CVE-2023-46331: Out-of-Bound Memory Read in DataSegment::IsValidRange() · Issue #2310 · WebAssembly/wabt
WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in DataSegment::IsValidRange(), which leads to a segmentation fault.
Environment
OS : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Version : 12.0.1
Build : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" && cmake … && cmake --build .
Affected Tool : wasm-interp
Enabled Features : None
Impact : Out-of-Bound Memory Read Access
Proof of Concept
poc-wasm-interp-01.zip
Stack Trace Provided By AddressSanitizer
$ ~/wabt_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3549==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000064a0fe bp 0x7ffcceb61670 sp 0x7ffcceb61640 T0)
==3549==The signal is caused by a READ memory access.
==3549==Hint: address points to the zero page.
    #0 0x64a0fe in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/lain/wabt_asan/src/interp/interp.cc:734:19
    #1 0x649cd7 in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/lain/wabt_asan/src/interp/interp.cc:617:11
    #2 0x666cb4 in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:2075:3
    #3 0x65b199 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1510:32
    #4 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1086:19
    #5 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1078:14
    #6 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:428:19
    #7 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*, wabt::Stream*) /home/lain/wabt_asan/src/interp/interp.cc:394:10
    #8 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:944:22
    #9 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:340:19
    #10 0x562e82 in ReadAndRunModule(char const*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:423:3
    #11 0x561f67 in ProgramMain(int, char**) /home/lain/wabt_asan/src/tools/wasm-interp.cc:450:25
    #12 0x563191 in main /home/lain/wabt_asan/src/tools/wasm-interp.cc:456:10
    #13 0x7f9f8fa00082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #14 0x4845ed in _start (/home/lain/wabt_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt_asan/src/interp/interp.cc:734:19 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==3549==ABORTING