
'@' before a quote (") causes a libc++abi.dylib crash using wat2wasm. #2165

Closed
khagankhan opened this issue Mar 9, 2023 · 2 comments · Fixed by #2166

Comments

@khagankhan

Describe the bug

'@' before a quote (") causes a libc++abi.dylib crash while converting ".wat" format into ".wasm" format using wat2wasm.

wat2wasm --version: 1.0.32 (git~1.0.32-35-g9990b0cf)


The following minimized code causes wat2wasm to crash.

(module (memory $mem 1)
   ;;(@_memory " (memory $mem)) ;; Space in between '@' and '"' avoids crash
   ;; A comment below the next line containing a '"' will also avoid a crash
   (@_memory" (memory $mem))
   (func
    $main
    (export "_main")
    (result i32)
    i32.const 21))

Absolute minimum example:

(@"

Steps to reproduce:

Here are the test files (remove ".txt" and save them as ".wat" files):
wabt_crash.wat.txt

wabt_crash_min.wat.txt

  • Install and build WABT

  • Run wat2wasm on the test file: wat2wasm wabt_crash.wat and wat2wasm wabt_crash_min.wat

  • Observe the crash:

    libc++abi.dylib: terminating with uncaught exception of type std::length_error: basic_string
    [1]    4522 abort      wat2wasm wabt_crash.wat
    

Expected Behavior:

Expected output should be an error (like the one below) produced by wat2wasm instead of a crash.
For example, if the test file replaces the '@' with a '*', wat2wasm gives the expected error below when run with wat2wasm expected.wat, which points out the missing end quote.

expected.wat:4:29: error: newline in string
   (*_memory" (memory $mem))
                            ^
expected.wat:5:9: error: newline in string
   (func
        ^
expected.wat:6:10: error: newline in string
    $main
         ^
expected.wat:7:21: error: newline in string
    (export "_main")
                    ^
expected.wat:8:17: error: newline in string
    (result i32)
                ^
expected.wat:9:19: error: newline in string
    i32.const 21))
                  ^
expected.wat:4:4: error: unexpected token (, expected ).
   (*_memory" (memory $mem))


Additional information

A combination of afl-fuzz++4.03a and Wasmlike, an Xsmith-based random program generator, produced the snippet of code that caused the crash. https://www.flux.utah.edu/project/xsmith


keithw added a commit that referenced this issue Mar 10, 2023
This adds a bounds-check to WastLexer::GetText to handle the case when
the offset is earlier than token_start (e.g. because GetStringToken
found a newline in the string and reset token_start to point to it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char
in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an
annotation, both for code metadata annotation and other kinds.
Previously this produced an infinite loop (but only when
--enable-annotations was provided).

Fixes #2165
@keithw
Member

keithw commented Mar 10, 2023

Thank you! If you have time, please take a look at #2166 and let me know what you think.

keithw added a commit that referenced this issue Mar 10, 2023
This adds a bounds-check to WastLexer::GetText to handle the case when
the offset is earlier than token_start (e.g. because GetStringToken
found a newline in the string and reset token_start to point at it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char
in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an
annotation, both for code metadata annotations and other kinds.
Previously this produced an infinite loop (but only with
--enable-annotations).

Fixes #2165
@rathann
Contributor

rathann commented Jun 17, 2023

This is CVE-2023-31669 for the record.
