bytecodealliance / wasm-micro-runtime Goto Github PK

WebAssembly Micro Runtime (WAMR)

License: Apache License 2.0

Shell 1.51% C 82.57% CMake 1.95% C++ 6.19% Makefile 0.38% Assembly 0.48% Dockerfile 0.14% Python 4.92% HTML 0.06% CSS 0.02% JavaScript 0.03% TypeScript 1.24% WebAssembly 0.02% Batchfile 0.04% Go 0.43% Rust 0.01%

wasm runtime interpreter aot embedded iot webassembly jit assembly-script sgx

wasm-micro-runtime's Introduction

WebAssembly Micro Runtime

A Bytecode Alliance project

Guide Website Chat

WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime with small footprint, high performance and highly configurable features for applications cross from embedded, IoT, edge to Trusted Execution Environment (TEE), smart contract, cloud native and so on. It includes a few parts as below:

VMcore: A set of runtime libraries for loading and running Wasm modules. It supports several execution modes including interpreter, Ahead-of-Time compilation(AoT) and Just-in-Time compilation (JIT). The WAMR supports two JIT tiers - Fast JIT, LLVM JIT, and dynamic tier-up from Fast JIT to LLVM JIT.
iwasm: The executable binary built with WAMR VMcore supports WASI and command line interface.
wamrc: The AOT compiler to compile Wasm file into AOT file
Useful components and tools for building real solutions with WAMR vmcore:
- App-framework: A framework for supporting APIs for the Wasm applications
- App-manager: a framework for dynamical loading the Wasm module remotely
- WAMR-IDE: An experimental VSCode extension for developping WebAssembly applications with C/C++

Key features

Full compliant to the W3C Wasm MVP
Small runtime binary size (~85K for interpreter and ~50K for AOT) and low memory usage
Near to native speed by AOT and JIT
Self-implemented AOT module loader to enable AOT working on Linux, Windows, MacOS, Android, SGX and MCU systems
Choices of Wasm application libc support: the built-in libc subset for the embedded environment or WASI for the standard libc
The simple C APIs to embed WAMR into host environment, see how to integrate WAMR and the API list
The mechanism to export native APIs to Wasm applications, see how to register native APIs
Multiple modules as dependencies, ref to document and sample
Multi-thread, pthread APIs and thread management, ref to document and sample
wasi-threads, ref to document and sample
Linux SGX (Intel Software Guard Extension) support, ref to document
Source debugging support, ref to document
XIP (Execution In Place) support, ref to document
Berkeley/Posix Socket support, ref to document and sample
Multi-tier JIT and Running mode control
Language bindings: Go, Python, Rust

Wasm post-MVP features

wasm-c-api, ref to document and sample
128-bit SIMD, ref to samples/workload
Reference Types, ref to document and sample
Bulk memory operations, Shared memory, Memory64
Tail-call, Garbage Collection, Exception Handling

Supported architectures and platforms

The WAMR VMcore supports the following architectures:

X86-64, X86-32
ARM, THUMB (ARMV7 Cortex-M7 and Cortex-A15 are tested)
AArch64 (Cortex-A57 and Cortex-A53 are tested)
RISCV64, RISCV32 (RISC-V LP64 and RISC-V LP64D are tested)
XTENSA, MIPS, ARC

The following platforms are supported, click each link below for how to build iwasm on that platform. Refer to WAMR porting guide for how to port WAMR to a new platform.

