CVE-2023-31670: Certain wasm binary causes `wasm2wat`, `wasm2c`, `wasm-decompile`, and `wasm-validate` to crash. · Issue #2199 · WebAssembly/wabt

An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 1.0.32, and wasm-validate 1.0.32 allows attackers to cause a Denial of Service (DoS) via running a crafted binary.


Describe the bug

Certain wasm binary causes wasm2wat, wasm2c, wasm-decompile, and wasm-validate to crash.

--version (for all of them): 1.0.32 (git~1.0.32-57-gad5f1385)

Steps to reproduce

The following wasm module causes a crash:
crash.wasm.txt (Remove .txt extension and save as .wasm)

  • Install and build WABT

  • Run wasm2c, wasm2wat, wasm-decompile and wasm-validate on the test file: crash.wasm

  • Observe the crash:

Assertion failed: (!empty()), function back, file intrusive-list.h, line 400.
zsh: abort      ./wabt/bin/wasm2c crash.wasm

wasm-validate: /path/to/wabt/include/wabt/intrusive-list.h:400: wabt::intrusive_list<T>::value_type& wabt::intrusive_list<T>::back() [with T = wabt::Expr; wabt::intrusive_list<T>::reference = wabt::Expr&]: Assertion `!empty()' failed.
Aborted

Expected behavior:

Expected behavior should be an error like the one wasm-interp provides:

wasm-interp crash.wasm:

crash.wasm:0000038: error: invalid initializer: instruction not valid in initializer expression: unreachable
0000038: error: OnUnreachableExpr callback failed

Because the tools crashed, I could not analyze deeper to find the root cause.
wasm-objdump -d crash.wasm:

000065 func[1]:
 000066: 01 7f                      | local[0] type=i32
 000068: 01 7e                      | local[1] type=i64
 00006a: 01 7d                      | local[2] type=f32
 00006c: 01 7c                      | local[3] type=f64
 00006e: 01 7f                      | local[4] type=i32
 000070: 41 b0 03                   | i32.const 432
 000073: 2d 00 41                   | i32.load8_u 0 65
 000076: 64                         | f64.gt
 000077: fd 48                      | f64x2.ne
 000079: 48                         | i32.lt_s
 00007a: 48                         | i32.lt_s
 00007b: 48                         | i32.lt_s
 00007c: 48                         | i32.lt_s
 00007d: 48                         | i32.lt_s
 00007e: 48                         | i32.lt_s
 00007f: 48                         | i32.lt_s
 000080: 48                         | i32.lt_s
 000081: 48                         | i32.lt_s
 000082: 48                         | i32.lt_s
 000083: b7                         | f64.convert_i32_s
 000084: 48                         | i32.lt_s
 000085: 48                         | i32.lt_s
 000086: 8d                         | f32.ceil
 000087: 48                         | i32.lt_s
 000088: 48                         | i32.lt_s
 000089: 48                         | i32.lt_s
 00008a: 48                         | i32.lt_s
 00008b: 48                         | i32.lt_s
 00008c: aa                         | i32.trunc_f64_s
 00008d: 71                         | i32.and
 00008e: bc                         | i32.reinterpret_f32
 00008f: 0b                         | end

Additional information

A combination of afl-fuzz++4.03a and Wasmlike, an Xsmith-based random program generator, produced the wasm module that caused the crash.
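As an added example (not code from the wabt project or the reporter), this is the kind of check the wasm-interp error above implies: a decoder for WebAssembly constant (initializer) expressions that accepts only the opcodes the core spec permits and reports the offending byte offset, instead of letting a later stage assert on an unexpected or empty instruction list. The opcode table and LEB128 layout follow the spec; the function names and sample byte strings are constructed for this example.

```python
import struct
# Opcodes the WebAssembly spec allows in a constant (initializer) expression, with the encoding of each
# immediate. "unreachable" (0x00) is deliberately absent; ref.null's heap type is assumed single-byte.
CONST_OPCODES = {0x41: ("i32.const", "sleb"), 0x42: ("i64.const", "sleb"),
                 0x43: ("f32.const", "<f"), 0x44: ("f64.const", "<d"),
                 0x23: ("global.get", "uleb"), 0xD0: ("ref.null", "uleb"), 0xD2: ("ref.func", "uleb")}

def read_leb(buf, pos, signed):
    # Decode one LEB128 integer at pos; return (value, position after it).
    result, shift = 0, 0
    for b in buf[pos:]:
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if signed and b & 0x40:
                result -= 1 << shift
            return result, pos
    raise ValueError(f"{pos:07x}: error: truncated LEB128 immediate")

def validate_init_expr(buf, pos=0):
    # Decode a constant expression; raise ValueError naming the byte offset of any violation.
    instrs = []
    while True:
        if pos >= len(buf):
            raise ValueError(f"{pos:07x}: error: initializer expression has no end opcode")
        op = buf[pos]
        if op == 0x0B:  # end
            if not instrs:  # never hand an empty instruction list to a later stage
                raise ValueError(f"{pos:07x}: error: empty initializer expression")
            return instrs
        if op not in CONST_OPCODES:
            raise ValueError(f"{pos:07x}: error: invalid initializer: opcode 0x{op:02x} not valid in initializer expression")
        name, imm = CONST_OPCODES[op]
        pos += 1
        if imm in ("sleb", "uleb"):
            value, pos = read_leb(buf, pos, signed=(imm == "sleb"))
        else:  # raw little-endian float immediate; unpack_from raises struct.error if truncated
            value, = struct.unpack_from(imm, buf, pos)
            pos += struct.calcsize(imm)
        instrs.append((name, value))

def check_init_expr(buf):
    # Non-raising wrapper: (instructions, None) on success, (None, error message) otherwise.
    try:
        return validate_init_expr(buf), None
    except (ValueError, struct.error) as exc:
        return None, str(exc)

# Constructed samples: the i32.const 432 encoding seen in the objdump above, then an initializer
# starting with unreachable (0x00), which must be reported rather than asserted on.
GOOD = bytes.fromhex("41b0030b")
BAD = bytes.fromhex("000b")
```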
