CVE-2023-46332: Out-of-Bound Memory Write in DataSegment::Drop() · Issue #2311 · WebAssembly/wabt
WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which leads to a segmentation fault.
Environment
OS : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Version : 12.0.1
Build : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" && cmake … && cmake --build .
Affected Tool : wasm-interp
Enabled Features : None
Impact : Out-of-Bound Memory Write Access
Proof of Concept
poc-wasm-interp-02.zip
Stack Trace Provided by AddressSanitizer
$ ~/wabt_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>*, wabt::Stream*) /home/lain/wabt_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>*) /home/lain/wabt_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const*) /home/lain/wabt_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char**) /home/lain/wabt_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #13 0x4845ed in _start (/home/lain/wabt_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING
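As an added triage helper, not part of this issue or of wabt: the following Python parses an AddressSanitizer report of the form quoted above into its fault kind, faulting address, access direction and stack frames, and buckets a zero-page WRITE like this one as a write to a field of a null object. The embedded report is an excerpt of the trace above; the `Frame` and `AsanCrash` types, `parse_asan_report` and `triage` are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the AddressSanitizer report quoted in this issue, embedded so the
# parser runs offline (frames #2 to #12 omitted for brevity).
ASAN_REPORT = """\
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt_asan/src/interp/interp.cc:2081:33
    #13 0x4845ed in _start (/home/lain/wabt_asan/bin/wasm-interp+0x4845ed)
"""

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col", or "(module+offset)" when not symbolized

@dataclass
class AsanCrash:
    kind: str              # "SEGV", "heap-buffer-overflow", ...
    address: int
    access: Optional[str]  # "READ", "WRITE", or None when ASan does not say
    frames: List[Frame]    # innermost frame first

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Function names may contain spaces (template arguments); the location never does.
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+?) (\S+)$")

def parse_asan_report(text: str) -> AsanCrash:
    """Pull fault kind, faulting address, access direction and stack frames out of an ASan report."""
    err = _ERROR_RE.search(text)
    if err is None:
        raise ValueError("not an AddressSanitizer error report")
    acc = _ACCESS_RE.search(text)
    frames = [Frame(int(m.group(1)), m.group(2), m.group(3))
              for m in map(_FRAME_RE.match, text.splitlines()) if m]
    return AsanCrash(err.group(1), int(err.group(2), 16), acc.group(1) if acc else None, frames)

def triage(crash: AsanCrash) -> str:
    """One-line bucket for the report: crashing frame plus the fault pattern it shows."""
    where = f"{crash.frames[0].function} at {crash.frames[0].location}" if crash.frames else "unknown frame"
    if crash.kind == "SEGV" and crash.address < 0x1000:  # zero page: null object + field offset
        return f"null-pointer {crash.access or 'access'} in {where} (offset 0x{crash.address:x})"
    return f"{crash.kind} ({crash.access or 'unknown access'}) in {where}"
```

Feeding the full trace above instead of the excerpt yields the same bucket, since only the ERROR line, the access line and frame #0 drive the classification.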