Getting started

Performance and memory

Blog: The WAMR memory model
Blog: Understand WAMR heaps and stacks
Blog: Introduction to WAMR running modes
Memory usage tuning: the memory model and how to tune the memory usage
Memory usage profiling: how to profile the memory usage
Performance tuning: how to tune the performance
Benchmarks: checkout these links for how to run the benchmarks: PolyBench, CoreMark, Sightglass, JetStream2
Performance and footprint data: the performance and footprint data

Project Technical Steering Committee

The WAMR PTSC Charter governs the operations of the project TSC. The current TSC members:

dongsheng28849455 - Dongsheng Yan, [email protected]
loganek - Marcin Kolny, [email protected]
lum1n0us - Liang He， [email protected]
no1wudi Qi Huang, [email protected]
qinxk-inter - Xiaokang Qin， [email protected]
ttrenner - Trenner, Thomas， [email protected]
wei-tang - Wei Tang， [email protected]
wenyongh - Wenyong Huang， [email protected]
woodsmc - Woods, Chris， [email protected]
xujuntwt95329 - Jun Xu， [email protected]
xwang98 - Xin Wang， [email protected] (chair)
yamt - Takashi Yamamoto, [email protected]

License

WAMR uses the same license as LLVM: the Apache 2.0 license with the LLVM exception. See the LICENSE file for details. This license allows you to freely use, modify, distribute and sell your own products based on WAMR. Any contributions you make will be under the same license.

More resources

wasm-micro-runtime's People

Contributors

Stargazers

Watchers

Forkers

litian-int wenyongh aaltonenzhang lbmeng 2015xli jlb6740 saiuz vdt kwccoin kustomzone hakilebara millsky manis404 ds604 longjohncoder hhy5277 0xflotus whitemike889 jithinraj linecode gavinljj offercomes abrown vehar damons wentongwu zhujinzhou 01alchemist martin-juhlin yiting16 hoangpq doublequick xjump zhanzr freemanzyq cbhust blockspacer yyerdao wind-river supowangfork backwardn luhanzhl beriberikix cmickeyb machinelinux-root jpryne amalabey jondong stone-wind xujun2019 skyschulz freevanx oubotong wyr8633 dio intelzhangw2 tschneidereit xrmx topecongiro forkkit bran-the-humble svsintel developerfred slurdge appfws stephanosio lishoulong arvinsfj wasm-micro-runtime hugo-dc nickzoic sahwar xujuntwt95329 jxiao1 moneytech rasata nesl qdaoming iplaycloud daizoom mdamgaard-biolib jetbl kfessel ranesaloni weining2019 alexene yzha107 lucshi misswhite jyao1 junrui-l decentriq lei-april xmlgrg hotg-ai ngwese poemm fx-js ewasm-benchmarking hu6360567

wasm-micro-runtime's Issues

No Windows support?

There's only Zephyr and Linux support. Someone else already asked about macOS, so here's a Windows one.

So yeah, are there any plans for supporting Windows? And how much of the C++ standard library, if any at all, does this already support?

WASI is still a work in progress and it doesn't support C++ yet, but hopefully both projects will do so at some point and work together if possible.

irreducible CFG, microwasm

WASM does not support irreducible CFG, which may be produced in the basic block representation for some languages/compilers. AFAIK, irreducible CFG must be removed using the relooper algorithm (or similar) before WASM is generated. According to some sources [1] it seems that this was a design decision motivated by JS JIT engines (V8, etc.). WASM is a cool idea but it looks like a refurbished syntactic variant ASM-JS rather than the promised universal binary format. I wonder if there is any hope that projects like yours can push WASM design further or support alternative proposals like Microwasm [1] (which IMHO looks better from a compiler designer perspective).

