Describe the bug
The PoC imports one memory and defines another. When the loader later uses the module-defined memory (memory index 1) to initialize a data segment, it reads past the end of a heap allocation and AddressSanitizer reports a heap-buffer-overflow.
Version
iwasm 2.4.3
Commit: 4b306f0
To Reproduce
Steps to reproduce the behavior:
- Compile iwasm with the following flags:
-DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_AOT=0 -DWAMR_BUILD_JIT=0 -DWAMR_BUILD_FAST_JIT=0 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_BULK_MEMORY=1 -DWAMR_BUILD_SIMD=0 -DWAMR_BUILD_REF_TYPES=1 -DWAMR_BUILD_EXTENDED_CONST_EXPR=1 -DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1 -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_WASI_THREADS=1
- Convert the following PoC to wasm:
(module
  (import "env" "m" (memory 1))
  (memory 1)
  (data (memory 1) (i32.const 0) "")
)
- Run classic interpreter:
iwasm poc.wasm
Actual Result
==2315189==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000000078 at pc 0x5555556de86e bp 0x7fffffffc110 sp 0x7fffffffc100
READ of size 4 at 0x506000000078 thread T0
#0 0x5555556de86d in load_data_segment_section wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:5174
#1 0x5555556de86d in load_from_sections wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:6427
#2 0x5555556e348c in load wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7111
#3 0x5555556e348c in wasm_loader_load wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7288
#4 0x5555556503e6 in wasm_runtime_load_ex wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1515
#5 0x5555556503e6 in wasm_runtime_load_ex wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1476
#6 0x555555650595 in wasm_runtime_load wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1568
#7 0x555555577478 in main wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:950
#8 0x7ffff7c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7ffff7c29e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x555555579014 in _start (wasm-micro-runtime/product-mini/platforms/linux/build_interp_classic/iwasm-2.4.3+0x25014)
0x506000000078 is located 24 bytes to the right of 64-byte region [0x506000000020,0x506000000060)
allocated by thread T0 here:
#0 0x555555607df7 in __interceptor_malloc (wasm-micro-runtime/product-mini/platforms/linux/build_interp_classic/iwasm-2.4.3+0xb3df7)
#1 0x5555556b925b in loader_malloc wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:345
#2 0x5555556b925b in load_import_section wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:3552
#3 0x5555556dafab in load_from_sections wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:6372
#4 0x5555556e348c in load wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7111
#5 0x5555556e348c in wasm_loader_load wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:7288
#6 0x5555556503e6 in wasm_runtime_load_ex wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1515
#7 0x5555556503e6 in wasm_runtime_load_ex wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1476
#8 0x555555650595 in wasm_runtime_load wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:1568
#9 0x555555577478 in main wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:950
#10 0x7ffff7c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c:5174 in load_data_segment_section
Shadow bytes around the buggy address:
0x0a0c7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa[fa]
0x0a0c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2315189==ABORTING
Desktop (please complete the following information):
- Arch [x86_64]
- OS [Linux, Ubuntu]
- Version [22.04]
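An added example, not WAMR's code: a minimal C model of how a loader must resolve a data segment's memory index when a module both imports and defines memories. In the Wasm index space, imported memories occupy the lowest indices and module-defined memories follow, so index 1 in the PoC above names the module-defined memory and must never be used to index the import table. The struct and function names (mem_desc, toy_module, resolve_memory, check_data_segment, poc_table_for_index) are hypothetical, and the module contents are constructed to mirror the PoC's shape.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not WAMR code. Models the memory index space of a Wasm
 * module: imported memories come first, module-defined memories follow.
 * All names here (mem_desc, toy_module, resolve_memory, check_data_segment)
 * are hypothetical. */
typedef struct {
    uint32_t init_pages; /* initial size in 64 KiB pages */
    uint32_t max_pages;
} mem_desc;

typedef struct {
    uint32_t import_memory_count;
    const mem_desc *import_memories; /* from (import ... (memory ...)) */
    uint32_t memory_count;
    const mem_desc *memories;        /* from (memory ...) in the module */
} toy_module;

#define WASM_PAGE_SIZE 65536ULL

/* Resolve a memory index across both tables. Indices below
 * import_memory_count name imported memories; the remainder, after
 * subtracting that count, name module-defined memories. Returns NULL for
 * an index outside the combined space, so callers never index either
 * array with an unchecked value. */
const mem_desc *resolve_memory(const toy_module *m, uint32_t idx)
{
    if (idx < m->import_memory_count)
        return &m->import_memories[idx];
    idx -= m->import_memory_count;
    if (idx < m->memory_count)
        return &m->memories[idx];
    return NULL;
}

typedef enum { SEG_OK = 0, SEG_BAD_MEMIDX = 1, SEG_OUT_OF_BOUNDS = 2 } seg_status;

/* Conditions that must hold before an active data segment's bytes are
 * copied: the memory index resolves, and offset + len fits within the
 * memory's initial size (written so the addition cannot overflow). */
seg_status check_data_segment(const toy_module *m, uint32_t mem_idx,
                              uint64_t offset, uint64_t len)
{
    const mem_desc *mem = resolve_memory(m, mem_idx);
    if (mem == NULL)
        return SEG_BAD_MEMIDX;
    uint64_t mem_bytes = (uint64_t)mem->init_pages * WASM_PAGE_SIZE;
    if (offset > mem_bytes || len > mem_bytes - offset)
        return SEG_OUT_OF_BOUNDS;
    return SEG_OK;
}

/* Constructed module with the shape of the PoC: one imported memory of one
 * page, one module-defined memory of one page. */
static const mem_desc poc_import_mems[1] = { { 1, 1 } };
static const mem_desc poc_own_mems[1] = { { 1, 1 } };
static const toy_module poc_module = { 1, poc_import_mems, 1, poc_own_mems };

/* Which table a given index lands in for the PoC module: 0 = imported,
 * 1 = module-defined, -1 = invalid. The PoC's segment uses index 1, which
 * must land in the module-defined table, not one past the import table. */
int poc_table_for_index(uint32_t idx)
{
    const mem_desc *mem = resolve_memory(&poc_module, idx);
    if (mem == NULL)
        return -1;
    return mem == poc_own_mems ? 1 : 0;
}

int main(void)
{
    for (uint32_t idx = 0; idx < 3; idx++)
        printf("memory index %u -> table %d\n", (unsigned)idx,
               poc_table_for_index(idx));
    printf("PoC segment (memory 1, offset 0, len 0): status %d\n",
           (int)check_data_segment(&poc_module, 1, 0, 0));
    return 0;
}
```

The point of the split in resolve_memory is that the import table and the module-defined table are separate allocations; a lookup that takes the module-wide index straight into the import table reads one element past a one-element array for exactly the PoC's shape, which is the kind of out-of-bounds read a heap-buffer-overflow report in the loader points to.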