bytecodealliance / wasm-micro-runtime
WebAssembly Micro Runtime (WAMR)
License: Apache License 2.0
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Null pointer dereference in wasm_loader_prepare_bytecode (wasm_loader.c:2258)
Download: PoC.zip
Run:
```
./iwasm PoC.wasm
```
Crash
```
[1] 31363 segmentation fault ./iwasm
```
GDB
```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x1
RSI: 0x7fffffffd6d8 --> 0x555555780e38 --> 0x7f
RDI: 0x0
RBP: 0x7fffffffd770 --> 0x7fffffffd7e0 --> 0x7fffffffd840 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffd650 --> 0x8000000000
RIP: 0x55555556e953 (<wasm_loader_prepare_bytecode+917>: movzx eax,BYTE PTR [rax])
R8 : 0x7fffffffd688 --> 0x100000020
R9 : 0x7fffffffd684 --> 0x2000000000 ('')
R10: 0x0
R11: 0x246
R12: 0x555555557960 (<_start>: xor ebp,ebp)
R13: 0x7fffffffda80 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x55555556e947 <wasm_loader_prepare_bytecode+905>: mov rax,QWORD PTR [rbp-0x78]
0x55555556e94b <wasm_loader_prepare_bytecode+909>: lea rdx,[rax+0x1]
0x55555556e94f <wasm_loader_prepare_bytecode+913>: mov QWORD PTR [rbp-0x78],rdx
=> 0x55555556e953 <wasm_loader_prepare_bytecode+917>: movzx eax,BYTE PTR [rax]
0x55555556e956 <wasm_loader_prepare_bytecode+920>: mov BYTE PTR [rbp-0xf8],al
0x55555556e95c <wasm_loader_prepare_bytecode+926>: movzx eax,BYTE PTR [rbp-0xf8]
0x55555556e963 <wasm_loader_prepare_bytecode+933>: cmp eax,0xbf
0x55555556e968 <wasm_loader_prepare_bytecode+938>: ja 0x55555557440f <wasm_loader_prepare_bytecode+24145>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd650 --> 0x8000000000
0008| 0x7fffffffd658 --> 0x7fffffffd910 --> 0x7ffff7ffa268 (add BYTE PTR ss:[rax],al)
0016| 0x7fffffffd660 --> 0x555555780e00 --> 0x555555780de0 --> 0x0
0024| 0x7fffffffd668 --> 0x55555577f168 --> 0x1
0032| 0x7fffffffd670 --> 0xffffffd690
0040| 0x7fffffffd678 --> 0x40f2fe7db7a3fa00
0048| 0x7fffffffd680 --> 0x1
0056| 0x7fffffffd688 --> 0x100000020
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556e953 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e00 <global_heap_buf+8032>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2258
2258 opcode = *p++;
#0 0x000055555556e953 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e00 <global_heap_buf+8032>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2258
#1 0x000055555556cba6 in load_from_sections (module=0x55555577f168 <global_heap_buf+712>, sections=0x555555780d58 <global_heap_buf+7864>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1189
#2 0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, module=0x55555577f168 <global_heap_buf+712>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#3 0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#4 0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#5 0x000055555555802d in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
```
Valgrind
```
==31313== Memcheck, a memory error detector
==31313== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31313== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==31313== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556e9f0/PoC.wasm
==31313==
==31313== Invalid read of size 1
==31313== at 0x122953: wasm_loader_prepare_bytecode (wasm_loader.c:2258)
==31313== by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==31313== by 0x121009: load (wasm_loader.c:1388)
==31313== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==31313== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==31313== by 0x10C02C: main (main.c:196)
==31313== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==31313==
==31313==
==31313== Process terminating with default action of signal 11 (SIGSEGV)
==31313== Access not within mapped region at address 0x0
==31313== at 0x122953: wasm_loader_prepare_bytecode (wasm_loader.c:2258)
==31313== by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==31313== by 0x121009: load (wasm_loader.c:1388)
==31313== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==31313== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==31313== by 0x10C02C: main (main.c:196)
==31313== If you believe this happened as a result of a stack
==31313== overflow in your program's main thread (unlikely but
==31313== possible), you can try to increase the size of the
==31313== main thread stack using the --main-stacksize= flag.
==31313== The main thread stack size used in this run was 8388608.
==31313==
==31313== HEAP SUMMARY:
==31313== in use at exit: 0 bytes in 0 blocks
==31313== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==31313==
==31313== All heap blocks were freed -- no leaks are possible
==31313==
==31313== For counts of detected and suppressed errors, rerun with: -v
==31313== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 31313 segmentation fault valgrind ./iwasm
```
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1140)
case: WASM_OP_F64_LOAD
Download: PoC.zip
Run:
```
./iwasm PoC.wasm
```
Crash
```
[1] 13909 segmentation fault ./iwasm
```
GDB
```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x55555578110c --> 0xb0f02e400000042
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x555555561b12 (<wasm_interp_call_func_bytecode+9939>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x21 ('!')
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b
R10: 0x0
R11: 0x246
R12: 0x55555577f17a --> 0xb00200bc0c0c1
R13: 0x5555557810fc --> 0x100000000
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555561b00 <wasm_interp_call_func_bytecode+9921>: jbe 0x555555561b8e <wasm_interp_call_func_bytecode+10063>
0x555555561b06 <wasm_interp_call_func_bytecode+9927>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555561b0b <wasm_interp_call_func_bytecode+9932>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555561b12 <wasm_interp_call_func_bytecode+9939>: mov rdx,QWORD PTR [rax+0x18]
0x555555561b16 <wasm_interp_call_func_bytecode+9943>: mov ecx,DWORD PTR [rbp-0x594]
0x555555561b1c <wasm_interp_call_func_bytecode+9949>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555561b23 <wasm_interp_call_func_bytecode+9956>: mov eax,DWORD PTR [rax+0x30]
0x555555561b26 <wasm_interp_call_func_bytecode+9959>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x17f7f2b01
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555561b12 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1140
1140 DEF_OP_LOAD(PUSH_F64(GET_F64_FROM_ADDR((uint32*)maddr)));
#0 0x0000555555561b12 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1140
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
```
Valgrind
```
==13906== Memcheck, a memory error detector
==13906== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==13906== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==13906== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561ba3/PoC.wasm
==13906==
==13906== Invalid read of size 8
==13906== at 0x115B12: wasm_interp_call_func_bytecode (wasm_interp.c:1140)
==13906== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==13906== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==13906== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==13906== by 0x10BAD7: app_instance_main (main.c:54)
==13906== by 0x10C0EA: main (main.c:217)
==13906== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==13906==
==13906==
==13906== Process terminating with default action of signal 11 (SIGSEGV)
==13906== Access not within mapped region at address 0x18
==13906== at 0x115B12: wasm_interp_call_func_bytecode (wasm_interp.c:1140)
==13906== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==13906== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==13906== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==13906== by 0x10BAD7: app_instance_main (main.c:54)
==13906== by 0x10C0EA: main (main.c:217)
==13906== If you believe this happened as a result of a stack
==13906== overflow in your program's main thread (unlikely but
==13906== possible), you can try to increase the size of the
==13906== main thread stack using the --main-stacksize= flag.
==13906== The main thread stack size used in this run was 8388608.
==13906==
==13906== HEAP SUMMARY:
==13906== in use at exit: 0 bytes in 0 blocks
==13906== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==13906==
==13906== All heap blocks were freed -- no leaks are possible
==13906==
==13906== For counts of detected and suppressed errors, rerun with: -v
==13906== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 13906 segmentation fault valgrind ./iwasm
```
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1226)
case: WASM_OP_I32_STORE16
Download: PoC.zip
Run:
```
./iwasm PoC.wasm
```
Crash
```
[1] 14488 segmentation fault ./iwasm
```
GDB
```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x555555781108 --> 0x4200000003
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x555555563e37 (<wasm_interp_call_func_bytecode+18936>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x21 ('!')
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b
R10: 0x0
R11: 0x246
R12: 0x55555577f17d --> 0x6e0417000b00200b
R13: 0x5555557810fc --> 0x100000000
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555563e25 <wasm_interp_call_func_bytecode+18918>: jbe 0x555555563eb3 <wasm_interp_call_func_bytecode+19060>
0x555555563e2b <wasm_interp_call_func_bytecode+18924>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555563e30 <wasm_interp_call_func_bytecode+18929>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555563e37 <wasm_interp_call_func_bytecode+18936>: mov rdx,QWORD PTR [rax+0x18]
0x555555563e3b <wasm_interp_call_func_bytecode+18940>: mov ecx,DWORD PTR [rbp-0x69c]
0x555555563e41 <wasm_interp_call_func_bytecode+18946>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555563e48 <wasm_interp_call_func_bytecode+18953>: mov eax,DWORD PTR [rax+0x30]
0x555555563e4b <wasm_interp_call_func_bytecode+18956>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x47f7f3b01
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
1226 DEF_OP_STORE(uint32, I32, *(uint16*)maddr = (uint16)sval);
#0 0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
```
Valgrind
```
==14486== Memcheck, a memory error detector
==14486== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==14486== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==14486== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555563ec8/PoC.wasm
==14486==
==14486== Invalid read of size 8
==14486== at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486== by 0x10BAD7: app_instance_main (main.c:54)
==14486== by 0x10C0EA: main (main.c:217)
==14486== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==14486==
==14486==
==14486== Process terminating with default action of signal 11 (SIGSEGV)
==14486== Access not within mapped region at address 0x18
==14486== at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486== by 0x10BAD7: app_instance_main (main.c:54)
==14486== by 0x10C0EA: main (main.c:217)
==14486== If you believe this happened as a result of a stack
==14486== overflow in your program's main thread (unlikely but
==14486== possible), you can try to increase the size of the
==14486== main thread stack using the --main-stacksize= flag.
==14486== The main thread stack size used in this run was 8388608.
==14486==
==14486== HEAP SUMMARY:
==14486== in use at exit: 0 bytes in 0 blocks
==14486== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==14486==
==14486== All heap blocks were freed -- no leaks are possible
==14486==
==14486== For counts of detected and suppressed errors, rerun with: -v
==14486== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 14486 segmentation fault valgrind ./iwasm
```
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1172)
case: WASM_OP_I64_LOAD16_U
Download: PoC.zip
Run:
```
./iwasm PoC.wasm
```
Crash
```
[1] 20965 segmentation fault ./iwasm
```
GDB
```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810f0 --> 0x0
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x555555562c9b (<wasm_interp_call_func_bytecode+14428>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x32 ('2')
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f15f --> 0xc1410341026f6c
R13: 0x5555557810fc --> 0x7f03
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555562c89 <wasm_interp_call_func_bytecode+14410>: jbe 0x555555562d17 <wasm_interp_call_func_bytecode+14552>
0x555555562c8f <wasm_interp_call_func_bytecode+14416>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555562c94 <wasm_interp_call_func_bytecode+14421>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555562c9b <wasm_interp_call_func_bytecode+14428>: mov rdx,QWORD PTR [rax+0x18]
0x555555562c9f <wasm_interp_call_func_bytecode+14432>: mov ecx,DWORD PTR [rbp-0x614]
0x555555562ca5 <wasm_interp_call_func_bytecode+14438>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555562cac <wasm_interp_call_func_bytecode+14445>: mov eax,DWORD PTR [rax+0x30]
0x555555562caf <wasm_interp_call_func_bytecode+14448>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x1007f3301
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555562c9b in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1172
1172 DEF_OP_LOAD(PUSH_I64((uint64)(*(uint16*)maddr)));
#0 0x0000555555562c9b in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1172
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
```
Valgrind
```
==20348== Memcheck, a memory error detector
==20348== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20348== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20348== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555562d2c/PoC.wasm
==20348==
==20348== Invalid read of size 8
==20348== at 0x116C9B: wasm_interp_call_func_bytecode (wasm_interp.c:1172)
==20348== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==20348== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==20348== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==20348== by 0x10BAD7: app_instance_main (main.c:54)
==20348== by 0x10C0EA: main (main.c:217)
==20348== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==20348==
==20348==
==20348== Process terminating with default action of signal 11 (SIGSEGV)
==20348== Access not within mapped region at address 0x18
==20348== at 0x116C9B: wasm_interp_call_func_bytecode (wasm_interp.c:1172)
==20348== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==20348== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==20348== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==20348== by 0x10BAD7: app_instance_main (main.c:54)
==20348== by 0x10C0EA: main (main.c:217)
==20348== If you believe this happened as a result of a stack
==20348== overflow in your program's main thread (unlikely but
==20348== possible), you can try to increase the size of the
==20348== main thread stack using the --main-stacksize= flag.
==20348== The main thread stack size used in this run was 8388608.
==20348==
==20348== HEAP SUMMARY:
==20348== in use at exit: 0 bytes in 0 blocks
==20348== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==20348==
==20348== All heap blocks were freed -- no leaks are possible
==20348==
==20348== For counts of detected and suppressed errors, rerun with: -v
==20348== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 20348 segmentation fault valgrind ./iwasm
```
It reports: "magic header not detected".
This was seen on a PowerPC target running iwasm. Suspect it is related to endianness.
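As an added illustration (example code written for this page, not WAMR's loader), the following C shows the two defensive checks that the `wasm_loader_prepare_bytecode` report and the PowerPC "magic header not detected" report above point at: a read cursor that bounds-checks every byte fetch, so that a truncated or missing function body cannot turn `opcode = *p++` into a null or out-of-range read, and a byte-wise comparison of the magic header that gives the same answer on big- and little-endian hosts. All names (`cursor_t`, `check_header`, `count_opcodes`) and the sample byte sequences are this example's own constructions, and it models only a handful of opcodes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WAMR code. A read cursor over an immutable byte buffer:
 * every fetch checks against `end` before dereferencing, so a truncated body
 * (or a NULL code pointer) yields a decode error instead of a SIGSEGV. */
typedef struct {
    const uint8_t *p;    /* next byte to read */
    const uint8_t *end;  /* one past the last readable byte */
} cursor_t;

static int cursor_init(cursor_t *c, const uint8_t *buf, size_t len) {
    if (buf == NULL && len != 0)   /* a length without a buffer is a caller bug */
        return 0;
    c->p = buf;
    c->end = (buf != NULL) ? buf + len : NULL;
    return 1;
}

/* Bounds-checked replacement for `opcode = *p++`. */
static int cursor_read_u8(cursor_t *c, uint8_t *out) {
    if (c->p == NULL || c->p >= c->end)
        return 0;
    *out = *c->p++;
    return 1;
}

/* Signed LEB128 (varint32) as used by i32.const, limited to 5 bytes. */
static int cursor_read_sleb32(cursor_t *c, int32_t *out) {
    uint32_t result = 0;
    unsigned shift = 0;
    uint8_t byte;
    do {
        if (shift >= 35 || !cursor_read_u8(c, &byte))
            return 0;                         /* over-long or truncated */
        result |= (uint32_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 32 && (byte & 0x40))          /* sign-extend a negative value */
        result |= ~(uint32_t)0 << shift;
    *out = (int32_t)result;
    return 1;
}

/* Module header checked byte-wise. A uint32 compare against 0x6d736100 only
 * matches on little-endian hosts; memcmp gives the same answer on big-endian
 * PowerPC. Returns 1 for magic "\0asm" followed by version 1. */
static int check_header(const uint8_t *buf, size_t len) {
    static const uint8_t MAGIC[4]   = { 0x00, 0x61, 0x73, 0x6d };
    static const uint8_t VERSION[4] = { 0x01, 0x00, 0x00, 0x00 };
    return buf != NULL && len >= 8
        && memcmp(buf, MAGIC, 4) == 0
        && memcmp(buf + 4, VERSION, 4) == 0;
}

/* Walks a function body through the cursor; returns the number of instructions
 * up to and including `end` (0x0b), or -1 if the body is truncated, missing,
 * or uses an opcode this demo does not model. */
static int count_opcodes(const uint8_t *body, size_t len) {
    cursor_t c;
    uint8_t opcode;
    int32_t imm;
    int count = 0;
    if (!cursor_init(&c, body, len))
        return -1;
    for (;;) {
        if (!cursor_read_u8(&c, &opcode))     /* buffer exhausted before `end` */
            return -1;
        count++;
        switch (opcode) {
        case 0x0b:                            /* end */
            return count;
        case 0x01: case 0x1a: case 0x6a:      /* nop, drop, i32.add: no immediates */
            break;
        case 0x41:                            /* i32.const <sleb32> */
            if (!cursor_read_sleb32(&c, &imm))
                return -1;
            break;
        default:
            return -1;
        }
    }
}

/* Constructed sample inputs (not taken from the PoC files on this page). */
static const uint8_t SAMPLE_HEADER[8]    = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_BAD_MAGIC[8] = { 0x00, 0x6d, 0x73, 0x61, 0x01, 0x00, 0x00, 0x00 };
/* (i32.const 42) (i32.const 1) i32.add drop end */
static const uint8_t SAMPLE_BODY[7]      = { 0x41, 0x2a, 0x41, 0x01, 0x6a, 0x1a, 0x0b };
/* the same body cut after the second i32.const opcode: its immediate is missing */
static const uint8_t SAMPLE_TRUNCATED[3] = { 0x41, 0x2a, 0x41 };

int main(void) {
    printf("header ok: %d, bad magic ok: %d\n",
           check_header(SAMPLE_HEADER, sizeof SAMPLE_HEADER),
           check_header(SAMPLE_BAD_MAGIC, sizeof SAMPLE_BAD_MAGIC));
    printf("body opcodes: %d, truncated: %d, null body: %d\n",
           count_opcodes(SAMPLE_BODY, sizeof SAMPLE_BODY),
           count_opcodes(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           count_opcodes(NULL, 0));
    return 0;
}
```

The cursor keeps the end pointer next to the read pointer, so the check is local to every fetch rather than relying on the caller having validated the section length earlier; a loader that validates function bodies this way reports the truncated body as a load error and never reaches the interpreter.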
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in __syscall3_wrapper (wasm_native.c:140)
Download: PoC.zip
Run:
```
./iwasm PoC.wasm
```
Crash
```
[1] 22055 segmentation fault ./iwasm
```
GDB
```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x5555557c2718 --> 0x1d68
RBX: 0x5555557c537c --> 0x2000000092
RCX: 0x555555782478 --> 0x0
RDX: 0xffffffff
RSI: 0x555555782478 --> 0x0
RDI: 0x5555557c2718 --> 0x1d68
RBP: 0x7fffffffcc20 --> 0x7fffffffcc50 --> 0x7fffffffccd0 --> 0x7fffffffcdd0 --> 0x7fffffffd6c0 --> 0x7fffffffd7b0 (--> ...)
RSP: 0x7fffffffcbc8 --> 0x55555555e00d (<__syscall3_wrapper+410>: mov rax,QWORD PTR [rbp-0x28])
RIP: 0x7ffff75b5cf4 (<__memmove_avx_unaligned_erms+548>: vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20])
R8 : 0x0
R9 : 0x7fffffffd1d0 --> 0x55555577f41c --> 0x7f027f02012e0b0b
R10: 0x0
R11: 0x5555557c4b28 --> 0x100000001
R12: 0x55555577f411 --> 0xb0041057f417f04
R13: 0x5555557c5368 --> 0x2000000001
R14: 0x5555557c4d94 --> 0x2a88ffffffff
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff75b5ce5 <__memmove_avx_unaligned_erms+533>: vmovdqu ymm5,YMMWORD PTR [rsi+0x20]
0x7ffff75b5cea <__memmove_avx_unaligned_erms+538>: vmovdqu ymm6,YMMWORD PTR [rsi+0x40]
0x7ffff75b5cef <__memmove_avx_unaligned_erms+543>: vmovdqu ymm7,YMMWORD PTR [rsi+0x60]
=> 0x7ffff75b5cf4 <__memmove_avx_unaligned_erms+548>: vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20]
0x7ffff75b5cfa <__memmove_avx_unaligned_erms+554>: lea r11,[rdi+rdx*1-0x20]
0x7ffff75b5cff <__memmove_avx_unaligned_erms+559>: lea rcx,[rsi+rdx*1-0x20]
0x7ffff75b5d04 <__memmove_avx_unaligned_erms+564>: mov r9,r11
0x7ffff75b5d07 <__memmove_avx_unaligned_erms+567>: mov r8,r11
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcbc8 --> 0x55555555e00d (<__syscall3_wrapper+410>: mov rax,QWORD PTR [rbp-0x28])
0008| 0x7fffffffcbd0 --> 0x2
0016| 0x7fffffffcbd8 --> 0x9200000001
0024| 0x7fffffffcbe0 --> 0x100000000
0032| 0x7fffffffcbe8 --> 0x0
0040| 0x7fffffffcbf0 --> 0x4000029800000002
0048| 0x7fffffffcbf8 --> 0x555555782480 --> 0xffffffff00000000
0056| 0x7fffffffcc00 --> 0x5555557822c8 --> 0x100000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
427 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
#1 0x000055555555e00d in __syscall3_wrapper (arg0=0x92, arg1=0x1, arg2=0x0, arg3=0x2) at XYZ/wasm-micro-runtime/core/iwasm/runtime/platform/linux/wasm_native.c:140
#2 0x000055555555e453 in ___syscall146_wrapper (_id=0x92, args_off=0x20) at XYZ/wasm-micro-runtime/core/iwasm/runtime/platform/linux/wasm_native.c:234
#3 0x0000555555576613 in invokeNative (argv=0x7fffffffcd40, argc=0x2, native_code=0x55555555e3d8 <___syscall146_wrapper>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/invokeNative_general.c:30
#4 0x000055555555f264 in wasm_interp_call_func_native (self=0x5555557823c8 <global_heap_buf+13608>, cur_func=0x555555781338 <global_heap_buf+9368>, prev_frame=0x5555557c5320 <global_heap_buf+287872>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:665
#5 0x0000555555567e83 in wasm_interp_call_func_bytecode (self=0x5555557823c8 <global_heap_buf+13608>, cur_func=0x555555781338 <global_heap_buf+9368>, prev_frame=0x5555557c5320 <global_heap_buf+287872>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2032
#6 0x00005555555686fd in wasm_interp_call_wasm (function=0x5555557813c8 <global_heap_buf+9512>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#7 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x5555557822c8 <global_heap_buf+13352>, exec_env=0x0, function=0x5555557813c8 <global_heap_buf+9512>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#8 0x0000555555558842 in wasm_application_execute_main (module_inst=0x5555557822c8 <global_heap_buf+13352>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#9 0x0000555555557ad8 in app_instance_main (module_inst=0x5555557822c8 <global_heap_buf+13352>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#10 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#11 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#12 0x000055555555798a in _start ()
```
Valgrind
```
==22053== Memcheck, a memory error detector
==22053== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22053== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==22053== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x7ffff75b5cf4/PoC.wasm
==22053==
==22053== Invalid read of size 1
==22053== at 0x4C3686D: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22053== by 0x11200C: __syscall3_wrapper (wasm_native.c:140)
==22053== by 0x112452: ___syscall146_wrapper (wasm_native.c:234)
==22053== by 0x12A612: invokeNative (invokeNative_general.c:30)
==22053== by 0x113263: wasm_interp_call_func_native (wasm_interp.c:665)
==22053== by 0x11BE82: wasm_interp_call_func_bytecode (wasm_interp.c:2032)
==22053== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==22053== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==22053== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==22053== by 0x10BAD7: app_instance_main (main.c:54)
==22053== by 0x10C0EA: main (main.c:217)
==22053== Address 0x100336476 is not stack'd, malloc'd or (recently) free'd
==22053==
==22053==
==22053== Process terminating with default action of signal 11 (SIGSEGV)
==22053== Access not within mapped region at address 0x100336476
==22053== at 0x4C3686D: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22053== by 0x11200C: __syscall3_wrapper (wasm_native.c:140)
==22053== by 0x112452: ___syscall146_wrapper (wasm_native.c:234)
==22053== by 0x12A612: invokeNative (invokeNative_general.c:30)
==22053== by 0x113263: wasm_interp_call_func_native (wasm_interp.c:665)
==22053== by 0x11BE82: wasm_interp_call_func_bytecode (wasm_interp.c:2032)
==22053== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==22053== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==22053== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==22053== by 0x10BAD7: app_instance_main (main.c:54)
==22053== by 0x10C0EA: main (main.c:217)
==22053== If you believe this happened as a result of a stack
==22053== overflow in your program's main thread (unlikely but
==22053== possible), you can try to increase the size of the
==22053== main thread stack using the --main-stacksize= flag.
==22053== The main thread stack size used in this run was 8388608.
```
==22053==
==22053== HEAP SUMMARY:
==22053== in use at exit: 0 bytes in 0 blocks
==22053== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==22053==
==22053== All heap blocks were freed -- no leaks are possible
==22053==
==22053== For counts of detected and suppressed errors, rerun with: -v
==22053== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 22053 segmentation fault valgrind ./iwasm
There's only Zephyr and Linux support. Someone else already asked about macOS, so here's a Windows one.
So yeah, are there any plans for supporting Windows? And how much of the C++ standard library, if any at all, does this already support?
WASI is still a work in progress and it doesn't support C++ yet, but hopefully both projects will do so at some point and work together if possible.
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_loader_find_block_addr (wasm_loader.c:1561)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode 18.
[DD582740]: WASM loader find block addr failed: invalid opcode f8.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode 18.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode d1.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode d7.
[DD582740]: WASM loader find block addr failed: invalid opcode cd.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode d0.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode 0a.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode f3.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode e0.
[DD582740]: WASM loader find block addr failed: invalid opcode e0.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode 1e.
[1] 17578 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[F7FCC740]: WASM loader find block addr failed: invalid opcode fe.
[F7FCC740]: WASM loader find block addr failed: invalid opcode fe.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 18.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f8.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 18.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d7.
[F7FCC740]: WASM loader find block addr failed: invalid opcode dd.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 0a.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 08.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode e0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode ee.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 08.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 1e.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 09.
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x555555820000
RBX: 0x0
RCX: 0x26 ('&')
RDX: 0x555555820001
RSI: 0x55555588714a
RDI: 0x5555557ff66b --> 0x0
RBP: 0x7fffffffd630 --> 0x7fffffffd770 --> 0x7fffffffd7e0 --> 0x7fffffffd840 --> 0x7fffffffd880 --> 0x7fffffffd8b0 (--> ...)
RSP: 0x7fffffffd410 --> 0x555555557960 (<_start>: xor ebp,ebp)
RIP: 0x55555556d5f1 (<wasm_loader_find_block_addr+448>: movzx eax,BYTE PTR [rax])
R8 : 0x0
R9 : 0x7fffffffd478 --> 0x0
R10: 0x2
R11: 0x246
R12: 0x555555557960 (<_start>: xor ebp,ebp)
R13: 0x7fffffffda80 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x55555556d5df <wasm_loader_find_block_addr+430>: mov rax,QWORD PTR [rbp-0x1b0]
0x55555556d5e6 <wasm_loader_find_block_addr+437>: lea rdx,[rax+0x1]
0x55555556d5ea <wasm_loader_find_block_addr+441>: mov QWORD PTR [rbp-0x1b0],rdx
=> 0x55555556d5f1 <wasm_loader_find_block_addr+448>: movzx eax,BYTE PTR [rax]
0x55555556d5f4 <wasm_loader_find_block_addr+451>: mov BYTE PTR [rbp-0x1da],al
0x55555556d5fa <wasm_loader_find_block_addr+457>: movzx eax,BYTE PTR [rbp-0x1da]
0x55555556d601 <wasm_loader_find_block_addr+464>: cmp eax,0xc3
0x55555556d606 <wasm_loader_find_block_addr+469>: ja 0x55555556dfed <wasm_loader_find_block_addr+3004>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd410 --> 0x555555557960 (<_start>: xor ebp,ebp)
0008| 0x7fffffffd418 --> 0x7fffffffd910 --> 0x7ffff7ffa268 (add BYTE PTR ss:[rax],al)
0016| 0x7fffffffd420 --> 0x555555780eb0 --> 0x0
0024| 0x7fffffffd428 --> 0x555555780ea8 --> 0x0
0032| 0x7fffffffd430 --> 0x7f03ffffd540
0040| 0x7fffffffd438 --> 0x55555588714a
0048| 0x7fffffffd440 --> 0x55555577f157 --> 0xbed6dc022afe0041
0056| 0x7fffffffd448 --> 0x55555577f168 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556d5f1 in wasm_loader_find_block_addr (module=0x55555577f168 <global_heap_buf+712>, start_addr=0x55555577f157 <global_heap_buf+695> "A", code_end_addr=0x55555588714a <error: Cannot access memory at address 0x55555588714a>, block_type=0x3, p_else_addr=0x555555780ea8 <global_heap_buf+8200>, p_end_addr=0x555555780eb0 <global_heap_buf+8208>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1561
1561 opcode = *p++;
#0 0x000055555556d5f1 in wasm_loader_find_block_addr (module=0x55555577f168 <global_heap_buf+712>, start_addr=0x55555577f157 <global_heap_buf+695> "A", code_end_addr=0x55555588714a <error: Cannot access memory at address 0x55555588714a>, block_type=0x3, p_else_addr=0x555555780ea8 <global_heap_buf+8200>, p_end_addr=0x555555780eb0 <global_heap_buf+8208>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1561
#1 0x000055555556f485 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e28 <global_heap_buf+8072>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2374
#2 0x000055555556cba6 in load_from_sections (module=0x55555577f168 <global_heap_buf+712>, sections=0x555555780d58 <global_heap_buf+7864>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1189
#3 0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, module=0x55555577f168 <global_heap_buf+712>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#4 0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#5 0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#6 0x000055555555802d in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#7 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#8 0x000055555555798a in _start ()
Valgrind
==17576== Memcheck, a memory error detector
==17576== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==17576== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==17576== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556d68e/PoC.wasm
==17576==
[404FB80]: WASM loader find block addr failed: invalid opcode fe.
[404FB80]: WASM loader find block addr failed: invalid opcode fe.
[404FB80]: WASM loader find block addr failed: invalid opcode 18.
[404FB80]: WASM loader find block addr failed: invalid opcode f8.
[404FB80]: WASM loader find block addr failed: invalid opcode 18.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode d1.
[404FB80]: WASM loader find block addr failed: invalid opcode c7.
[404FB80]: WASM loader find block addr failed: invalid opcode d7.
[404FB80]: WASM loader find block addr failed: invalid opcode 1d.
[404FB80]: WASM loader find block addr failed: invalid opcode d0.
[404FB80]: WASM loader find block addr failed: invalid opcode 0a.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode f3.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode e0.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode 1e.
==17576== Invalid read of size 1
==17576== at 0x1215F1: wasm_loader_find_block_addr (wasm_loader.c:1561)
==17576== by 0x123484: wasm_loader_prepare_bytecode (wasm_loader.c:2374)
==17576== by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==17576== by 0x121009: load (wasm_loader.c:1388)
==17576== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==17576== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==17576== by 0x10C02C: main (main.c:196)
==17576== Address 0x3b3000 is not stack'd, malloc'd or (recently) free'd
==17576==
==17576==
==17576== Process terminating with default action of signal 11 (SIGSEGV)
==17576== Access not within mapped region at address 0x3B3000
==17576== at 0x1215F1: wasm_loader_find_block_addr (wasm_loader.c:1561)
==17576== by 0x123484: wasm_loader_prepare_bytecode (wasm_loader.c:2374)
==17576== by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==17576== by 0x121009: load (wasm_loader.c:1388)
==17576== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==17576== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==17576== by 0x10C02C: main (main.c:196)
==17576== If you believe this happened as a result of a stack
==17576== overflow in your program's main thread (unlikely but
==17576== possible), you can try to increase the size of the
==17576== main thread stack using the --main-stacksize= flag.
==17576== The main thread stack size used in this run was 8388608.
==17576==
==17576== HEAP SUMMARY:
==17576== in use at exit: 0 bytes in 0 blocks
==17576== total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated
==17576==
==17576== All heap blocks were freed -- no leaks are possible
==17576==
==17576== For counts of detected and suppressed errors, rerun with: -v
==17576== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 17576 segmentation fault valgrind ./iwasm
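The backtrace above faults at `opcode = *p++` (wasm_loader.c:1561) with a `code_end_addr` that lies far outside the 0x27-byte module buffer shown in frame #3, so the block scan walked off the end of the function body. As an added example, not WAMR's code, here is a bounds-checked block-end scan in which every byte read is guarded by the code-end limit; the opcode subset, helper names and sample bodies are constructed for this example.

```c
/* Added example, not WAMR's code: a bounds-checked scan for the `end` that
 * closes a block, the job wasm_loader_find_block_addr does. Every byte read is
 * guarded by the code-end limit, so a truncated or malformed function body
 * yields an error instead of a read past the buffer. The opcode subset,
 * helper names and sample bodies are constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum {
    OP_NOP = 0x01, OP_BLOCK = 0x02, OP_LOOP = 0x03, OP_IF = 0x04,
    OP_ELSE = 0x05, OP_END = 0x0b, OP_BR = 0x0c, OP_BR_IF = 0x0d,
    OP_CALL = 0x10, OP_DROP = 0x1a, OP_LOCAL_GET = 0x20,
    OP_I32_CONST = 0x41, OP_I32_ADD = 0x6a
};

/* Read one byte, refusing to step past `end`. */
static bool read_u8(const uint8_t **p, const uint8_t *end, uint8_t *out)
{
    if (*p >= end) return false;
    *out = *(*p)++;
    return true;
}

/* Skip a 32-bit LEB128 immediate: at most 5 bytes, each read guarded. */
static bool skip_leb32(const uint8_t **p, const uint8_t *end)
{
    for (int i = 0; i < 5; i++) {
        uint8_t b;
        if (!read_u8(p, end, &b)) return false;
        if ((b & 0x80) == 0) return true;
    }
    return false; /* continuation bit still set after 5 bytes: malformed */
}

#define FAIL(msg) do { *err = (msg); return false; } while (0)

/* Scan from `start` (first byte after a block's blocktype) to its matching
 * `end`. Sets *else_addr (NULL if absent) and *end_addr on success. */
bool find_block_end(const uint8_t *start, const uint8_t *code_end,
                    const uint8_t **else_addr, const uint8_t **end_addr,
                    const char **err)
{
    const uint8_t *p = start;
    int depth = 1;
    *else_addr = *end_addr = NULL;
    while (depth > 0) {
        uint8_t opcode, blocktype;
        if (!read_u8(&p, code_end, &opcode)) FAIL("unexpected end of function body");
        switch (opcode) {
        case OP_BLOCK: case OP_LOOP: case OP_IF:
            if (!read_u8(&p, code_end, &blocktype)) FAIL("truncated blocktype");
            depth++;
            break;
        case OP_ELSE:
            if (depth == 1) *else_addr = p - 1;
            break;
        case OP_END:
            if (--depth == 0) *end_addr = p - 1;
            break;
        case OP_BR: case OP_BR_IF: case OP_CALL: case OP_LOCAL_GET: case OP_I32_CONST:
            if (!skip_leb32(&p, code_end)) FAIL("truncated immediate");
            break;
        case OP_NOP: case OP_DROP: case OP_I32_ADD:
            break;
        default:
            FAIL("invalid opcode");
        }
    }
    return true;
}

/* Constructed sample bodies: the bytes that follow a block's blocktype. */
const uint8_t SAMPLE_IF[] = {0x41, 0x02, 0x1a, 0x05, 0x01, 0x0b};             /* i32.const 2; drop; else; nop; end */
const uint8_t SAMPLE_NESTED[] = {0x02, 0x40, 0x41, 0x01, 0x1a, 0x0b, 0x0b};   /* block; i32.const 1; drop; end; end */
const uint8_t SAMPLE_TRUNCATED[] = {0x41, 0x02, 0x1a};                        /* stops before `end` */
const uint8_t SAMPLE_BAD_OP[] = {0xfe, 0x0b};                                 /* unknown opcode, as in the report */
const uint8_t SAMPLE_LONG_LEB[] = {0x41, 0x80, 0x80, 0x80, 0x80, 0x80, 0x0b}; /* 6-byte LEB128 */

/* Byte offsets of `end` and `else` (-1 when absent or on error); true only on success. */
bool scan_offsets(const uint8_t *body, size_t len, long *else_off, long *end_off)
{
    const uint8_t *els, *end;
    const char *err = NULL;
    *else_off = *end_off = -1;
    if (!find_block_end(body, body + len, &els, &end, &err)) {
        printf("scan failed: %s\n", err);
        return false;
    }
    *end_off = (long)(end - body);
    if (els) *else_off = (long)(els - body);
    return true;
}

int main(void)
{
    long e, n;
    if (scan_offsets(SAMPLE_IF, sizeof SAMPLE_IF, &e, &n))
        printf("if body: else at %ld, end at %ld\n", e, n);
    scan_offsets(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &e, &n);
    scan_offsets(SAMPLE_BAD_OP, sizeof SAMPLE_BAD_OP, &e, &n);
    return 0;
}
```

The guard is only as good as the limit it is given: the function-body length read from the code section has to be clamped to the module buffer before it becomes `code_end`, which is the other half of a fix for the report above.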
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1144)
case: WASM_OP_I32_LOAD8_S
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[CE249740]: WASM loader find block addr failed: invalid opcode c1.
[1] 30370 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[F7FCC740]: WASM loader find block addr failed: invalid opcode c1.
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x555555781104 --> 0x7f0300000002
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x30b95623
RIP: 0x555555561d51 (<wasm_interp_call_func_bytecode+10514>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x3
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b
R10: 0x2
R11: 0x246
R12: 0x55555577f165 --> 0xd8bc85e44100c1
R13: 0x5555557810fc --> 0x100000000
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555561d3f <wasm_interp_call_func_bytecode+10496>: jbe 0x555555561dcd <wasm_interp_call_func_bytecode+10638>
0x555555561d45 <wasm_interp_call_func_bytecode+10502>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555561d4a <wasm_interp_call_func_bytecode+10507>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555561d51 <wasm_interp_call_func_bytecode+10514>: mov rdx,QWORD PTR [rax+0x18]
0x555555561d55 <wasm_interp_call_func_bytecode+10518>: mov ecx,DWORD PTR [rbp-0x5a4]
0x555555561d5b <wasm_interp_call_func_bytecode+10524>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555561d62 <wasm_interp_call_func_bytecode+10531>: mov eax,DWORD PTR [rax+0x30]
0x555555561d65 <wasm_interp_call_func_bytecode+10534>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x30b95623
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc55555577503
0040| 0x7fffffffce08 --> 0x1407f2c68
0048| 0x7fffffffce10 --> 0x7ffff780e760 --> 0x0
0056| 0x7fffffffce18 --> 0xd000000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555561d51 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1144
1144 DEF_OP_LOAD(PUSH_I32(sign_ext_8_32(*(int8*)maddr)));
#0 0x0000555555561d51 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1144
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==30353== Memcheck, a memory error detector
==30353== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30353== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30353== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561de2/PoC.wasm
==30353==
[404FB80]: WASM loader find block addr failed: invalid opcode c1.
==30353== Invalid read of size 8
==30353== at 0x115D51: wasm_interp_call_func_bytecode (wasm_interp.c:1144)
==30353== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==30353== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==30353== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==30353== by 0x10BAD7: app_instance_main (main.c:54)
==30353== by 0x10C0EA: main (main.c:217)
==30353== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==30353==
==30353==
==30353== Process terminating with default action of signal 11 (SIGSEGV)
==30353== Access not within mapped region at address 0x18
==30353== at 0x115D51: wasm_interp_call_func_bytecode (wasm_interp.c:1144)
==30353== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==30353== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==30353== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==30353== by 0x10BAD7: app_instance_main (main.c:54)
==30353== by 0x10C0EA: main (main.c:217)
==30353== If you believe this happened as a result of a stack
==30353== overflow in your program's main thread (unlikely but
==30353== possible), you can try to increase the size of the
==30353== main thread stack using the --main-stacksize= flag.
==30353== The main thread stack size used in this run was 8388608.
==30353==
==30353== HEAP SUMMARY:
==30353== in use at exit: 0 bytes in 0 blocks
==30353== total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated
==30353==
==30353== All heap blocks were freed -- no leaks are possible
==30353==
==30353== For counts of detected and suppressed errors, rerun with: -v
==30353== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 30353 segmentation fault valgrind ./iwasm
WASM does not support irreducible CFG, which may be produced in the basic block representation for some languages/compilers. AFAIK, irreducible CFG must be removed using the relooper algorithm (or similar) before WASM is generated. According to some sources [1] it seems that this was a design decision motivated by JS JIT engines (V8, etc.). WASM is a cool idea but it looks like a refurbished syntactic variant of ASM-JS rather than the promised universal binary format. I wonder if there is any hope that projects like yours can push WASM design further or support alternative proposals like Microwasm [1] (which IMHO looks better from a compiler designer perspective).
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1214)
case: WASM_OP_F64_STORE
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 9250 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810d8 --> 0x5555 ('UU')
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x5555555639da (<wasm_interp_call_func_bytecode+17819>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x1
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f161 --> 0xe44100c141034102
R13: 0x5555557810fc --> 0x7f03
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555639c8 <wasm_interp_call_func_bytecode+17801>: jbe 0x555555563a56 <wasm_interp_call_func_bytecode+17943>
0x5555555639ce <wasm_interp_call_func_bytecode+17807>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x5555555639d3 <wasm_interp_call_func_bytecode+17812>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555639da <wasm_interp_call_func_bytecode+17819>: mov rdx,QWORD PTR [rax+0x18]
0x5555555639de <wasm_interp_call_func_bytecode+17823>: mov ecx,DWORD PTR [rbp-0x678]
0x5555555639e4 <wasm_interp_call_func_bytecode+17829>: mov rax,QWORD PTR [rbp-0x4e8]
0x5555555639eb <wasm_interp_call_func_bytecode+17836>: mov eax,DWORD PTR [rax+0x30]
0x5555555639ee <wasm_interp_call_func_bytecode+17839>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x1007f3901
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555639da in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1214
1214 CHECK_MEMORY_OVERFLOW();
#0 0x00005555555639da in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1214
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==9227== Memcheck, a memory error detector
==9227== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9227== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9227== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555563a6b/PoC.wasm
==9227==
==9227== Invalid read of size 8
==9227== at 0x1179DA: wasm_interp_call_func_bytecode (wasm_interp.c:1214)
==9227== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==9227== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==9227== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==9227== by 0x10BAD7: app_instance_main (main.c:54)
==9227== by 0x10C0EA: main (main.c:217)
==9227== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==9227==
==9227==
==9227== Process terminating with default action of signal 11 (SIGSEGV)
==9227== Access not within mapped region at address 0x18
==9227== at 0x1179DA: wasm_interp_call_func_bytecode (wasm_interp.c:1214)
==9227== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==9227== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==9227== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==9227== by 0x10BAD7: app_instance_main (main.c:54)
==9227== by 0x10C0EA: main (main.c:217)
==9227== If you believe this happened as a result of a stack
==9227== overflow in your program's main thread (unlikely but
==9227== possible), you can try to increase the size of the
==9227== main thread stack using the --main-stacksize= flag.
==9227== The main thread stack size used in this run was 8388608.
==9227==
==9227== HEAP SUMMARY:
==9227== in use at exit: 0 bytes in 0 blocks
==9227== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==9227==
==9227== All heap blocks were freed -- no leaks are possible
==9227==
==9227== For counts of detected and suppressed errors, rerun with: -v
==9227== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 9227 segmentation fault valgrind ./iwasm
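The two interpreter reports above (wasm_interp.c:1144 for i32.load8_s and wasm_interp.c:1214 for f64.store) both fault with RAX = 0 on `mov rdx,QWORD PTR [rax+0x18]`, a read through a null pointer made while the load/store address was being checked. As an added example, not WAMR's code, here is a load/store access check that refuses to proceed when the instance has no linear memory and computes the effective address in 64 bits so that `addr + offset` cannot wrap; the struct and function names are constructed for this example.

```c
/* Added example, not WAMR's code: a memory-access check for interpreter
 * load/store opcodes. It traps when the instance has no linear memory
 * (instead of dereferencing a null pointer, as in the reports above) and
 * checks the whole accessed range with 64-bit arithmetic so that
 * `addr + offset` cannot wrap around. Names are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *base;   /* start of linear memory */
    uint64_t size;   /* bytes currently allocated */
} LinearMemory;

typedef struct {
    LinearMemory *memory;   /* NULL when the module declares no memory */
} ModuleInstance;

typedef enum { ACCESS_OK = 0, ACCESS_NO_MEMORY, ACCESS_OUT_OF_BOUNDS } AccessStatus;

/* Resolve a memarg access of `size` bytes. Returns the host pointer through
 * *out only when the whole range [ea, ea + size) lies inside linear memory. */
AccessStatus resolve_access(const ModuleInstance *inst, uint32_t addr,
                            uint32_t offset, uint32_t size, uint8_t **out)
{
    if (inst->memory == NULL || inst->memory->base == NULL)
        return ACCESS_NO_MEMORY;             /* the null dereference in the reports */
    uint64_t ea = (uint64_t)addr + offset;   /* 64-bit sum: no 32-bit wraparound */
    if (ea + size > inst->memory->size)      /* ea + size < 2^34, cannot overflow */
        return ACCESS_OUT_OF_BOUNDS;
    *out = inst->memory->base + ea;
    return ACCESS_OK;
}

/* i32.load8_s: read one byte and sign-extend it into an int32. */
AccessStatus exec_i32_load8_s(const ModuleInstance *inst, uint32_t addr,
                              uint32_t offset, int32_t *result)
{
    uint8_t *p;
    AccessStatus st = resolve_access(inst, addr, offset, 1, &p);
    if (st == ACCESS_OK)
        *result = (int32_t)(int8_t)*p;
    return st;
}

/* f64.store: write an 8-byte double; memcpy tolerates unaligned addresses. */
AccessStatus exec_f64_store(ModuleInstance *inst, uint32_t addr,
                            uint32_t offset, double value)
{
    uint8_t *p;
    AccessStatus st = resolve_access(inst, addr, offset, 8, &p);
    if (st == ACCESS_OK)
        memcpy(p, &value, sizeof value);
    return st;
}

/* Build a constructed instance; size 0 models a module with no memory. */
ModuleInstance *make_instance(uint64_t size)
{
    ModuleInstance *inst = calloc(1, sizeof *inst);
    if (!inst) abort();
    if (size == 0) return inst;               /* inst->memory stays NULL */
    inst->memory = calloc(1, sizeof *inst->memory);
    if (!inst->memory) abort();
    inst->memory->base = calloc(size, 1);
    if (!inst->memory->base) abort();
    inst->memory->size = size;
    return inst;
}

int main(void)
{
    ModuleInstance *none = make_instance(0), *inst = make_instance(16);
    int32_t v = 0;
    AccessStatus st;
    printf("no memory: status %d\n", exec_i32_load8_s(none, 0, 0, &v));          /* 1 */
    inst->memory->base[15] = 0x80;
    st = exec_i32_load8_s(inst, 15, 0, &v);
    printf("load8_s at 15: status %d value %d\n", st, v);                          /* 0, -128 */
    printf("load8_s at 16: status %d\n", exec_i32_load8_s(inst, 16, 0, &v));      /* 2 */
    printf("addr 0xffffffff + offset 1: status %d\n",
           exec_i32_load8_s(inst, 0xffffffffu, 1, &v));                           /* 2 */
    printf("f64.store at 8: %d, at 9: %d\n", exec_f64_store(inst, 8, 0, 1.5),
           exec_f64_store(inst, 9, 0, 1.5));                                      /* 0, 2 */
    return 0;
}
```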
| Questions | Answers |
|---|---|
| Related Binary | ./iwasm (linux build) |
| Commit | commit 9a02c49 |
Heap out of bounds read in wasm_runtime_get_func_code_end (wasm_runtime.h:221)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 31428 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x000055555555e9ac in wasm_runtime_get_func_code_end (func=0x50000000000000) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.h:221
221 return func->is_import_func
#0 0x000055555555e9ac in wasm_runtime_get_func_code_end (func=0x50000000000000) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.h:221
#1 0x000055555556829d in wasm_interp_call_func_bytecode (self=0x5555557813d8 <global_heap_buf+9528>, cur_func=0x50000000000000, prev_frame=0x555555783490 <global_heap_buf+17904>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2094
#2 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780f30 <global_heap_buf+8336>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#3 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x5555557812d8 <global_heap_buf+9272>, exec_env=0x0, function=0x555555780f30 <global_heap_buf+8336>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#4 0x000055555555a946 in execute_post_inst_function (module_inst=0x5555557812d8 <global_heap_buf+9272>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:707
#5 0x000055555555b554 in wasm_runtime_instantiate (module=0x55555577f228 <global_heap_buf+904>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:950
#6 0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#7 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#8 0x000055555555798a in _start ()
Valgrind
==31417== Memcheck, a memory error detector
==31417== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31417== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==31417== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555555ea3d/PoC.wasm
==31417==
==31417== Invalid read of size 1
==31417== at 0x1129AC: wasm_runtime_get_func_code_end (wasm_runtime.h:221)
==31417== by 0x11C29C: wasm_interp_call_func_bytecode (wasm_interp.c:2094)
==31417== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==31417== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==31417== by 0x10E945: execute_post_inst_function (wasm_runtime.c:707)
==31417== by 0x10F553: wasm_runtime_instantiate (wasm_runtime.c:950)
==31417== by 0x10C07A: main (main.c:203)
==31417== Address 0x50000000000001 is not stack'd, malloc'd or (recently) free'd
==31417==
==31417==
==31417== Process terminating with default action of signal 11 (SIGSEGV)
==31417== General Protection Fault
==31417== at 0x1129AC: wasm_runtime_get_func_code_end (wasm_runtime.h:221)
==31417== by 0x11C29C: wasm_interp_call_func_bytecode (wasm_interp.c:2094)
==31417== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==31417== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==31417== by 0x10E945: execute_post_inst_function (wasm_runtime.c:707)
==31417== by 0x10F553: wasm_runtime_instantiate (wasm_runtime.c:950)
==31417== by 0x10C07A: main (main.c:203)
==31417==
==31417== HEAP SUMMARY:
==31417== in use at exit: 0 bytes in 0 blocks
==31417== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==31417==
==31417== All heap blocks were freed -- no leaks are possible
==31417==
==31417== For counts of detected and suppressed errors, rerun with: -v
==31417== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 31417 segmentation fault valgrind ./iwasm
I put together a simple Dockerfile so that I can easily develop on my macOS machine, found here: https://github.com/beriberikix/wamr-docker
Is there any interest in including it? I added the test.c from the README since it isn't in the main repo, but can easily remove it before merging.
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1148)
case: WASM_OP_I32_LOAD8_U
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 15091 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x0000555555561f7b in wasm_interp_call_func_bytecode (self=0x5555557810e8 <global_heap_buf+8776>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781194 <global_heap_buf+8948>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1148
1148 DEF_OP_LOAD(PUSH_I32((uint32)(*(uint8*)maddr)));
#0 0x0000555555561f7b in wasm_interp_call_func_bytecode (self=0x5555557810e8 <global_heap_buf+8776>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781194 <global_heap_buf+8948>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1148
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780dc0 <global_heap_buf+7968>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780fe8 <global_heap_buf+8520>, exec_env=0x0, function=0x555555780dc0 <global_heap_buf+7968>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x000055555555a9d5 in execute_start_function (module_inst=0x555555780fe8 <global_heap_buf+8520>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:721
#4 0x000055555555b596 in wasm_runtime_instantiate (module=0x55555577f1a0 <global_heap_buf+768>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:958
#5 0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==15088== Memcheck, a memory error detector
==15088== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15088== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==15088== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556200c/PoC.wasm
==15088==
==15088== Invalid read of size 8
==15088== at 0x115F7B: wasm_interp_call_func_bytecode (wasm_interp.c:1148)
==15088== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==15088== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==15088== by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==15088== by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==15088== by 0x10C07A: main (main.c:203)
==15088== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==15088==
==15088==
==15088== Process terminating with default action of signal 11 (SIGSEGV)
==15088== Access not within mapped region at address 0x18
==15088== at 0x115F7B: wasm_interp_call_func_bytecode (wasm_interp.c:1148)
==15088== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==15088== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==15088== by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==15088== by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==15088== by 0x10C07A: main (main.c:203)
==15088== If you believe this happened as a result of a stack
==15088== overflow in your program's main thread (unlikely but
==15088== possible), you can try to increase the size of the
==15088== main thread stack using the --main-stacksize= flag.
==15088== The main thread stack size used in this run was 8388608.
==15088==
==15088== HEAP SUMMARY:
==15088== in use at exit: 0 bytes in 0 blocks
==15088== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==15088==
==15088== All heap blocks were freed -- no leaks are possible
==15088==
==15088== For counts of detected and suppressed errors, rerun with: -v
==15088== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 15088 segmentation fault valgrind ./iwasm
emscripten is basically llvm + a runtime lib for the browser
if this project already provides the runtime then there is no need for emscripten in the toolchain
furthermore, the latest llvm already provides some improvements in this regard
I was able to do this some time ago (compile a minimal .wasm program with only llvm) but it was a very tricky endeavour, so if other developers want to achieve the same thing they would have to walk through stones to accomplish it
so, a working example and pipeline for compiling without emscripten would be a nice addition to this repository
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Assertion failed in wasm_interp_call_func_bytecode (wasm_interp.c:849)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
iwasm: XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:849: wasm_interp_call_func_bytecode: Assertion `frame_csp - depth + 1 >= frame->csp_bottom' failed.
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Null pointer dereference in wasm_interp_call_func_bytecode (wasm_interp.c:843)
case: WASM_OP_BR
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 3230 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x000055555555fdc4 in wasm_interp_call_func_bytecode (self=0x5555557810b0 <global_heap_buf+8720>, cur_func=0x555555780db0 <global_heap_buf+7952>, prev_frame=0x555555793170 <global_heap_buf+82640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:843
843 HANDLE_OP_END ();
#0 0x000055555555fdc4 in wasm_interp_call_func_bytecode (self=0x5555557810b0 <global_heap_buf+8720>, cur_func=0x555555780db0 <global_heap_buf+7952>, prev_frame=0x555555793170 <global_heap_buf+82640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:843
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780db0 <global_heap_buf+7952>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780fb0 <global_heap_buf+8464>, exec_env=0x0, function=0x555555780db0 <global_heap_buf+7952>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780fb0 <global_heap_buf+8464>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780fb0 <global_heap_buf+8464>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds write in load_function_section (wasm_loader.c:701)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 27515 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x000055555556b346 in load_function_section (buf=0x55555577f155 <global_heap_buf+693> "\002", buf_end=0x55555577f158 <global_heap_buf+696> "\a3\002\026f32.no_reassociate_add", buf_code=0x55555577f18f <global_heap_buf+751> "\002\t", buf_code_end=0x55555577f1ac <global_heap_buf+780> "\270\030", module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:701
701 func->local_types[local_type_index++] = type;
#0 0x000055555556b346 in load_function_section (buf=0x55555577f155 <global_heap_buf+693> "\002", buf_end=0x55555577f158 <global_heap_buf+696> "\a3\002\026f32.no_reassociate_add", buf_code=0x55555577f18f <global_heap_buf+751> "\002\t", buf_code_end=0x55555577f1ac <global_heap_buf+780> "\270\030", module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:701
#1 0x000055555556c96a in load_from_sections (module=0x55555577f1b0 <global_heap_buf+784>, sections=0x555555780da0 <global_heap_buf+7936>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1143
#2 0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#3 0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#4 0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#5 0x000055555555802d in main (argc=0x1, argv=0x7fffffffda80) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda68) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==27508== Memcheck, a memory error detector
==27508== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27508== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==27508== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556b3d7/PoC.wasm
==27508==
==27508== Invalid write of size 1
==27508== at 0x11F346: load_function_section (wasm_loader.c:701)
==27508== by 0x120969: load_from_sections (wasm_loader.c:1143)
==27508== by 0x121009: load (wasm_loader.c:1388)
==27508== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==27508== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==27508== by 0x10C02C: main (main.c:196)
==27508== Address 0x3b3000 is not stack'd, malloc'd or (recently) free'd
==27508==
==27508==
==27508== Process terminating with default action of signal 11 (SIGSEGV)
==27508== Access not within mapped region at address 0x3B3000
==27508== at 0x11F346: load_function_section (wasm_loader.c:701)
==27508== by 0x120969: load_from_sections (wasm_loader.c:1143)
==27508== by 0x121009: load (wasm_loader.c:1388)
==27508== by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==27508== by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==27508== by 0x10C02C: main (main.c:196)
==27508== If you believe this happened as a result of a stack
==27508== overflow in your program's main thread (unlikely but
==27508== possible), you can try to increase the size of the
==27508== main thread stack using the --main-stacksize= flag.
==27508== The main thread stack size used in this run was 8388608.
==27508==
==27508== HEAP SUMMARY:
==27508== in use at exit: 0 bytes in 0 blocks
==27508== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==27508==
==27508== All heap blocks were freed -- no leaks are possible
==27508==
==27508== For counts of detected and suppressed errors, rerun with: -v
==27508== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 27508 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1246)
case: WASM_OP_MEMORY_SIZE
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 18462 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x00005555555645be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1246
1246 PUSH_I32(memory->cur_page_count);
#0 0x00005555555645be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1246
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==18459== Memcheck, a memory error detector
==18459== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==18459== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==18459== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556464f/PoC.wasm
==18459==
==18459== Invalid read of size 4
==18459== at 0x1185BE: wasm_interp_call_func_bytecode (wasm_interp.c:1246)
==18459== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==18459== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==18459== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==18459== by 0x10BAD7: app_instance_main (main.c:54)
==18459== by 0x10C0EA: main (main.c:217)
==18459== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18459==
==18459==
==18459== Process terminating with default action of signal 11 (SIGSEGV)
==18459== Access not within mapped region at address 0x0
==18459== at 0x1185BE: wasm_interp_call_func_bytecode (wasm_interp.c:1246)
==18459== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==18459== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==18459== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==18459== by 0x10BAD7: app_instance_main (main.c:54)
==18459== by 0x10C0EA: main (main.c:217)
==18459== If you believe this happened as a result of a stack
==18459== overflow in your program's main thread (unlikely but
==18459== possible), you can try to increase the size of the
==18459== main thread stack using the --main-stacksize= flag.
==18459== The main thread stack size used in this run was 8388608.
==18459==
==18459== HEAP SUMMARY:
==18459== in use at exit: 0 bytes in 0 blocks
==18459== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==18459==
==18459== All heap blocks were freed -- no leaks are possible
==18459==
==18459== For counts of detected and suppressed errors, rerun with: -v
==18459== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 18459 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Null pointer dereference in wasm_interp_call_func_bytecode (wasm_interp.c:876)
case: WASM_OP_BR_TABLE
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 32279 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x000055555556031f in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:876
876 HANDLE_OP_END ();
#0 0x000055555556031f in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:876
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==32262== Memcheck, a memory error detector
==32262== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32262== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32262== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555603b0/PoC.wasm
==32262==
==32262== Invalid read of size 1
==32262== at 0x11431F: wasm_interp_call_func_bytecode (wasm_interp.c:876)
==32262== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32262== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32262== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==32262== by 0x10BAD7: app_instance_main (main.c:54)
==32262== by 0x10C0EA: main (main.c:217)
==32262== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==32262==
==32262==
==32262== Process terminating with default action of signal 11 (SIGSEGV)
==32262== Access not within mapped region at address 0x0
==32262== at 0x11431F: wasm_interp_call_func_bytecode (wasm_interp.c:876)
==32262== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32262== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32262== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==32262== by 0x10BAD7: app_instance_main (main.c:54)
==32262== by 0x10C0EA: main (main.c:217)
==32262== If you believe this happened as a result of a stack
==32262== overflow in your program's main thread (unlikely but
==32262== possible), you can try to increase the size of the
==32262== main thread stack using the --main-stacksize= flag.
==32262== The main thread stack size used in this run was 8388608.
==32262==
==32262== HEAP SUMMARY:
==32262== in use at exit: 0 bytes in 0 blocks
==32262== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==32262==
==32262== All heap blocks were freed -- no leaks are possible
==32262==
==32262== For counts of detected and suppressed errors, rerun with: -v
==32262== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 32262 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1136)
case: WASM_OP_F32_LOAD
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 29148 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x555555781104 --> 0x300000001
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x5555555618f0 (<wasm_interp_call_func_bytecode+9393>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x1a
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x200b1a2a4800210b
R10: 0x0
R11: 0x246
R12: 0x55555577f17e --> 0x616e0417000b0020
R13: 0x5555557810fc --> 0x100000042
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555618de <wasm_interp_call_func_bytecode+9375>: jbe 0x55555556196c <wasm_interp_call_func_bytecode+9517>
0x5555555618e4 <wasm_interp_call_func_bytecode+9381>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x5555555618e9 <wasm_interp_call_func_bytecode+9386>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555618f0 <wasm_interp_call_func_bytecode+9393>: mov rdx,QWORD PTR [rax+0x18]
0x5555555618f4 <wasm_interp_call_func_bytecode+9397>: mov ecx,DWORD PTR [rbp-0x584]
0x5555555618fa <wasm_interp_call_func_bytecode+9403>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555561901 <wasm_interp_call_func_bytecode+9410>: mov eax,DWORD PTR [rax+0x30]
0x555555561904 <wasm_interp_call_func_bytecode+9413>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0x7f00c50000019000
0040| 0x7fffffffce08 --> 0x17f7f2a01
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555618f0 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1136
1136 DEF_OP_LOAD(PUSH_F32(*(float32*)maddr));
#0 0x00005555555618f0 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1136
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==29146== Memcheck, a memory error detector
==29146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29146== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29146== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561981/PoC.wasm
==29146==
==29146== Invalid read of size 8
==29146== at 0x1158F0: wasm_interp_call_func_bytecode (wasm_interp.c:1136)
==29146== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==29146== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==29146== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==29146== by 0x10BAD7: app_instance_main (main.c:54)
==29146== by 0x10C0EA: main (main.c:217)
==29146== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==29146==
==29146==
==29146== Process terminating with default action of signal 11 (SIGSEGV)
==29146== Access not within mapped region at address 0x18
==29146== at 0x1158F0: wasm_interp_call_func_bytecode (wasm_interp.c:1136)
==29146== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==29146== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==29146== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==29146== by 0x10BAD7: app_instance_main (main.c:54)
==29146== by 0x10C0EA: main (main.c:217)
==29146== If you believe this happened as a result of a stack
==29146== overflow in your program's main thread (unlikely but
==29146== possible), you can try to increase the size of the
==29146== main thread stack using the --main-stacksize= flag.
==29146== The main thread stack size used in this run was 8388608.
==29146==
==29146== HEAP SUMMARY:
==29146== in use at exit: 0 bytes in 0 blocks
==29146== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==29146==
==29146== All heap blocks were freed -- no leaks are possible
==29146==
==29146== For counts of detected and suppressed errors, rerun with: -v
==29146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 29146 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:906)
case: WASM_OP_CALL_INDIRECT
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 32292 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x555555793364 --> 0x300000000
RCX: 0x0
RDX: 0x0
RSI: 0x7fffffffcdac --> 0x1
RDI: 0x55555577f178 --> 0x2d004100080b0000
RBP: 0x7fffffffd660 --> 0x7fffffffd750 --> 0x7fffffffd7a0 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcd80 --> 0x3e7000 ('')
RIP: 0x5555555604f3 (<wasm_interp_call_func_bytecode+4276>: mov eax,DWORD PTR [rax+0x4])
R8 : 0x1
R9 : 0x7fffffffd910 --> 0x7ffff7ffa268 (add BYTE PTR ss:[rax],al)
R10: 0x0
R11: 0x246
R12: 0x55555577f17a --> 0x2d004100080b
R13: 0x555555793360 --> 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555604e3 <wasm_interp_call_func_bytecode+4260>: cmp DWORD PTR [rbp-0x50c],0x0
0x5555555604ea <wasm_interp_call_func_bytecode+4267>: js 0x5555555604fe <wasm_interp_call_func_bytecode+4287>
0x5555555604ec <wasm_interp_call_func_bytecode+4269>: mov rax,QWORD PTR [rbp-0x498]
=> 0x5555555604f3 <wasm_interp_call_func_bytecode+4276>: mov eax,DWORD PTR [rax+0x4]
0x5555555604f6 <wasm_interp_call_func_bytecode+4279>: cmp DWORD PTR [rbp-0x50c],eax
0x5555555604fc <wasm_interp_call_func_bytecode+4285>: jl 0x555555560519 <wasm_interp_call_func_bytecode+4314>
0x5555555604fe <wasm_interp_call_func_bytecode+4287>: mov rax,QWORD PTR [rbp-0x4a0]
0x555555560505 <wasm_interp_call_func_bytecode+4294>: lea rsi,[rip+0x1883d] # 0x555555578d49
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd80 --> 0x3e7000 ('')
0008| 0x7fffffffcd88 --> 0x555555793294 --> 0x555555793240 --> 0x0
0016| 0x7fffffffcd90 --> 0x555555780da0 --> 0x0
0024| 0x7fffffffcd98 --> 0x555555781180 --> 0x0
0032| 0x7fffffffcda0 --> 0xc500001e7000
0040| 0x7fffffffcda8 --> 0x100002803
0048| 0x7fffffffcdb0 --> 0x0
0056| 0x7fffffffcdb8 --> 0x9040000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555604f3 in wasm_interp_call_func_bytecode (self=0x555555781180 <global_heap_buf+8928>, cur_func=0x555555780da0 <global_heap_buf+7936>, prev_frame=0x555555793294 <global_heap_buf+82932>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:906
906 if (val < 0 || val >= (int32)table->cur_size) {
#0 0x00005555555604f3 in wasm_interp_call_func_bytecode (self=0x555555781180 <global_heap_buf+8928>, cur_func=0x555555780da0 <global_heap_buf+7936>, prev_frame=0x555555793294 <global_heap_buf+82932>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:906
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780dd0 <global_heap_buf+7984>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555781080 <global_heap_buf+8672>, exec_env=0x0, function=0x555555780dd0 <global_heap_buf+7984>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x000055555555a9d5 in execute_start_function (module_inst=0x555555781080 <global_heap_buf+8672>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:721
#4 0x000055555555b596 in wasm_runtime_instantiate (module=0x55555577f1a0 <global_heap_buf+768>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:958
#5 0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==32277== Memcheck, a memory error detector
==32277== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32277== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32277== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555560584/PoC.wasm
==32277==
==32277== Invalid read of size 4
==32277== at 0x1144F3: wasm_interp_call_func_bytecode (wasm_interp.c:906)
==32277== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32277== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32277== by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==32277== by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==32277== by 0x10C07A: main (main.c:203)
==32277== Address 0x4 is not stack'd, malloc'd or (recently) free'd
==32277==
==32277==
==32277== Process terminating with default action of signal 11 (SIGSEGV)
==32277== Access not within mapped region at address 0x4
==32277== at 0x1144F3: wasm_interp_call_func_bytecode (wasm_interp.c:906)
==32277== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32277== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32277== by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==32277== by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==32277== by 0x10C07A: main (main.c:203)
==32277== If you believe this happened as a result of a stack
==32277== overflow in your program's main thread (unlikely but
==32277== possible), you can try to increase the size of the
==32277== main thread stack using the --main-stacksize= flag.
==32277== The main thread stack size used in this run was 8388608.
==32277==
==32277== HEAP SUMMARY:
==32277== in use at exit: 0 bytes in 0 blocks
==32277== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==32277==
==32277== All heap blocks were freed -- no leaks are possible
==32277==
==32277== For counts of detected and suppressed errors, rerun with: -v
==32277== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 32277 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1185)
case: WASM_OP_GET_GLOBAL/VALUE_TYPE_F64
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 425 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810fc --> 0x17000b0000000042
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x555555563350 (<wasm_interp_call_func_bytecode+16145>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x6e ('n')
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x430bc0c0c000210b
R10: 0x0
R11: 0x246
R12: 0x55555577f186 --> 0x6d0400010701656d
R13: 0x5555557810fc --> 0x17000b0000000042
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x55555556333e <wasm_interp_call_func_bytecode+16127>: jbe 0x5555555633cc <wasm_interp_call_func_bytecode+16269>
0x555555563344 <wasm_interp_call_func_bytecode+16133>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555563349 <wasm_interp_call_func_bytecode+16138>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555563350 <wasm_interp_call_func_bytecode+16145>: mov rdx,QWORD PTR [rax+0x18]
0x555555563354 <wasm_interp_call_func_bytecode+16149>: mov ecx,DWORD PTR [rbp-0x644]
0x55555556335a <wasm_interp_call_func_bytecode+16155>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555563361 <wasm_interp_call_func_bytecode+16162>: mov eax,DWORD PTR [rax+0x30]
0x555555563364 <wasm_interp_call_func_bytecode+16165>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0x7f00c50000019000
0040| 0x7fffffffce08 --> 0x17f7f3601
0048| 0x7fffffffce10 --> 0x7fff00000004
0056| 0x7fffffffce18 --> 0x11c00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555563350 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1185
1185 DEF_OP_STORE(uint32, I32, *(int32*)maddr = sval);
#0 0x0000555555563350 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1185
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==411== Memcheck, a memory error detector
==411== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==411== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==411== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555633e1/PoC.wasm
==411==
==411== Invalid read of size 8
==411== at 0x117350: wasm_interp_call_func_bytecode (wasm_interp.c:1185)
==411== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==411== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==411== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==411== by 0x10BAD7: app_instance_main (main.c:54)
==411== by 0x10C0EA: main (main.c:217)
==411== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==411==
==411==
==411== Process terminating with default action of signal 11 (SIGSEGV)
==411== Access not within mapped region at address 0x18
==411== at 0x117350: wasm_interp_call_func_bytecode (wasm_interp.c:1185)
==411== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==411== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==411== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==411== by 0x10BAD7: app_instance_main (main.c:54)
==411== by 0x10C0EA: main (main.c:217)
==411== If you believe this happened as a result of a stack
==411== overflow in your program's main thread (unlikely but
==411== possible), you can try to increase the size of the
==411== main thread stack using the --main-stacksize= flag.
==411== The main thread stack size used in this run was 8388608.
==411==
==411== HEAP SUMMARY:
==411== in use at exit: 0 bytes in 0 blocks
==411== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==411==
==411== All heap blocks were freed -- no leaks are possible
==411==
==411== For counts of detected and suppressed errors, rerun with: -v
==411== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 411 segmentation fault valgrind ./iwasm
This question is from the sample wasm-micro-runtime/samples/simple/wasm-apps/connection.c.
There is no iwasm/products/linux/bin directory; the iwasm binary is at iwasm/products/linux/build/iwasm.
This is inconsistent with the description in the readme documentation:
cd iwasm/products/linux/bin
./iwasm test.wasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1200)
case: WASM_OP_F32_STORE / CHECK_MEMORY_OVERFLOW();
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 28378 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810fc --> 0x17000b0000000042
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x5555555637be (<wasm_interp_call_func_bytecode+17279>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x6e ('n')
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x430bc0c0c000210b
R10: 0x0
R11: 0x246
R12: 0x55555577f186 --> 0x6d0400010701656d
R13: 0x5555557810fc --> 0x17000b0000000042
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555637ac <wasm_interp_call_func_bytecode+17261>: jbe 0x55555556383a <wasm_interp_call_func_bytecode+17403>
0x5555555637b2 <wasm_interp_call_func_bytecode+17267>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x5555555637b7 <wasm_interp_call_func_bytecode+17272>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555637be <wasm_interp_call_func_bytecode+17279>: mov rdx,QWORD PTR [rax+0x18]
0x5555555637c2 <wasm_interp_call_func_bytecode+17283>: mov ecx,DWORD PTR [rbp-0x668]
0x5555555637c8 <wasm_interp_call_func_bytecode+17289>: mov rax,QWORD PTR [rbp-0x4e8]
0x5555555637cf <wasm_interp_call_func_bytecode+17296>: mov eax,DWORD PTR [rax+0x30]
0x5555555637d2 <wasm_interp_call_func_bytecode+17299>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0x7f00c50000019000
0040| 0x7fffffffce08 --> 0x17f7f3801
0048| 0x7fffffffce10 --> 0x7fff00000004
0056| 0x7fffffffce18 --> 0x11c00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555637be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1200
1200 CHECK_MEMORY_OVERFLOW();
#0 0x00005555555637be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1200
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==28367== Memcheck, a memory error detector
==28367== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==28367== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==28367== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556384f/PoC.wasm
==28367==
==28367== Invalid read of size 8
==28367== at 0x1177BE: wasm_interp_call_func_bytecode (wasm_interp.c:1200)
==28367== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==28367== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==28367== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==28367== by 0x10BAD7: app_instance_main (main.c:54)
==28367== by 0x10C0EA: main (main.c:217)
==28367== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==28367==
==28367==
==28367== Process terminating with default action of signal 11 (SIGSEGV)
==28367== Access not within mapped region at address 0x18
==28367== at 0x1177BE: wasm_interp_call_func_bytecode (wasm_interp.c:1200)
==28367== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==28367== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==28367== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==28367== by 0x10BAD7: app_instance_main (main.c:54)
==28367== by 0x10C0EA: main (main.c:217)
==28367== If you believe this happened as a result of a stack
==28367== overflow in your program's main thread (unlikely but
==28367== possible), you can try to increase the size of the
==28367== main thread stack using the --main-stacksize= flag.
==28367== The main thread stack size used in this run was 8388608.
==28367==
==28367== HEAP SUMMARY:
==28367== in use at exit: 0 bytes in 0 blocks
==28367== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==28367==
==28367== All heap blocks were freed -- no leaks are possible
==28367==
==28367== For counts of detected and suppressed errors, rerun with: -v
==28367== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 28367 segmentation fault valgrind ./iwasm
The 32-bit build is successful. However, after changing the cmake variable BUILD_AS_64BIT_SUPPORT from "NO" to "YES" to enable the 64-bit build, make will fail with the message below:
[ 24%] Building C object CMakeFiles/vmlib.dir/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c.o
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:329:23: error: ‘get_va_list’ declared as function returning an array
static inline va_list get_va_list(uint32 *args)
^~~~~~~~~~~
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c: In function ‘get_va_list’:
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:336:8: warning: returning ‘__va_list_tag *’ from a function with return type ‘int’ makes integer from pointer without a cast [-Wint-conversion]
return u.v;
^
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:336:8: warning: function returns address of local variable [-Wreturn-local-addr]
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c: In function ‘parse_printf_args’:
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:356:12: error: assignment to expression with array type
*p_va_args = u.v;
^
make[2]: *** [CMakeFiles/vmlib.dir/build.make:219: CMakeFiles/vmlib.dir/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:147: CMakeFiles/vmlib.dir/all] Error 2
make: *** [Makefile:130: all] Error 2
I am working on Ubuntu with GCC 8.3.
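The compiler output above is the 64-bit ABI showing through: on x86_64 `va_list` is an array type (`__va_list_tag[1]`), so it can neither be returned from a function nor assigned with `=`, whereas on i386 it is a plain `char *` and pointing it at a `uint32` argument array happens to work. The portable alternative is to not fabricate a host `va_list` at all: walk the format string yourself and pull each conversion's argument out of the guest-supplied slot array with an explicit bounds check, so a format string that names more conversions than the guest supplied arguments fails closed instead of reading past the buffer. The following is an added example, not WAMR's own `libc_wrapper.c` code; the slot layout (one 32-bit slot per i32, two little-endian slots per i64), the function names and the sample format are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append len bytes of src to out, counting every byte like snprintf does
   even once out is full, so the caller can detect truncation. */
static void append(char *out, size_t out_size, size_t *written,
                   const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (*written + 1 < out_size) {
            out[*written] = src[i];
            out[*written + 1] = '\0';
        }
        (*written)++;
    }
}

/* Render fmt using integer arguments taken from a guest-supplied array of
   32-bit slots (assumption: i32 = one slot, i64 = two little-endian slots).
   Returns the length of the rendered text, or -1 when the format asks for
   more arguments than argc supplies or uses a conversion we refuse. */
int format_guest_args(char *out, size_t out_size, const char *fmt,
                      const uint32_t *args, size_t argc)
{
    size_t ai = 0, written = 0;
    if (out == NULL || out_size == 0 || fmt == NULL) return -1;
    out[0] = '\0';

    while (*fmt) {
        if (*fmt != '%') { append(out, out_size, &written, fmt, 1); fmt++; continue; }
        fmt++;                                   /* past '%' */
        const char *mods = fmt;                  /* flags and width */
        while (*fmt && strchr("-+ #0", *fmt)) fmt++;
        while (*fmt >= '0' && *fmt <= '9') fmt++;
        size_t mods_len = (size_t)(fmt - mods);
        int longs = 0;                           /* "l" is 32-bit in wasm32; "ll" is 64-bit */
        while (*fmt == 'l' && longs < 2) { longs++; fmt++; }
        char conv = *fmt;
        if (conv == '\0') return -1;             /* dangling '%' */
        fmt++;
        if (conv == '%') { append(out, out_size, &written, "%", 1); continue; }

        /* Rebuild a host spec whose length modifier we control. */
        char spec[24], tmp[96];
        size_t n = 0;
        if (mods_len > 12) return -1;            /* refuse absurd widths */
        spec[n++] = '%';
        memcpy(spec + n, mods, mods_len); n += mods_len;
        bool wide = (longs == 2);
        if (wide) { spec[n++] = 'l'; spec[n++] = 'l'; }
        spec[n++] = conv; spec[n] = '\0';

        int len;
        switch (conv) {
        case 'd': case 'i':
            if (wide) {
                if (ai + 2 > argc) return -1;    /* guest supplied too few slots */
                long long v = (long long)(args[ai] | ((uint64_t)args[ai + 1] << 32));
                ai += 2;
                len = snprintf(tmp, sizeof tmp, spec, v);
            } else {
                if (ai + 1 > argc) return -1;
                len = snprintf(tmp, sizeof tmp, spec, (int)(int32_t)args[ai++]);
            }
            break;
        case 'u': case 'x': case 'X': case 'c':
            if (wide) {
                if (conv == 'c' || ai + 2 > argc) return -1;
                unsigned long long v = args[ai] | ((uint64_t)args[ai + 1] << 32);
                ai += 2;
                len = snprintf(tmp, sizeof tmp, spec, v);
            } else {
                if (ai + 1 > argc) return -1;
                len = snprintf(tmp, sizeof tmp, spec, (unsigned)args[ai++]);
            }
            break;
        default:
            /* %s, %p, %n and floating point are refused: a %s in particular
               would need the guest pointer translated and bounds-checked
               against linear memory before the host could read it. */
            return -1;
        }
        if (len < 0 || (size_t)len >= sizeof tmp) return -1;
        append(out, out_size, &written, tmp, (size_t)len);
    }
    return (int)written;
}

/* Constructed demo input: a format and argument slots as a guest might pass them. */
char demo_out[64];
int demo_format(void)
{
    static const uint32_t slots[] = { 42u, 0xdeadbeefu, 0x89abcdefu, 0x01234567u };
    return format_guest_args(demo_out, sizeof demo_out,
                             "n=%d h=%08x w=%llx%%", slots, 4);
}
int demo_missing_arg(void)
{
    static const uint32_t slots[] = { 1u };      /* "%d %d" needs two */
    return format_guest_args(demo_out, sizeof demo_out, "%d %d", slots, 1);
}

int main(void)
{
    int n = demo_format();
    printf("%d: %s\n", n, demo_out);
    printf("missing argument -> %d\n", demo_missing_arg());
    return 0;
}
```

Because every conversion is rendered through a spec the host built itself, the guest never controls the length modifier the host `snprintf` sees, and the argument count check happens before each slot is read rather than being left to whatever `va_arg` finds on the stack.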
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Null pointer dereference in wasm_interp_call_wasm (wasm_interp.c:2158)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 19875 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810b0 --> 0x0
RCX: 0x557810ec
RDX: 0x720
RSI: 0x7fffffffce1c --> 0xffffd0f000000001
RDI: 0x5555557810b0 --> 0x0
RBP: 0x7fffffffd6d0 --> 0x7fffffffd7c0 --> 0x7fffffffd810 --> 0x7fffffffd890 --> 0x7fffffffd8c0 --> 0x7fffffffd9b0 (--> ...)
RSP: 0x7fffffffcdf0 --> 0x219000
RIP: 0x0
R8 : 0x0
R9 : 0x7fffffffd758 --> 0x55555578101c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f15f --> 0x417f044600d8bc85
R13: 0x5555557810bc --> 0xfffffff6
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcdf0 --> 0x219000
0008| 0x7fffffffcdf8 --> 0x555555781020 --> 0x0
0016| 0x7fffffffce00 --> 0x555555780d78 --> 0x100000000
0024| 0x7fffffffce08 --> 0x555555780fc8 --> 0x0
0032| 0x7fffffffce10 --> 0xc50000019000
0040| 0x7fffffffce18 --> 0x1007f0001
0048| 0x7fffffffce20 --> 0x7fffffffd0f0 --> 0x7fffffffd120 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce28 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000000000 in ?? ()
#0 0x0000000000000000 in ?? ()
#1 0x0000000000219000 in ?? ()
#2 0x0000555555781020 in global_heap_buf ()
#3 0x0000555555780d78 in global_heap_buf ()
#4 0x0000555555780fc8 in global_heap_buf ()
#5 0x0000c50000019000 in ?? ()
#6 0x00000001007f0001 in ?? ()
#7 0x00007fffffffd0f0 in ?? ()
#8 0x0000008400000000 in ?? ()
#9 0x00007fff0000000c in ?? ()
#10 0x0000000000000002 in ?? ()
#11 0x000000000000fd01 in ?? ()
#12 0x00007ffff7ddbead in _dl_map_segments (loader=<optimized out>, has_holes=<optimized out>, maplength=<optimized out>, nloadcmds=0x0, loadcmds=<optimized out>, type=<optimized out>, header=<optimized out>, fd=<optimized out>, l=0x5555557810b0 <global_heap_buf+8720>) at ./dl-map-segments.h:131
#13 _dl_map_object_from_fd (name=<optimized out>, origname=<optimized out>, fd=<optimized out>, fbp=<optimized out>, realname=<optimized out>, loader=<optimized out>, l_type=<optimized out>, mode=<optimized out>, stack_endp=<optimized out>, nsid=<optimized out>) at dl-load.c:1126
#14 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d78 <global_heap_buf+7896>, argc=0x0, argv=0x7fffffffd880) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#15 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780ec8 <global_heap_buf+8232>, exec_env=0x0, function=0x555555780d78 <global_heap_buf+7896>, argc=0x0, argv=0x7fffffffd880) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#16 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780ec8 <global_heap_buf+8232>, argc=0x1, argv=0x7fffffffdaa0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#17 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780ec8 <global_heap_buf+8232>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#18 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffdaa0) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#19 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda88) at ../csu/libc-start.c:310
#20 0x000055555555798a in _start ()
Valgrind
==19851== Memcheck, a memory error detector
==19851== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19851== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==19851== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x0/PoC.wasm
==19851==
==19851== Jump to the invalid address stated on the next line
==19851== at 0x0: ???
==19851== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==19851== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==19851== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==19851== by 0x10BAD7: app_instance_main (main.c:54)
==19851== by 0x10C0EA: main (main.c:217)
==19851== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19851==
==19851==
==19851== Process terminating with default action of signal 11 (SIGSEGV)
==19851== Bad permissions for mapped region at address 0x0
==19851== at 0x0: ???
==19851== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==19851== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==19851== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==19851== by 0x10BAD7: app_instance_main (main.c:54)
==19851== by 0x10C0EA: main (main.c:217)
==19851==
==19851== HEAP SUMMARY:
==19851== in use at exit: 0 bytes in 0 blocks
==19851== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==19851==
==19851== All heap blocks were freed -- no leaks are possible
==19851==
==19851== For counts of detected and suppressed errors, rerun with: -v
==19851== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 19851 segmentation fault valgrind ./iwasm
Hi
Excellent initiative, great to see more Wasm runtimes from experienced vendors.
I was hoping to find out what your feelings/plans are around supporting WASI, Mozilla’s proposed systems interface for Wasm applications.
Thanks again for this project
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Assertion failed in load_type_section (wasm_loader.c:259)
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
iwasm: XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:259: load_type_section: Assertion `result_count <= 1' failed.
[1] 2373 abort ./iwasm
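The failing assertion `result_count <= 1` is the WebAssembly MVP rule that a function type has at most one result. The problem the report exposes is not the rule but the mechanism: the loader enforces it with `assert()`, so a malformed (or multi-value) module aborts the whole process instead of being rejected with an error, which is a denial of service for any host that loads untrusted modules. Below is an added example, not WAMR's `load_type_section`, of a type-section parser that returns status codes for every malformed case it meets: a truncated LEB128 or vector, an overflowing LEB128, an unknown value type, and a result count above one. The `MAX_PARAMS` limit, the enum names and the sample section bodies are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes returned instead of aborting on malformed input. */
enum {
    TYPE_OK = 0,
    TYPE_ERR_TRUNCATED,        /* ran off the end of the section */
    TYPE_ERR_LEB,              /* LEB128 too long or overflows u32 */
    TYPE_ERR_BAD_FORM,         /* entry does not start with the 0x60 func form */
    TYPE_ERR_BAD_VALTYPE,      /* byte is not i32/i64/f32/f64 */
    TYPE_ERR_TOO_MANY_PARAMS,  /* exceeds this parser's fixed limit */
    TYPE_ERR_TOO_MANY_RESULTS, /* MVP allows at most one result */
    TYPE_ERR_TOO_MANY_TYPES,   /* exceeds the caller's table */
    TYPE_ERR_TRAILING          /* bytes left over after the last entry */
};

#define MAX_PARAMS 16   /* constructed limit for this example */

typedef struct {
    uint32_t param_count, result_count;
    uint8_t params[MAX_PARAMS];
    uint8_t result;
} func_type;

/* Unsigned LEB128 u32 with bounds and overflow checks. */
static int read_leb_u32(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    uint32_t result = 0;
    unsigned shift = 0;
    for (;;) {
        if (*p >= end) return TYPE_ERR_TRUNCATED;
        uint8_t b = *(*p)++;
        /* Fifth byte may only carry 4 payload bits and no continuation bit. */
        if (shift == 28 && (b & 0xf0) != 0) return TYPE_ERR_LEB;
        result |= (uint32_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0) break;
        shift += 7;
    }
    *out = result;
    return TYPE_OK;
}

static bool is_valtype(uint8_t b)
{
    return b == 0x7f || b == 0x7e || b == 0x7d || b == 0x7c; /* i32 i64 f32 f64 */
}

/* Parse one functype entry: 0x60 vec(valtype) vec(valtype). */
int parse_func_type(const uint8_t **p, const uint8_t *end, func_type *ft)
{
    int rc;
    if (*p >= end) return TYPE_ERR_TRUNCATED;
    if (*(*p)++ != 0x60) return TYPE_ERR_BAD_FORM;

    if ((rc = read_leb_u32(p, end, &ft->param_count)) != TYPE_OK) return rc;
    /* Check the declared count against limits and remaining bytes BEFORE
       trusting it, so a huge count never drives a loop or an allocation. */
    if (ft->param_count > MAX_PARAMS) return TYPE_ERR_TOO_MANY_PARAMS;
    if (ft->param_count > (size_t)(end - *p)) return TYPE_ERR_TRUNCATED;
    for (uint32_t i = 0; i < ft->param_count; i++) {
        uint8_t b = *(*p)++;
        if (!is_valtype(b)) return TYPE_ERR_BAD_VALTYPE;
        ft->params[i] = b;
    }

    if ((rc = read_leb_u32(p, end, &ft->result_count)) != TYPE_OK) return rc;
    if (ft->result_count > 1) return TYPE_ERR_TOO_MANY_RESULTS; /* the page's assert, as an error */
    if (ft->result_count > (size_t)(end - *p)) return TYPE_ERR_TRUNCATED;
    if (ft->result_count == 1) {
        uint8_t b = *(*p)++;
        if (!is_valtype(b)) return TYPE_ERR_BAD_VALTYPE;
        ft->result = b;
    }
    return TYPE_OK;
}

/* Parse a whole type-section body into a caller-owned table. */
int parse_type_section(const uint8_t *buf, size_t len,
                       func_type *table, uint32_t table_cap, uint32_t *count)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t n;
    int rc = read_leb_u32(&p, end, &n);
    if (rc != TYPE_OK) return rc;
    if (n > table_cap) return TYPE_ERR_TOO_MANY_TYPES;
    for (uint32_t i = 0; i < n; i++)
        if ((rc = parse_func_type(&p, end, &table[i])) != TYPE_OK) return rc;
    if (p != end) return TYPE_ERR_TRAILING;
    *count = n;
    return TYPE_OK;
}

/* Constructed section bodies (not taken from the PoC on the page). */
const uint8_t good_section[] = { 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f }; /* (i32,i32)->i32 */
const uint8_t two_results[]  = { 0x01, 0x60, 0x00, 0x02, 0x7f, 0x7f };       /* ()->(i32,i32) */
const uint8_t truncated[]    = { 0x01, 0x60, 0x05, 0x7f };                   /* claims 5 params, has 1 */
const uint8_t leb_overflow[] = { 0xff, 0xff, 0xff, 0xff, 0x7f };             /* count needs 35 bits */

int demo(const uint8_t *buf, size_t len)
{
    func_type table[4];
    uint32_t n = 0;
    return parse_type_section(buf, len, table, 4, &n);
}

int main(void)
{
    printf("good=%d two_results=%d truncated=%d leb=%d\n",
           demo(good_section, sizeof good_section), demo(two_results, sizeof two_results),
           demo(truncated, sizeof truncated), demo(leb_overflow, sizeof leb_overflow));
    return 0;
}
```

The `two_results` body is the shape that trips the assertion in the report: the parser hands back `TYPE_ERR_TOO_MANY_RESULTS` and the host decides what to do with a module it cannot load, rather than the loader deciding for it with `abort()`.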
I read "WASM interpreter (AOT is planned)": will it be with a JIT? For Intel CPUs? ARM CPUs? What kind of performance compared to native code can be expected?
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1230)
case: WASM_OP_I64_STORE8
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 23333 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810dc --> 0x0
RCX: 0x0
RDX: 0x41 ('A')
RSI: 0x7fffffffce0c --> 0xffffd0e000000001
RDI: 0x5555557810e0 --> 0x100000000
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x555555564068 (<wasm_interp_call_func_bytecode+19497>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x0
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f163 --> 0xbc85e44100c14103
R13: 0x5555557810fc --> 0x7f03
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555564056 <wasm_interp_call_func_bytecode+19479>: jbe 0x5555555640e4 <wasm_interp_call_func_bytecode+19621>
0x55555556405c <wasm_interp_call_func_bytecode+19485>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555564061 <wasm_interp_call_func_bytecode+19490>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x555555564068 <wasm_interp_call_func_bytecode+19497>: mov rdx,QWORD PTR [rax+0x18]
0x55555556406c <wasm_interp_call_func_bytecode+19501>: mov ecx,DWORD PTR [rbp-0x6b0]
0x555555564072 <wasm_interp_call_func_bytecode+19507>: mov rax,QWORD PTR [rbp-0x4e8]
0x555555564079 <wasm_interp_call_func_bytecode+19514>: mov eax,DWORD PTR [rax+0x30]
0x55555556407c <wasm_interp_call_func_bytecode+19517>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x1007f3c01
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
1230 DEF_OP_STORE(uint64, I64, *(uint8*)maddr = (uint8)sval);
#0 0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==23329== Memcheck, a memory error detector
==23329== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23329== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23329== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555640f9/PoC.wasm
==23329==
==23329== Invalid read of size 8
==23329== at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329== by 0x10BAD7: app_instance_main (main.c:54)
==23329== by 0x10C0EA: main (main.c:217)
==23329== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==23329==
==23329==
==23329== Process terminating with default action of signal 11 (SIGSEGV)
==23329== Access not within mapped region at address 0x18
==23329== at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329== by 0x10BAD7: app_instance_main (main.c:54)
==23329== by 0x10C0EA: main (main.c:217)
==23329== If you believe this happened as a result of a stack
==23329== overflow in your program's main thread (unlikely but
==23329== possible), you can try to increase the size of the
==23329== main thread stack using the --main-stacksize= flag.
==23329== The main thread stack size used in this run was 8388608.
==23329==
==23329== HEAP SUMMARY:
==23329== in use at exit: 0 bytes in 0 blocks
==23329== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==23329==
==23329== All heap blocks were freed -- no leaks are possible
==23329==
==23329== For counts of detected and suppressed errors, rerun with: -v
==23329== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 23329 segmentation fault valgrind ./iwasm
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1253)
case: WASM_OP_MEMORY_GROW
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 4666 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810f0 --> 0x5555 ('UU')
RCX: 0x0
RDX: 0x200
RSI: 0x5555 ('UU')
RDI: 0x555555781008 --> 0x0
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x5555555645f7 (<wasm_interp_call_func_bytecode+20920>: mov eax,DWORD PTR [rax])
R8 : 0x0
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f15e --> 0xc141034102410141
R13: 0x5555557810fc --> 0x7f03
R14: 0x0
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555645e7 <wasm_interp_call_func_bytecode+20904>: mov rax,QWORD PTR [rdx+rax*1]
0x5555555645eb <wasm_interp_call_func_bytecode+20908>: jmp 0x55555555f64b <wasm_interp_call_func_bytecode+524>
0x5555555645f0 <wasm_interp_call_func_bytecode+20913>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555645f7 <wasm_interp_call_func_bytecode+20920>: mov eax,DWORD PTR [rax]
0x5555555645f9 <wasm_interp_call_func_bytecode+20922>: mov DWORD PTR [rbp-0x6ec],eax
0x5555555645ff <wasm_interp_call_func_bytecode+20928>: mov DWORD PTR [rbp-0x8b4],0x0
0x555555564609 <wasm_interp_call_func_bytecode+20938>: lea rax,[rbp-0x8b4]
0x555555564610 <wasm_interp_call_func_bytecode+20945>: mov ecx,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x7f0001
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555645f7 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1253
1253 uint32 reserved, delta, prev_page_count = memory->cur_page_count;
#0 0x00005555555645f7 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1253
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==4653== Memcheck, a memory error detector
==4653== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4653== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4653== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555564688/PoC.wasm
==4653==
==4653== Invalid read of size 4
==4653== at 0x1185F7: wasm_interp_call_func_bytecode (wasm_interp.c:1253)
==4653== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==4653== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==4653== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==4653== by 0x10BAD7: app_instance_main (main.c:54)
==4653== by 0x10C0EA: main (main.c:217)
==4653== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4653==
==4653==
==4653== Process terminating with default action of signal 11 (SIGSEGV)
==4653== Access not within mapped region at address 0x0
==4653== at 0x1185F7: wasm_interp_call_func_bytecode (wasm_interp.c:1253)
==4653== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==4653== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==4653== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==4653== by 0x10BAD7: app_instance_main (main.c:54)
==4653== by 0x10C0EA: main (main.c:217)
==4653== If you believe this happened as a result of a stack
==4653== overflow in your program's main thread (unlikely but
==4653== possible), you can try to increase the size of the
==4653== main thread stack using the --main-stacksize= flag.
==4653== The main thread stack size used in this run was 8388608.
==4653==
==4653== HEAP SUMMARY:
==4653== in use at exit: 0 bytes in 0 blocks
==4653== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==4653==
==4653== All heap blocks were freed -- no leaks are possible
==4653==
==4653== For counts of detected and suppressed errors, rerun with: -v
==4653== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 4653 segmentation fault valgrind ./iwasm
Thanks for the excellent work. I am trying to integrate WAMR into my code to read a WASM file and call a fib function which doesn't call any system ABI functions. However, I couldn't make it work even for the simple code below:
#include "wasm-export.h"
int main ()
{
    /* handles for the module, instance, function and execution environment;
       declared here but not yet used in this minimal test */
    wasm_module_t module;
    wasm_module_inst_t inst;
    wasm_function_inst_t func;
    wasm_exec_env_t env;
    /* initialise the runtime before any module is loaded */
    wasm_runtime_init();
    return 0;
}
The error messages are as below:
erry@tPad:~/wasm/wasm-micro-runtime/core/iwasm/products/linux/build$ gcc -m32 test.c -I /home/terry/wasm/wasm-micro-runtime/core/iwasm/runtime/include/ -lm -lpthread -lvmlib -liwasm -L /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_thread_sys_init':
bh_thread.c:(.text._vm_thread_sys_init+0x49): undefined reference to `pthread_key_create'
/usr/bin/ld: bh_thread.c:(.text._vm_thread_sys_init+0xa8): undefined reference to `pthread_key_delete'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `vm_thread_sys_destroy':
bh_thread.c:(.text.vm_thread_sys_destroy+0x35): undefined reference to `pthread_key_delete'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `vm_thread_wrapper':
bh_thread.c:(.text.vm_thread_wrapper+0x43): undefined reference to `_bh_log'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_thread_create_with_prio':
bh_thread.c:(.text._vm_thread_create_with_prio+0xc9): undefined reference to `pthread_attr_setstacksize'
/usr/bin/ld: bh_thread.c:(.text._vm_thread_create_with_prio+0x145): undefined reference to `pthread_create'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_tls_get':
bh_thread.c:(.text._vm_tls_get+0x49): undefined reference to `pthread_getspecific'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_tls_put':
bh_thread.c:(.text._vm_tls_put+0x4c): undefined reference to `pthread_setspecific'
..............................
Would you please kindly provide some examples to show how to use WAMR standalone? Thanks very much.
Questions | Answers |
---|---|
Related Binary | ./iwasm (linux build) |
Commit | commit 9a02c49 |
Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1180)
case: WASM_OP_I64_LOAD32_U
Download:
PoC.zip
Run:
./iwasm PoC.wasm
Crash
[1] 24317 segmentation fault ./iwasm
GDB
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557810e4 --> 0x0
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0
RSI: 0x0
RDI: 0x2
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000
RIP: 0x55555556310e (<wasm_interp_call_func_bytecode+15567>: mov rdx,QWORD PTR [rax+0x18])
R8 : 0x1
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008
R10: 0x0
R11: 0x246
R12: 0x55555577f161 --> 0xe44100c141034102
R13: 0x5555557810fc --> 0x7f03
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555555630fc <wasm_interp_call_func_bytecode+15549>: jbe 0x55555556318a <wasm_interp_call_func_bytecode+15691>
0x555555563102 <wasm_interp_call_func_bytecode+15555>: jmp 0x555555568495 <wasm_interp_call_func_bytecode+36950>
0x555555563107 <wasm_interp_call_func_bytecode+15560>: mov rax,QWORD PTR [rbp-0x4e8]
=> 0x55555556310e <wasm_interp_call_func_bytecode+15567>: mov rdx,QWORD PTR [rax+0x18]
0x555555563112 <wasm_interp_call_func_bytecode+15571>: mov ecx,DWORD PTR [rbp-0x634]
0x555555563118 <wasm_interp_call_func_bytecode+15577>: mov rax,QWORD PTR [rbp-0x4e8]
0x55555556311f <wasm_interp_call_func_bytecode+15584>: mov eax,DWORD PTR [rax+0x30]
0x555555563122 <wasm_interp_call_func_bytecode+15587>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0
0032| 0x7fffffffce00 --> 0xc50000019000
0040| 0x7fffffffce08 --> 0x1007f3501
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556310e in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1180
1180 DEF_OP_LOAD(PUSH_I64((uint64)(*(uint32*)maddr)));
#0 0x000055555556310e in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1180
#1 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7 0x000055555555798a in _start ()
Valgrind
==24315== Memcheck, a memory error detector
==24315== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==24315== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==24315== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556319f/PoC.wasm
==24315==
==24315== Invalid read of size 8
==24315== at 0x11710E: wasm_interp_call_func_bytecode (wasm_interp.c:1180)
==24315== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==24315== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==24315== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==24315== by 0x10BAD7: app_instance_main (main.c:54)
==24315== by 0x10C0EA: main (main.c:217)
==24315== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==24315==
==24315==
==24315== Process terminating with default action of signal 11 (SIGSEGV)
==24315== Access not within mapped region at address 0x18
==24315== at 0x11710E: wasm_interp_call_func_bytecode (wasm_interp.c:1180)
==24315== by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==24315== by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==24315== by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==24315== by 0x10BAD7: app_instance_main (main.c:54)
==24315== by 0x10C0EA: main (main.c:217)
==24315== If you believe this happened as a result of a stack
==24315== overflow in your program's main thread (unlikely but
==24315== possible), you can try to increase the size of the
==24315== main thread stack using the --main-stacksize= flag.
==24315== The main thread stack size used in this run was 8388608.
==24315==
==24315== HEAP SUMMARY:
==24315== in use at exit: 0 bytes in 0 blocks
==24315== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==24315==
==24315== All heap blocks were freed -- no leaks are possible
==24315==
==24315== For counts of detected and suppressed errors, rerun with: -v
==24315== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 24315 segmentation fault valgrind ./iwasm
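The three reports above (wasm_interp.c:1230 for `i64.store8`, :1253 for `memory.grow`, :1180 for `i64.load32_u`) all fault at address 0x0 or 0x18 inside the interpreter's memory opcodes, which is consistent with a NULL memory-instance pointer being dereferenced, i.e. a module whose code touches linear memory but which never got one. The following is an added example, not WAMR's interpreter code, of how a defender would write those three opcode paths: every access goes through one helper that treats a missing memory as a trap, computes the effective address in 64 bits so `base + offset` cannot wrap, and checks `address + access size` against the current page count; `memory.grow` enforces the declared maximum and returns -1 to the guest rather than overrunning. The structure, the page cap and the sample addresses are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WASM_PAGE_SIZE 65536u
#define WASM_MAX_PAGES 65536u   /* 4 GiB; a real runtime caps this far lower */

typedef struct {
    uint8_t *data;
    uint32_t cur_page_count;
    uint32_t max_page_count;    /* from the memory type, or the runtime's cap */
} linear_memory;

typedef enum { MEM_OK = 0, MEM_TRAP_NO_MEMORY, MEM_TRAP_OOB } mem_status;

linear_memory *mem_create(uint32_t pages, uint32_t max_pages)
{
    if (pages > max_pages || max_pages > WASM_MAX_PAGES) return NULL;
    linear_memory *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    size_t bytes = (size_t)pages * WASM_PAGE_SIZE;
    m->data = calloc(bytes ? bytes : 1, 1);     /* zero pages still gets a non-NULL buffer */
    if (!m->data) { free(m); return NULL; }
    m->cur_page_count = pages;
    m->max_page_count = max_pages;
    return m;
}

void mem_destroy(linear_memory *m) { if (m) { free(m->data); free(m); } }

/* Translate base + offset into a host pointer for an access of `size` bytes,
   or return a trap. Never dereferences m when it is NULL, and does the
   arithmetic in 64 bits so the 32-bit sum cannot wrap back into range. */
mem_status mem_checked_addr(const linear_memory *m, uint32_t base, uint32_t offset,
                            uint32_t size, uint8_t **out)
{
    if (m == NULL || m->data == NULL) return MEM_TRAP_NO_MEMORY;
    uint64_t ea = (uint64_t)base + offset;
    uint64_t limit = (uint64_t)m->cur_page_count * WASM_PAGE_SIZE;
    if (ea + size > limit) return MEM_TRAP_OOB;
    *out = m->data + ea;
    return MEM_OK;
}

/* i64.store8: only the low byte of the value is written. */
mem_status mem_store8(linear_memory *m, uint32_t base, uint32_t offset, uint64_t value)
{
    uint8_t *p;
    mem_status st = mem_checked_addr(m, base, offset, 1, &p);
    if (st != MEM_OK) return st;
    *p = (uint8_t)value;
    return MEM_OK;
}

/* i64.load32_u: read 4 little-endian bytes and zero-extend to 64 bits. */
mem_status mem_load32u(const linear_memory *m, uint32_t base, uint32_t offset, uint64_t *result)
{
    uint8_t *p;
    mem_status st = mem_checked_addr(m, base, offset, 4, &p);
    if (st != MEM_OK) return st;
    *result = (uint64_t)p[0] | ((uint64_t)p[1] << 8) | ((uint64_t)p[2] << 16) | ((uint64_t)p[3] << 24);
    return MEM_OK;
}

/* memory.grow: returns the previous page count, or UINT32_MAX (-1 to the guest)
   when the request cannot be satisfied. A missing memory is a trap via *st. */
uint32_t mem_grow(linear_memory *m, uint32_t delta, mem_status *st)
{
    if (m == NULL) { *st = MEM_TRAP_NO_MEMORY; return UINT32_MAX; }
    *st = MEM_OK;
    uint32_t prev = m->cur_page_count;
    if (delta > m->max_page_count - prev) return UINT32_MAX; /* prev <= max always holds */
    if (delta == 0) return prev;
    uint32_t new_pages = prev + delta;
    /* realloc may move the buffer: any host pointer translated earlier is now
       stale, which is why every access above re-translates from m->data. */
    uint8_t *nd = realloc(m->data, (size_t)new_pages * WASM_PAGE_SIZE);
    if (!nd) return UINT32_MAX;
    memset(nd + (size_t)prev * WASM_PAGE_SIZE, 0, (size_t)delta * WASM_PAGE_SIZE);
    m->data = nd;
    m->cur_page_count = new_pages;
    return prev;
}

/* Constructed walk-through: one initial page, maximum two. */
bool demo(void)
{
    linear_memory *m = mem_create(1, 2);
    uint64_t v = 0;
    mem_status st;
    bool ok = m != NULL
        && mem_store8(NULL, 0, 0, 1) == MEM_TRAP_NO_MEMORY        /* the page's crash case, as a trap */
        && mem_store8(m, 0x100, 0, 0x1ab) == MEM_OK
        && mem_load32u(m, 0x100, 0, &v) == MEM_OK && v == 0xab
        && mem_load32u(m, 0xfffd, 0, &v) == MEM_TRAP_OOB            /* 65533 + 4 > 65536 */
        && mem_store8(m, 0xffffffffu, 8, 0) == MEM_TRAP_OOB         /* would wrap in 32 bits */
        && mem_grow(m, 1, &st) == 1 && st == MEM_OK
        && mem_load32u(m, 0x10000, 0, &v) == MEM_OK                 /* second page now valid */
        && mem_grow(m, 1, &st) == UINT32_MAX && st == MEM_OK        /* exceeds declared max */
        && mem_grow(NULL, 1, &st) == UINT32_MAX && st == MEM_TRAP_NO_MEMORY;
    mem_destroy(m);
    return ok;
}

int main(void) { printf("%s\n", demo() ? "all checks passed" : "FAILED"); return 0; }
```

The NULL check is the cheap half; the half that matters for untrusted modules is that the instantiation step refuses a module whose code section uses memory opcodes while no memory is defined or imported, so the interpreter never reaches these helpers with `m == NULL` in the first place, and the trap path here is only a backstop.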