[1] http://troubles.md/posts/microwasm/

Heap out of bounds read in wasm_loader_find_block_addr (wasm_loader.c:1561)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_loader_find_block_addr (wasm_loader.c:1561)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode 18.
[DD582740]: WASM loader find block addr failed: invalid opcode f8.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode 18.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode ff.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode d1.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode d7.
[DD582740]: WASM loader find block addr failed: invalid opcode cd.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode fb.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode d0.
[DD582740]: WASM loader find block addr failed: invalid opcode fd.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode 0a.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode fe.
[DD582740]: WASM loader find block addr failed: invalid opcode f3.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode e1.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode e0.
[DD582740]: WASM loader find block addr failed: invalid opcode e0.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 07.
[DD582740]: WASM loader find block addr failed: invalid opcode de.
[DD582740]: WASM loader find block addr failed: invalid opcode 08.
[DD582740]: WASM loader find block addr failed: invalid opcode 1e.
[1]    17578 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[F7FCC740]: WASM loader find block addr failed: invalid opcode fe.
[F7FCC740]: WASM loader find block addr failed: invalid opcode fe.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 18.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f8.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 18.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d7.
[F7FCC740]: WASM loader find block addr failed: invalid opcode dd.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode d0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 0a.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 08.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f1.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode e0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode f0.
[F7FCC740]: WASM loader find block addr failed: invalid opcode de.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 07.
[F7FCC740]: WASM loader find block addr failed: invalid opcode ee.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 08.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 1e.
[F7FCC740]: WASM loader find block addr failed: invalid opcode 09.

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x555555820000 
RBX: 0x0 
RCX: 0x26 ('&')
RDX: 0x555555820001 
RSI: 0x55555588714a 
RDI: 0x5555557ff66b --> 0x0 
RBP: 0x7fffffffd630 --> 0x7fffffffd770 --> 0x7fffffffd7e0 --> 0x7fffffffd840 --> 0x7fffffffd880 --> 0x7fffffffd8b0 (--> ...)
RSP: 0x7fffffffd410 --> 0x555555557960 (<_start>:	xor    ebp,ebp)
RIP: 0x55555556d5f1 (<wasm_loader_find_block_addr+448>:	movzx  eax,BYTE PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd478 --> 0x0 
R10: 0x2 
R11: 0x246 
R12: 0x555555557960 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffda80 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555556d5df <wasm_loader_find_block_addr+430>:	mov    rax,QWORD PTR [rbp-0x1b0]
   0x55555556d5e6 <wasm_loader_find_block_addr+437>:	lea    rdx,[rax+0x1]
   0x55555556d5ea <wasm_loader_find_block_addr+441>:	mov    QWORD PTR [rbp-0x1b0],rdx
=> 0x55555556d5f1 <wasm_loader_find_block_addr+448>:	movzx  eax,BYTE PTR [rax]
   0x55555556d5f4 <wasm_loader_find_block_addr+451>:	mov    BYTE PTR [rbp-0x1da],al
   0x55555556d5fa <wasm_loader_find_block_addr+457>:	movzx  eax,BYTE PTR [rbp-0x1da]
   0x55555556d601 <wasm_loader_find_block_addr+464>:	cmp    eax,0xc3
   0x55555556d606 <wasm_loader_find_block_addr+469>:	ja     0x55555556dfed <wasm_loader_find_block_addr+3004>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd410 --> 0x555555557960 (<_start>:	xor    ebp,ebp)
0008| 0x7fffffffd418 --> 0x7fffffffd910 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
0016| 0x7fffffffd420 --> 0x555555780eb0 --> 0x0 
0024| 0x7fffffffd428 --> 0x555555780ea8 --> 0x0 
0032| 0x7fffffffd430 --> 0x7f03ffffd540 
0040| 0x7fffffffd438 --> 0x55555588714a 
0048| 0x7fffffffd440 --> 0x55555577f157 --> 0xbed6dc022afe0041 
0056| 0x7fffffffd448 --> 0x55555577f168 --> 0x1 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556d5f1 in wasm_loader_find_block_addr (module=0x55555577f168 <global_heap_buf+712>, start_addr=0x55555577f157 <global_heap_buf+695> "A", code_end_addr=0x55555588714a <error: Cannot access memory at address 0x55555588714a>, block_type=0x3, p_else_addr=0x555555780ea8 <global_heap_buf+8200>, p_end_addr=0x555555780eb0 <global_heap_buf+8208>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1561
1561	        opcode = *p++;
#0  0x000055555556d5f1 in wasm_loader_find_block_addr (module=0x55555577f168 <global_heap_buf+712>, start_addr=0x55555577f157 <global_heap_buf+695> "A", code_end_addr=0x55555588714a <error: Cannot access memory at address 0x55555588714a>, block_type=0x3, p_else_addr=0x555555780ea8 <global_heap_buf+8200>, p_end_addr=0x555555780eb0 <global_heap_buf+8208>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1561
#1  0x000055555556f485 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e28 <global_heap_buf+8072>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2374
#2  0x000055555556cba6 in load_from_sections (module=0x55555577f168 <global_heap_buf+712>, sections=0x555555780d58 <global_heap_buf+7864>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1189
#3  0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, module=0x55555577f168 <global_heap_buf+712>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#4  0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#5  0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x27, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#6  0x000055555555802d in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#7  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#8  0x000055555555798a in _start ()

