CVE-2022-39974: SEGV wasm3/source/m3_exec.h:1078 in op_Select_i32_srs · Issue #379 · wasm3/wasm3
WASM3 v0.5.0 was discovered to contain a segmentation fault in the `op_Select_i32_srs` handler in `wasm3/source/m3_exec.h` (line 1078). The faulting instruction is a 4-byte load (`mov eax, dword ptr [rcx]`), and AddressSanitizer classifies the fault as an invalid READ access; the GDB and ASan output below show the crash site and the interpreter call chain.
GDB info
Program received signal SIGSEGV, Segmentation fault.
0x00005555555bbf69 in op_Select_i32_srs (_pc=0x62d0000004c0, _sp=0x631000000800, _mem=0x631000014800, _r0=3840, _fp0=1) at /home/ios/CVE/wasm3/source/m3_exec.h:1078
1078 d_m3Select_i (i32, _r0)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────
RAX 0x6311556fa980 ◂— 0x0
RBX 0x7fffffffcfa0 ◂— 0x41b58ab3
RCX 0x6311556fa980 ◂— 0x0
RDX 0x0
RDI 0x3
RSI 0x631000000800 ◂— 0x1000000000000
R8 0x5555555bbe20 (op_Select_i32_srs) ◂— endbr64
R9 0x3
R10 0x555555666940 ◂— 0x74726174735f /* '_start' */
R11 0x0
R12 0xffffffff9f4 ◂— 0x0
R13 0x7fffffffcfa0 ◂— 0x41b58ab3
R14 0x7fffffffd340 ◂— 0x41b58ab3
R15 0x0
RBP 0x7fffffffcea0 —▸ 0x7fffffffcef0 —▸ 0x7fffffffcf40 —▸ 0x7fffffffd020 —▸ 0x7fffffffd100 ◂— ...
RSP 0x7fffffffce60 —▸ 0xaffffcf20 ◂— 0x0
RIP 0x5555555bbf69 (op_Select_i32_srs+329) ◂— mov eax, dword ptr [rcx]
────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────
► 0x5555555bbf69 <op_Select_i32_srs+329> mov eax, dword ptr [rcx]
0x5555555bbf6b <op_Select_i32_srs+331> mov dword ptr [rbp - 4], eax
0x5555555bbf6e <op_Select_i32_srs+334> cmp dword ptr [rbp - 0xc], 0
0x5555555bbf72 <op_Select_i32_srs+338> je op_Select_i32_srs+347 <op_Select_i32_srs+347>
0x5555555bbf74 <op_Select_i32_srs+340> mov eax, dword ptr [rbp - 4]
0x5555555bbf77 <op_Select_i32_srs+343> cdqe
0x5555555bbf79 <op_Select_i32_srs+345> jmp op_Select_i32_srs+352 <op_Select_i32_srs+352>
↓
0x5555555bbf80 <op_Select_i32_srs+352> mov qword ptr [rbp - 0x30], rax
0x5555555bbf84 <op_Select_i32_srs+356> mov rax, qword ptr [rbp - 0x18]
0x5555555bbf88 <op_Select_i32_srs+360> mov rdx, rax
0x5555555bbf8b <op_Select_i32_srs+363> shr rdx, 3
─────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────
In file: /home/ios/CVE/wasm3/source/m3_exec.h
1073 \
1074 nextOp (); \
1075 }
1076
1077
► 1078 d_m3Select_i (i32, _r0)
1079 d_m3Select_i (i64, _r0)
1080
1081
1082 #define d_m3Select_f(TYPE, REG, LABEL, SELECTOR) \
1083 d_m3Op (Select_##TYPE##_##LABEL##ss) \
─────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffce60 —▸ 0xaffffcf20 ◂— 0x0
01:0008│ 0x7fffffffce68 ◂— 0x3ff0000000000000
02:0010│ 0x7fffffffce70 ◂— 0xf00
03:0018│ 0x7fffffffce78 —▸ 0x631000014800 —▸ 0x626000000100 ◂— 0x626000000100
04:0020│ 0x7fffffffce80 —▸ 0x631000000800 ◂— 0x1000000000000
05:0028│ 0x7fffffffce88 —▸ 0x62d0000004c0 —▸ 0x5555555bdea0 (op_Return) ◂— endbr64
06:0030│ 0x7fffffffce90 —▸ 0x141b58ab3 ◂— 0x0
07:0038│ 0x7fffffffce98 ◂— 0x555500000f00
───────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────
► f 0 0x5555555bbf69 op_Select_i32_srs+329
f 1 0x5555555a8fc5 op_f64_Ceil_s+261
f 2 0x5555555a55e6 op_i32_Divide_rs+422
f 3 0x5555555bf506 op_f32_Load_f32_s+838
f 4 0x5555555caca2 op_i32_Store_i32_ss+994
f 5 0x5555555ba807 op_SetSlot_i32+263
f 6 0x5555555b939e op_MemGrow+350
f 7 0x5555555aa330 op_i32_EqualToZero_s+272
ASan info
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3977==ERROR: AddressSanitizer: SEGV on unknown address 0x63108b682980 (pc 0x55c322d9df69 bp 0x7ffc71ba1260 sp 0x7ffc71ba1220 T0)
==3977==The signal is caused by a READ memory access.
#0 0x55c322d9df68 in op_Select_i32_srs /home/ios/CVE/wasm3/source/m3_exec.h:1078
#1 0x55c322d8afc4 in op_f64_Ceil_s /home/ios/CVE/wasm3/source/m3_exec.h:272
#2 0x55c322d875e5 in op_i32_Divide_rs /home/ios/CVE/wasm3/source/m3_exec.h:231
#3 0x55c322da1505 in op_f32_Load_f32_s /home/ios/CVE/wasm3/source/m3_exec.h:1341
#4 0x55c322dacca1 in op_i32_Store_i32_ss /home/ios/CVE/wasm3/source/m3_exec.h:1449
#5 0x55c322d9c806 in op_SetSlot_i32 /home/ios/CVE/wasm3/source/m3_exec.h:941
#6 0x55c322d9b39d in op_MemGrow /home/ios/CVE/wasm3/source/m3_exec.h:704
#7 0x55c322d8c32f in op_i32_EqualToZero_s /home/ios/CVE/wasm3/source/m3_exec.h:282
#8 0x55c322d9bf1b in op_Entry /home/ios/CVE/wasm3/source/m3_exec.h:808
#9 0x55c322dc168a in RunCode /home/ios/CVE/wasm3/source/m3_exec_defs.h:58
#10 0x55c322dc76cc in m3_CallArgv /home/ios/CVE/wasm3/source/m3_env.c:953
#11 0x55c322d65510 in repl_call /home/ios/CVE/wasm3/platforms/app/main.c:274
#12 0x55c322d682f4 in main /home/ios/CVE/wasm3/platforms/app/main.c:634
#13 0x7fcbd3bff082 in __libc_start_main ../csu/libc-start.c:308
#14 0x55c322d6422d in _start (/home/ios/CVE/wasm3/build/wasm3+0x2e22d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ios/CVE/wasm3/source/m3_exec.h:1078 in op_Select_i32_srs
==3977==ABORTING
Current commit: 7890a2097569fde845881e0b352d813573e371f9
PoC (attached)
op_Select_i32_srs.wasm.gz
Related news
GHSA-crf8-h2wq-2h9x: WASM3 Improper Input Validation vulnerability
WASM3 v0.5.0 was discovered to contain a segmentation fault via the component `op_Select_i32_srs` in `wasm3/source/m3_exec.h`.