Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

A abort failure in wasm::Builder::makeFunction #4413

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 2 comments
Closed

A abort failure in wasm::Builder::makeFunction #4413

ZFeiXQ opened this issue Dec 25, 2021 · 2 comments

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Dec 25, 2021

Version:

version_104

command:

 wasm-dis POC8

POC8.zip

Result

Aborted.

bt

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff4416040 (0x00007ffff4416040)
RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffb890 --> 0x0 
RDI: 0x2 
RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
RSP: 0x7fffffffb890 --> 0x0 
RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffffb890 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7ffff799dc40 ("/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h")
R13: 0x31 ('1')
R14: 0x7ffff799dc00 ("type.isSignature()")
R15: 0xfffff700 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
   0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
   0x7ffff4460189 <__GI_raise+201>:	syscall 
=> 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
   0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
   0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
   0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb890 --> 0x0 
0008| 0x7fffffffb898 --> 0x49bba0 (<free>:	push   rbp)
0016| 0x7fffffffb8a0 --> 0x7ffffbad8000 
0024| 0x7fffffffb8a8 --> 0x6120000001c0 --> 0x7369642d69000001 
0032| 0x7fffffffb8b0 --> 0x612000000225 ("on> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *): Assertion `type.isSignature()' failed.\n")
0040| 0x7fffffffb8b8 --> 0x6120000001c0 --> 0x7369642d69000001 
0048| 0x7fffffffb8c0 --> 0x6120000001c0 --> 0x7369642d69000001 
0056| 0x7fffffffb8c8 --> 0x6120000002b3 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff443f859 in __GI_abort () at abort.c:79
#2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff799dc00 <str> "type.isSignature()", 
    file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, function=<optimized out>) at assert.c:92
#3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff799dc00 <str> "type.isSignature()", file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, 
    function=0x7ffff799dca0 <__PRETTY_FUNCTION__._ZN4wasm7Builder12makeFunctionENS_4NameENS_8HeapTypeEOSt6vectorINS_4TypeESaIS4_EEPNS_10ExpressionE> "static std::unique_ptr<Function> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *)") at assert.c:101
#4  0x00007ffff51417c4 in wasm::Builder::makeFunction (name=..., type=..., vars=..., body=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h:49
#5  0x00007ffff6ea172f in wasm::WasmBinaryBuilder::readImports (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2059
#6  0x00007ffff6e9967e in wasm::WasmBinaryBuilder::read (this=0x7fffffffcce0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1417
#7  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
#8  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
    at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
#9  0x00000000004cf7ca in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-dis.cpp:65
#10 0x00007ffff44410b3 in __libc_start_main (main=0x4cdef0 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
#11 0x000000000042375e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74
@aheejin
Copy link
Member

aheejin commented Dec 28, 2021

Can you elaborate on how you create POC8? It looks like an invalid wasm file.

@aheejin
Copy link
Member

aheejin commented Dec 30, 2021

Will close this for now. (Context: #4410 (comment))

@kripken kripken mentioned this issue Jan 5, 2022
Merged
@aheejin aheejin closed this as completed Jan 5, 2022
kripken added a commit that referenced this issue Jan 5, 2022
@kripken
Add binary format parse check for imported function types (#4423)
1beec37 
Without this we hit an assertion later, which is less clear.

See #4413
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aheejin @ZFeiXQ