Valgrind

==17576== Memcheck, a memory error detector
==17576== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==17576== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==17576== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556d68e/PoC.wasm
==17576== 
[404FB80]: WASM loader find block addr failed: invalid opcode fe.
[404FB80]: WASM loader find block addr failed: invalid opcode fe.
[404FB80]: WASM loader find block addr failed: invalid opcode 18.
[404FB80]: WASM loader find block addr failed: invalid opcode f8.
[404FB80]: WASM loader find block addr failed: invalid opcode 18.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode ff.
[404FB80]: WASM loader find block addr failed: invalid opcode d1.
[404FB80]: WASM loader find block addr failed: invalid opcode c7.
[404FB80]: WASM loader find block addr failed: invalid opcode d7.
[404FB80]: WASM loader find block addr failed: invalid opcode 1d.
[404FB80]: WASM loader find block addr failed: invalid opcode d0.
[404FB80]: WASM loader find block addr failed: invalid opcode 0a.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode f3.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode e0.
[404FB80]: WASM loader find block addr failed: invalid opcode de.
[404FB80]: WASM loader find block addr failed: invalid opcode 07.
[404FB80]: WASM loader find block addr failed: invalid opcode 08.
[404FB80]: WASM loader find block addr failed: invalid opcode 1e.
==17576== Invalid read of size 1
==17576==    at 0x1215F1: wasm_loader_find_block_addr (wasm_loader.c:1561)
==17576==    by 0x123484: wasm_loader_prepare_bytecode (wasm_loader.c:2374)
==17576==    by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==17576==    by 0x121009: load (wasm_loader.c:1388)
==17576==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==17576==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==17576==    by 0x10C02C: main (main.c:196)
==17576==  Address 0x3b3000 is not stack'd, malloc'd or (recently) free'd
==17576== 
==17576== 
==17576== Process terminating with default action of signal 11 (SIGSEGV)
==17576==  Access not within mapped region at address 0x3B3000
==17576==    at 0x1215F1: wasm_loader_find_block_addr (wasm_loader.c:1561)
==17576==    by 0x123484: wasm_loader_prepare_bytecode (wasm_loader.c:2374)
==17576==    by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==17576==    by 0x121009: load (wasm_loader.c:1388)
==17576==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==17576==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==17576==    by 0x10C02C: main (main.c:196)
==17576==  If you believe this happened as a result of a stack
==17576==  overflow in your program's main thread (unlikely but
==17576==  possible), you can try to increase the size of the
==17576==  main thread stack using the --main-stacksize= flag.
==17576==  The main thread stack size used in this run was 8388608.
==17576== 
==17576== HEAP SUMMARY:
==17576==     in use at exit: 0 bytes in 0 blocks
==17576==   total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated
==17576== 
==17576== All heap blocks were freed -- no leaks are possible
==17576== 
==17576== For counts of detected and suppressed errors, rerun with: -v
==17576== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    17576 segmentation fault  valgrind ./iwasm

Null pointer dereference - WASM_OP_BR: wasm_interp_call_func_bytecode (wasm_interp.c:843)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Null pointer dereference in wasm_interp_call_func_bytecode (wasm_interp.c:843)
case: WASM_OP_BR

