CVE-2023-27115: SEGV in wabt::cat_compute_size · Issue #1992 · WebAssembly/wabt
WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::cat_compute_size.
Environment
OS : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : 3054d61f703d609995798f872fc86b462617c294
Version : 1.0.29
Build : make clang-debug-asan
Proof of concept
poc-5.wasm.zip
Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1681910==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f858ec47234 bp 0x7ffce2314ff0 sp 0x7ffce2314ef8 T0)
==1681910==The signal is caused by a READ memory access.
==1681910==Hint: address points to the zero page.
#0 0x7f858ec47234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234)
#1 0x61d4eb in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:27
#2 0x61d39d in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
#3 0x61d235 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
#4 0x61d005 in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
#5 0x60f57f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> wabt::cat<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:75:13
#6 0x5d137d in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:530:20
#7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
#8 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
#9 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
#10 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
#11 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
#12 0x7f858e754082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#13 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const
==1681910==ABORTING