Stack-buffer-overflow in wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_classic.c

[Messi-Q]

Version

commit 0418041
Author: Peng Qian [email protected]
Date: Fri Jun 21:11:08 2024

Compile

cd wasm-micro-runtime/product-mini/platforms/linux
mkdir build
cd build 
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" -DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_FAST_INTERP=0 ..
make

Reproduce

./iwasm id:000071,sig:06,src:000585,op:python,pos:0

ASAN Log

=================================================================
==534898==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe820f6400 at pc 0x7fdc0905ca6a bp 0x7ffe820f63c0 sp 0x7ffe820f5b68
WRITE of size 128 at 0x7ffe820f6400 thread T0
#0 0x7fdc0905ca69 in __interceptor_sigemptyset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959
#1 0x56475fb4299b in mask_signals /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/shared/platform/common/posix/posix_thread.c:580
#2 0x56475faf637d in call_wasm_with_hw_bound_check /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3353
#3 0x56475faf8ba2 in wasm_call_function /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3380
#4 0x56475fae9a50 in wasm_runtime_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:2423
#5 0x56475fae0e53 in execute_main /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/common/wasm_application.c:126
#6 0x56475fae0e53 in wasm_application_execute_main /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/common/wasm_application.c:285
#7 0x56475fada8e6 in app_instance_main /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:119
#8 0x56475fada8e6 in main /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:995
#9 0x7fdc08cdc082 in __libc_start_main ../csu/libc-start.c:308
#10 0x56475fadbffd in _start (/home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/product-mini/platforms/linux/build/iwasm+0x22ffd)

Address 0x7ffe820f6400 is located in stack of thread T0 at offset 160 in frame
#0 0x56475fbbc94f in wasm_interp_call_wasm /home/peng/Documents/all_wasm_vm/new_version_test/wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_classic.c:7121

This frame has 1 object(s):
[32, 160) 'buf' (line 7129) <== Memory access at offset 160 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3959 in __interceptor_sigemptyset
Shadow bytes around the buggy address:
0x100050416c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050416c40: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 00 f2
0x100050416c50: f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
0x100050416c60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100050416c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100050416c80:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100050416c90: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
0x100050416ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050416cb0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3
0x100050416cc0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050416cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==534898==ABORTING

PoC

PoC

[wenyongh]

@Messi-Q thanks for spotting the issue, from the call stack dumped, the stack-buffer-overflow occurs in function mask_signals in file posix_thread.c, L580:

wasm-micro-runtime/core/shared/platform/common/posix/posix_thread.c

Lines 572 to 580 in 4c2af25

	#if defined(__GNUC__) || defined(__clang__)
	__attribute__((no_sanitize_address))
	#endif
	static void
	mask_signals(int how)
	{
	sigset_t set;
	sigemptyset(&set);

But as you see, this function is set with __attribute__((no_sanitize_address)) which means address sanitizer should not be applied for it since it does some low-level magic (e.g. stack, signal related operations), but I am not sure why __attribute__((no_sanitize_address)) doesn't take effect in you environment. What is the compiler you used, is it clang or gcc? Could you modify the function to be like below:

#if defined(__GNUC__)
__attribute__((no_sanitize_address))
#elif defined(__clang__)
__attribute__((no_sanitize("address")))
#endif
static void
mask_signals(int how)
{
    ...
}

and try again? Thanks.