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    3230 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x0 
RDX: 0x48 ('H')
RSI: 0x7fffffffce0c --> 0x400000001 
RDI: 0x55555577f179 ("Hello World")
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x55555555fdc4 (<wasm_interp_call_func_bytecode+2437>:	movzx  eax,BYTE PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd910 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
R10: 0x0 
R11: 0x246 
R12: 0x1 
R13: 0x55555579320c --> 0x7f03120af410 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555fdbc <wasm_interp_call_func_bytecode+2429>:	nop
   0x55555555fdbd <wasm_interp_call_func_bytecode+2430>:	mov    rax,r12
   0x55555555fdc0 <wasm_interp_call_func_bytecode+2433>:	lea    r12,[rax+0x1]
=> 0x55555555fdc4 <wasm_interp_call_func_bytecode+2437>:	movzx  eax,BYTE PTR [rax]
   0x55555555fdc7 <wasm_interp_call_func_bytecode+2440>:	movzx  eax,al
   0x55555555fdca <wasm_interp_call_func_bytecode+2443>:	cdqe   
   0x55555555fdcc <wasm_interp_call_func_bytecode+2445>:	lea    rdx,[rax*8+0x0]
   0x55555555fdd4 <wasm_interp_call_func_bytecode+2453>:	lea    rax,[rip+0x21e885]        # 0x55555577e660 <handle_table.5444>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555793170 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780db0 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x5555557810b0 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f0001 
0048| 0x7fffffffce10 --> 0x4800000004 
0056| 0x7fffffffce18 --> 0x8c40000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555fdc4 in wasm_interp_call_func_bytecode (self=0x5555557810b0 <global_heap_buf+8720>, cur_func=0x555555780db0 <global_heap_buf+7952>, prev_frame=0x555555793170 <global_heap_buf+82640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:843
843	        HANDLE_OP_END ();
#0  0x000055555555fdc4 in wasm_interp_call_func_bytecode (self=0x5555557810b0 <global_heap_buf+8720>, cur_func=0x555555780db0 <global_heap_buf+7952>, prev_frame=0x555555793170 <global_heap_buf+82640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:843
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780db0 <global_heap_buf+7952>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780fb0 <global_heap_buf+8464>, exec_env=0x0, function=0x555555780db0 <global_heap_buf+7952>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780fb0 <global_heap_buf+8464>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780fb0 <global_heap_buf+8464>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Null pointer dereference - wasm_loader_prepare_bytecode (wasm_loader.c:2258)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Null pointer dereference in wasm_loader_prepare_bytecode (wasm_loader.c:2258)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    31363 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x0 
RDX: 0x1 
RSI: 0x7fffffffd6d8 --> 0x555555780e38 --> 0x7f 
RDI: 0x0 
RBP: 0x7fffffffd770 --> 0x7fffffffd7e0 --> 0x7fffffffd840 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffd650 --> 0x8000000000 
RIP: 0x55555556e953 (<wasm_loader_prepare_bytecode+917>:	movzx  eax,BYTE PTR [rax])
R8 : 0x7fffffffd688 --> 0x100000020 
R9 : 0x7fffffffd684 --> 0x2000000000 ('')
R10: 0x0 
R11: 0x246 
R12: 0x555555557960 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffda80 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555556e947 <wasm_loader_prepare_bytecode+905>:	mov    rax,QWORD PTR [rbp-0x78]
   0x55555556e94b <wasm_loader_prepare_bytecode+909>:	lea    rdx,[rax+0x1]
   0x55555556e94f <wasm_loader_prepare_bytecode+913>:	mov    QWORD PTR [rbp-0x78],rdx
=> 0x55555556e953 <wasm_loader_prepare_bytecode+917>:	movzx  eax,BYTE PTR [rax]
   0x55555556e956 <wasm_loader_prepare_bytecode+920>:	mov    BYTE PTR [rbp-0xf8],al
   0x55555556e95c <wasm_loader_prepare_bytecode+926>:	movzx  eax,BYTE PTR [rbp-0xf8]
   0x55555556e963 <wasm_loader_prepare_bytecode+933>:	cmp    eax,0xbf
   0x55555556e968 <wasm_loader_prepare_bytecode+938>:	ja     0x55555557440f <wasm_loader_prepare_bytecode+24145>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd650 --> 0x8000000000 
0008| 0x7fffffffd658 --> 0x7fffffffd910 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
0016| 0x7fffffffd660 --> 0x555555780e00 --> 0x555555780de0 --> 0x0 
0024| 0x7fffffffd668 --> 0x55555577f168 --> 0x1 
0032| 0x7fffffffd670 --> 0xffffffd690 
0040| 0x7fffffffd678 --> 0x40f2fe7db7a3fa00 
0048| 0x7fffffffd680 --> 0x1 
0056| 0x7fffffffd688 --> 0x100000020 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556e953 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e00 <global_heap_buf+8032>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2258
2258	        opcode = *p++;
#0  0x000055555556e953 in wasm_loader_prepare_bytecode (module=0x55555577f168 <global_heap_buf+712>, func=0x555555780e00 <global_heap_buf+8032>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:2258
#1  0x000055555556cba6 in load_from_sections (module=0x55555577f168 <global_heap_buf+712>, sections=0x555555780d58 <global_heap_buf+7864>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1189
#2  0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, module=0x55555577f168 <global_heap_buf+712>, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#3  0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#4  0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x25, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#5  0x000055555555802d in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==31313== Memcheck, a memory error detector
==31313== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31313== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==31313== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556e9f0/PoC.wasm
==31313== 
==31313== Invalid read of size 1
==31313==    at 0x122953: wasm_loader_prepare_bytecode (wasm_loader.c:2258)
==31313==    by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==31313==    by 0x121009: load (wasm_loader.c:1388)
==31313==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==31313==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==31313==    by 0x10C02C: main (main.c:196)
==31313==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==31313== 
==31313== 
==31313== Process terminating with default action of signal 11 (SIGSEGV)
==31313==  Access not within mapped region at address 0x0
==31313==    at 0x122953: wasm_loader_prepare_bytecode (wasm_loader.c:2258)
==31313==    by 0x120BA5: load_from_sections (wasm_loader.c:1189)
==31313==    by 0x121009: load (wasm_loader.c:1388)
==31313==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==31313==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==31313==    by 0x10C02C: main (main.c:196)
==31313==  If you believe this happened as a result of a stack
==31313==  overflow in your program's main thread (unlikely but
==31313==  possible), you can try to increase the size of the
==31313==  main thread stack using the --main-stacksize= flag.
==31313==  The main thread stack size used in this run was 8388608.
==31313== 
==31313== HEAP SUMMARY:
==31313==     in use at exit: 0 bytes in 0 blocks
==31313==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==31313== 
==31313== All heap blocks were freed -- no leaks are possible
==31313== 
==31313== For counts of detected and suppressed errors, rerun with: -v
==31313== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    31313 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_MEMORY_SIZE: wasm_interp_call_func_bytecode (wasm_interp.c:1246)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1246)
case: WASM_OP_MEMORY_SIZE

