wasm_parse_module src/vmir_wasm_parser.c:1422
    #5 0x55ef41d1f1a0 in vmir_load src/vmir.c:920
    #6 0x55ef41c869c9 in main src/main.c:166
    #7 0x7fcc9f474082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow src/vmir_wasm_parser.c:924 in wasm_call

reproduce

./vmir https://github.com/haruki3hhh/fuzzing/blob/main/vmir/id%3A000029%2Csig%3A11%2Csrc%3A000006%2Cop%3Aint8%2Cpos%3A25%2Cval%3A%2B16
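The report above shows an 8-byte READ landing just before a strdup'd block name, and the fuzzer's mutation is a single byte bumped by +16 at offset 25, which is the shape of an unchecked index into a heap table. The following is an added illustration of that bug class and is not vmir's code; the structure names, the table layout and the claim that the faulting read is a function-table lookup are assumptions. It parses a wasm `call` instruction (opcode 0x10 followed by a LEB128 function index), shows the lookup with and without a bounds check against the table length, and keeps the unchecked path behind a compile-time switch so the program can be built with `-fsanitize=address -DDEMO_UNSAFE` to reproduce the same kind of ASAN diagnostic.

```c
/*
 * Added example, not vmir's code: an unchecked function index from a
 * `call` immediate used to index a heap-allocated pointer table reads one
 * 8-byte slot outside the table, which under AddressSanitizer shows up as
 * a heap-buffer-overflow READ of size 8 in whatever allocation the heap
 * placed next to the table. Names and layout are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; } wasm_func_t;

typedef struct {
    wasm_func_t **funcs;  /* heap table of pointers, 8 bytes each on LP64 */
    uint32_t nfuncs;
} wasm_module_t;

/* Decode an unsigned LEB128 varuint32 (at most 5 bytes).
 * Returns the number of bytes consumed, or 0 if the encoding is truncated. */
size_t read_varuint32(const uint8_t *p, size_t len, uint32_t *out) {
    uint32_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        result |= (uint32_t)(p[i] & 0x7f) << shift;
        if (!(p[i] & 0x80)) { *out = result; return i + 1; }
        shift += 7;
    }
    return 0;  /* continuation bit set on the last available byte */
}

/* Unchecked lookup: the index from the immediate is used directly.
 * With idx >= nfuncs this reads funcs[idx] outside the table. */
const char *call_unchecked(const wasm_module_t *m, const uint8_t *code, size_t len) {
    uint32_t idx;
    if (len < 1 || code[0] != 0x10) return NULL;
    if (read_varuint32(code + 1, len - 1, &idx) == 0) return NULL;
    return m->funcs[idx]->name;  /* out-of-bounds 8-byte read when idx >= nfuncs */
}

/* Checked lookup: validate the index before dereferencing the table.
 * Returns bytes consumed (> 0), -1 on a malformed instruction, -2 on an
 * index outside the function table. */
int call_checked(const wasm_module_t *m, const uint8_t *code, size_t len, const char **name) {
    uint32_t idx;
    if (len < 1 || code[0] != 0x10) return -1;
    size_t n = read_varuint32(code + 1, len - 1, &idx);
    if (n == 0) return -1;
    if (idx >= m->nfuncs) return -2;  /* the check whose absence the report implies */
    *name = m->funcs[idx]->name;
    return (int)(n + 1);
}

/* Build a module with n named functions in a heap-allocated table. */
wasm_module_t *module_new(const char *const *names, uint32_t n) {
    wasm_module_t *m = calloc(1, sizeof *m);
    m->funcs = calloc(n, sizeof *m->funcs);
    m->nfuncs = n;
    for (uint32_t i = 0; i < n; i++) {
        m->funcs[i] = calloc(1, sizeof **m->funcs);
        m->funcs[i]->name = names[i];
    }
    return m;
}

void module_free(wasm_module_t *m) {
    for (uint32_t i = 0; i < m->nfuncs; i++) free(m->funcs[i]);
    free(m->funcs);
    free(m);
}

int main(void) {
    const char *names[] = { "f0", "f1" };
    wasm_module_t *m = module_new(names, 2);
    const char *nm = NULL;
    /* Constructed inputs: a valid call, and the same call with its index
     * byte bumped by +16, the kind of one-byte mutation the fuzzer applied. */
    const uint8_t ok[]  = { 0x10, 0x01 };
    const uint8_t bad[] = { 0x10, 0x11 };

    printf("checked ok  -> %d (%s)\n", call_checked(m, ok, sizeof ok, &nm), nm);
    printf("checked bad -> %d\n", call_checked(m, bad, sizeof bad, &nm));
#ifdef DEMO_UNSAFE
    /* Build with -fsanitize=address -DDEMO_UNSAFE to see the heap-buffer-overflow READ. */
    printf("unchecked bad -> %s\n", call_unchecked(m, bad, sizeof bad));
#endif
    module_free(m);
    return 0;
}
```

The safe path fails closed on both a truncated LEB128 immediate and an index beyond the table; any parser that materialises function references at parse time needs the `idx >= nfuncs` comparison before the table is touched, since the immediate is attacker-controlled bytes.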
