
Heap out of bounds read - WASM_OP_I32_STORE16: wasm_interp_call_func_bytecode (wasm_interp.c:1226) #62

Closed
pventuzelo opened this issue Jul 23, 2019 · 1 comment

Comments

@pventuzelo

Environment

Questions: Answers
Related Binary: ./iwasm (linux build)
Commit: 9a02c49

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1226)
case: WASM_OP_I32_STORE16

Steps to reproduce the behavior

  • Download:
    PoC.zip

  • Run:
    ./iwasm PoC.wasm

Additional information

Crash

[1]    14488 segmentation fault  ./iwasm 

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555781108 --> 0x4200000003 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555563e37 (<wasm_interp_call_func_bytecode+18936>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x21 ('!')
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f17d --> 0x6e0417000b00200b 
R13: 0x5555557810fc --> 0x100000000 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555563e25 <wasm_interp_call_func_bytecode+18918>:	jbe    0x555555563eb3 <wasm_interp_call_func_bytecode+19060>
   0x555555563e2b <wasm_interp_call_func_bytecode+18924>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555563e30 <wasm_interp_call_func_bytecode+18929>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555563e37 <wasm_interp_call_func_bytecode+18936>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555563e3b <wasm_interp_call_func_bytecode+18940>:	mov    ecx,DWORD PTR [rbp-0x69c]
   0x555555563e41 <wasm_interp_call_func_bytecode+18946>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555563e48 <wasm_interp_call_func_bytecode+18953>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555563e4b <wasm_interp_call_func_bytecode+18956>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x47f7f3b01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
1226	        DEF_OP_STORE(uint32, I32, *(uint16*)maddr = (uint16)sval);
#0  0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==14486== Memcheck, a memory error detector
==14486== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==14486== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==14486== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555563ec8/PoC.wasm
==14486== 
==14486== Invalid read of size 8
==14486==    at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486==    by 0x10BAD7: app_instance_main (main.c:54)
==14486==    by 0x10C0EA: main (main.c:217)
==14486==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==14486== 
==14486== 
==14486== Process terminating with default action of signal 11 (SIGSEGV)
==14486==  Access not within mapped region at address 0x18
==14486==    at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486==    by 0x10BAD7: app_instance_main (main.c:54)
==14486==    by 0x10C0EA: main (main.c:217)
==14486==  If you believe this happened as a result of a stack
==14486==  overflow in your program's main thread (unlikely but
==14486==  possible), you can try to increase the size of the
==14486==  main thread stack using the --main-stacksize= flag.
==14486==  The main thread stack size used in this run was 8388608.
==14486== 
==14486== HEAP SUMMARY:
==14486==     in use at exit: 0 bytes in 0 blocks
==14486==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==14486== 
==14486== All heap blocks were freed -- no leaks are possible
==14486== 
==14486== For counts of detected and suppressed errors, rerun with: -v
==14486== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    14486 segmentation fault  valgrind ./iwasm 
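The GDB and Valgrind output above show the faulting instruction reading `[rax+0x18]` with `rax = 0`, i.e. a field read through a null pointer inside the store handler, before the 16-bit write at line 1226 has any chance to validate its target. As an added illustration (not WAMR's own code; the memory struct, its fields and the helper names are assumptions), this C function shows the two checks a hardened i32.store16 handler performs before forming `maddr`: that a memory instance exists at all, and that the effective address plus the access width stays inside linear memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a linear-memory instance (assumption, not WAMR's struct). */
typedef struct {
    uint8_t *memory_data;   /* base of linear memory; NULL if the module declares none */
    uint32_t memory_size;   /* bytes currently accessible */
} wasm_memory_t;

typedef enum { STORE_OK = 0, STORE_NO_MEMORY = 1, STORE_OUT_OF_BOUNDS = 2 } store_status_t;

/* Hardened i32.store16: reject a missing memory instance and any effective
 * address whose 2-byte store would run past memory_size. The sum is done in
 * 64 bits so addr + offset cannot wrap around to a small value. */
store_status_t wasm_i32_store16(wasm_memory_t *mem, uint32_t addr,
                                uint32_t offset, uint32_t sval)
{
    if (mem == NULL || mem->memory_data == NULL)
        return STORE_NO_MEMORY;      /* would otherwise read a field through NULL */

    uint64_t ea = (uint64_t)addr + (uint64_t)offset;   /* effective address */
    if (ea + sizeof(uint16_t) > (uint64_t)mem->memory_size)
        return STORE_OUT_OF_BOUNDS;  /* store would touch bytes past the heap */

    uint8_t *maddr = mem->memory_data + ea;
    uint16_t v = (uint16_t)sval;     /* i32.store16 keeps the low 16 bits */
    memcpy(maddr, &v, sizeof v);     /* memcpy avoids unaligned-access UB */
    return STORE_OK;
}

/* Read a 16-bit value back (host byte order), for checking results. */
uint16_t wasm_load16(const wasm_memory_t *mem, uint32_t addr)
{
    uint16_t v;
    memcpy(&v, mem->memory_data + addr, sizeof v);
    return v;
}

/* Constructed 64-byte linear memory used by the demo helpers below. */
static uint8_t demo_buf[64];

store_status_t store16_into_demo(uint32_t addr, uint32_t offset, uint32_t sval)
{
    wasm_memory_t mem = { demo_buf, sizeof demo_buf };
    return wasm_i32_store16(&mem, addr, offset, sval);
}

uint16_t load16_from_demo(uint32_t addr)
{
    wasm_memory_t mem = { demo_buf, sizeof demo_buf };
    return wasm_load16(&mem, addr);
}
```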

@pventuzelo pventuzelo changed the title WASM_OP_I32_STORE16: wasm_interp_call_func_bytecode (wasm_interp.c:1226) Heap out of bounds read - WASM_OP_I32_STORE16: wasm_interp_call_func_bytecode (wasm_interp.c:1226) Jul 23, 2019
@pventuzelo
Author

Fixed with c47baf2