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    18462 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810e4 --> 0x5555557810fc --> 0x7f03 
RCX: 0x0 
RDX: 0x1 
RSI: 0x7fffffffce0c --> 0xffffd0e000000001 
RDI: 0x55555577f15f --> 0xc1410341024101 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x5555555645be (<wasm_interp_call_func_bytecode+20863>:	mov    edx,DWORD PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f160 --> 0x4100c14103410241 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555645b2 <wasm_interp_call_func_bytecode+20851>:	mov    eax,eax
   0x5555555645b4 <wasm_interp_call_func_bytecode+20853>:	add    r12,rax
   0x5555555645b7 <wasm_interp_call_func_bytecode+20856>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555645be <wasm_interp_call_func_bytecode+20863>:	mov    edx,DWORD PTR [rax]
   0x5555555645c0 <wasm_interp_call_func_bytecode+20865>:	mov    rax,rbx
   0x5555555645c3 <wasm_interp_call_func_bytecode+20868>:	lea    rbx,[rax+0x4]
   0x5555555645c7 <wasm_interp_call_func_bytecode+20872>:	mov    DWORD PTR [rax],edx
   0x5555555645c9 <wasm_interp_call_func_bytecode+20874>:	mov    rax,r12
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f0001 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555645be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1246
1246	        PUSH_I32(memory->cur_page_count);
#0  0x00005555555645be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1246
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==18459== Memcheck, a memory error detector
==18459== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==18459== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==18459== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556464f/PoC.wasm
==18459== 
==18459== Invalid read of size 4
==18459==    at 0x1185BE: wasm_interp_call_func_bytecode (wasm_interp.c:1246)
==18459==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==18459==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==18459==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==18459==    by 0x10BAD7: app_instance_main (main.c:54)
==18459==    by 0x10C0EA: main (main.c:217)
==18459==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18459== 
==18459== 
==18459== Process terminating with default action of signal 11 (SIGSEGV)
==18459==  Access not within mapped region at address 0x0
==18459==    at 0x1185BE: wasm_interp_call_func_bytecode (wasm_interp.c:1246)
==18459==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==18459==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==18459==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==18459==    by 0x10BAD7: app_instance_main (main.c:54)
==18459==    by 0x10C0EA: main (main.c:217)
==18459==  If you believe this happened as a result of a stack
==18459==  overflow in your program's main thread (unlikely but
==18459==  possible), you can try to increase the size of the
==18459==  main thread stack using the --main-stacksize= flag.
==18459==  The main thread stack size used in this run was 8388608.
==18459== 
==18459== HEAP SUMMARY:
==18459==     in use at exit: 0 bytes in 0 blocks
==18459==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==18459== 
==18459== All heap blocks were freed -- no leaks are possible
==18459== 
==18459== For counts of detected and suppressed errors, rerun with: -v
==18459== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    18459 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I64_LOAD16_U: wasm_interp_call_func_bytecode (wasm_interp.c:1172)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1172)
case: WASM_OP_I64_LOAD16_U

