
Memory Corruption Vulnerability: Invalid WRITE in uvwasi_serdes_write_uint32_t during WASI Execution #857

Open
JulianWu520 opened this issue Aug 27, 2024 · 0 comments

Comments

@JulianWu520

Hi,

Running fizzy-wasi with poc1.wasm triggers a segmentation fault due to an invalid memory WRITE in the uvwasi_serdes_write_uint32_t function, potentially leading to memory corruption.

build

mkdir build && cd build
cmake -DFIZZY_WASI=ON -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_LINKER_FLAGS="-fsanitize=address" ..
cmake --build .

Proof-Of-Concept

julianwu@RLab:~/Work/WebAssembly/fizzy/build/bin/crashes_output$ ../../../../fizzy-test/fizzy/build/bin/fizzy-wasi poc1.wasm
hello �orld
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4094410==ERROR: AddressSanitizer: SEGV on unknown address 0x6311000147ef (pc 0x56487025e2a4 bp 0x0fffabb40c20 sp 0x7ffd5da060a8 T0)
==4094410==The signal is caused by a WRITE memory access.
    #0 0x56487025e2a4 in uvwasi_serdes_write_uint32_t (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4)
    #1 0x5648701bbbef in fd_write /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:56
    #2 0x5648701dd7f4 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:570
    #3 0x5648701e1a59 in invoke_function<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:540
    #4 0x5648701e1a59 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:665
    #5 0x5648701ed954 in fizzy::execute(fizzy::Instance&, unsigned int, fizzy::Value const*) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:1626
    #6 0x5648701bc732 in fizzy::wasi::run(fizzy::wasi::UVWASI&, fizzy::Instance&, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:215
    #7 0x5648701c2f56 in fizzy::wasi::run(std::basic_string_view<unsigned char, std::char_traits<unsigned char> >, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:232
    #8 0x5648701c6142 in fizzy::wasi::load_and_run(int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:241
    #9 0x5648701b9bd5 in main /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/main.cpp:19
    #10 0x7f93368b0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7f93368b0e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x5648701b9e34 in _start (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0x19e34)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4) in uvwasi_serdes_write_uint32_t
==4094410==ABORTING

poc1.zip
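A crash of this shape, an ASan-reported WRITE at an address derived from guest-supplied values, reached from the host's fd_write while storing the 32-bit nwritten result, is what an unvalidated guest pointer looks like from the host side. The example below is added here to illustrate the check a WASI host shim needs; it is not code from fizzy or uvwasi, and it makes no claim about what fizzy's wasi.cpp actually does. It models a host-side fd_write that validates every guest pointer against the size of linear memory before dereferencing it (the ciovec array, each buffer it names, and the 4-byte nwritten slot), uses 64-bit arithmetic so a guest-chosen offset plus length cannot wrap, and returns WASI EFAULT instead of writing. GuestMemory, fd_write, make_sample_memory, Outcome and run are this example's own names; the errno numbering is WASI preview1's; the 64 KiB sample memory and its contents are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// WASI preview1 errno values used below (spec numbering).
constexpr uint32_t WASI_ESUCCESS = 0;
constexpr uint32_t WASI_EFAULT   = 21;
constexpr uint32_t WASI_EINVAL   = 28;

// Constructed stand-in for a module's linear memory (not fizzy's or uvwasi's type).
struct GuestMemory {
    std::vector<uint8_t> bytes;

    // True iff [off, off+len) lies inside linear memory. 64-bit arithmetic so a
    // guest-chosen off+len cannot wrap past zero and slip through the check.
    bool in_bounds(uint32_t off, uint64_t len) const {
        return static_cast<uint64_t>(off) + len <= bytes.size();
    }
    // Little-endian 32-bit accessors; callers must have checked bounds first.
    uint32_t read_u32(uint32_t off) const {
        return static_cast<uint32_t>(bytes[off])
             | static_cast<uint32_t>(bytes[off + 1]) << 8
             | static_cast<uint32_t>(bytes[off + 2]) << 16
             | static_cast<uint32_t>(bytes[off + 3]) << 24;
    }
    void write_u32(uint32_t off, uint32_t v) {
        for (int i = 0; i < 4; ++i) bytes[off + i] = static_cast<uint8_t>(v >> (8 * i));
    }
};

// Host-side fd_write(iovs, iovs_len, nwritten) with every guest pointer validated
// before the host touches it. All validation completes before any output is
// produced, so a bad later iovec cannot leave a partial write behind. Output goes
// to `sink` instead of a real file descriptor so the example runs offline.
uint32_t fd_write(GuestMemory& mem, uint32_t iovs, uint32_t iovs_len,
                  uint32_t nwritten_ptr, std::string& sink) {
    constexpr uint64_t kCiovecSize = 8;  // ciovec_t = { buf: u32, buf_len: u32 }
    if (!mem.in_bounds(nwritten_ptr, 4)) return WASI_EFAULT;
    if (!mem.in_bounds(iovs, static_cast<uint64_t>(iovs_len) * kCiovecSize)) return WASI_EFAULT;

    std::vector<std::pair<uint32_t, uint32_t>> segs;  // validated (buf, len) pairs
    uint64_t total = 0;
    for (uint32_t i = 0; i < iovs_len; ++i) {
        const uint32_t entry = iovs + static_cast<uint32_t>(i * kCiovecSize);
        const uint32_t buf = mem.read_u32(entry);
        const uint32_t len = mem.read_u32(entry + 4);
        if (!mem.in_bounds(buf, len)) return WASI_EFAULT;
        total += len;
        if (total > UINT32_MAX) return WASI_EINVAL;  // nwritten is a u32
        segs.emplace_back(buf, len);
    }
    for (const auto& s : segs)
        sink.append(reinterpret_cast<const char*>(mem.bytes.data() + s.first), s.second);
    mem.write_u32(nwritten_ptr, static_cast<uint32_t>(total));
    return WASI_ESUCCESS;
}

// Constructed sample: one 64 KiB wasm page holding "hello world\n" at 0x100, a valid
// ciovec at 0x200 describing it, and a second ciovec at 0x208 whose length runs far
// past the end of memory (the kind of entry a fuzzed module produces).
GuestMemory make_sample_memory() {
    GuestMemory mem{std::vector<uint8_t>(65536, 0)};
    static const char msg[] = "hello world\n";
    std::memcpy(mem.bytes.data() + 0x100, msg, sizeof(msg) - 1);
    mem.write_u32(0x200, 0x100);                                    // iov[0].buf
    mem.write_u32(0x204, static_cast<uint32_t>(sizeof(msg) - 1));   // iov[0].buf_len
    mem.write_u32(0x208, 0x100);                                    // iov[1].buf
    mem.write_u32(0x20C, 0xFFFFFFFFu);                              // iov[1].buf_len: out of bounds
    return mem;
}

struct Outcome { uint32_t rc; uint32_t nwritten; std::string output; };

// One fd_write call against a fresh sample memory, reporting the errno, the stored
// nwritten (0 unless success) and the bytes that reached the sink.
Outcome run(uint32_t iovs, uint32_t iovs_len, uint32_t nwritten_ptr) {
    GuestMemory mem = make_sample_memory();
    Outcome o{};
    o.rc = fd_write(mem, iovs, iovs_len, nwritten_ptr, o.output);
    o.nwritten = (o.rc == WASI_ESUCCESS) ? mem.read_u32(nwritten_ptr) : 0;
    return o;
}

int main() {
    struct Case { const char* what; uint32_t iovs, n, out; } cases[] = {
        {"valid single iovec",                0x200, 1, 0x300},
        {"nwritten slot straddles end",       0x200, 1, 0xFFFF},
        {"nwritten offset wraps in 32 bits",  0x200, 1, 0xFFFFFFFCu},
        {"iovec array itself out of bounds",  0xFFFC, 1, 0x300},
        {"second iovec buffer out of bounds", 0x200, 2, 0x300},
    };
    for (const Case& c : cases) {
        Outcome o = run(c.iovs, c.n, c.out);
        std::printf("%-34s errno=%2u nwritten=%u output=%zu bytes\n",
                    c.what, o.rc, o.nwritten, o.output.size());
    }
    return 0;
}
```

The ordering matters: the nwritten slot is checked first because it is the last thing written and the easiest to forget, and the iovec array length is checked in 64 bits because iovs_len*8 alone can exceed 32 bits. Running the same cases against a shim that skips any one of these checks is a quick way to confirm which pointer a given PoC is abusing.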