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    20965 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810f0 --> 0x0 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555562c9b (<wasm_interp_call_func_bytecode+14428>:  mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x32 ('2')
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f15f --> 0xc1410341026f6c 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555562c89 <wasm_interp_call_func_bytecode+14410>: jbe    0x555555562d17 <wasm_interp_call_func_bytecode+14552>
   0x555555562c8f <wasm_interp_call_func_bytecode+14416>: jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555562c94 <wasm_interp_call_func_bytecode+14421>: mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555562c9b <wasm_interp_call_func_bytecode+14428>: mov    rdx,QWORD PTR [rax+0x18]
   0x555555562c9f <wasm_interp_call_func_bytecode+14432>: mov    ecx,DWORD PTR [rbp-0x614]
   0x555555562ca5 <wasm_interp_call_func_bytecode+14438>: mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555562cac <wasm_interp_call_func_bytecode+14445>: mov    eax,DWORD PTR [rax+0x30]
   0x555555562caf <wasm_interp_call_func_bytecode+14448>: cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f3301 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555562c9b in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1172
1172          DEF_OP_LOAD(PUSH_I64((uint64)(*(uint16*)maddr)));
#0  0x0000555555562c9b in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1172
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==20348== Memcheck, a memory error detector
==20348== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20348== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20348== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555562d2c/PoC.wasm
==20348== 
==20348== Invalid read of size 8
==20348==    at 0x116C9B: wasm_interp_call_func_bytecode (wasm_interp.c:1172)
==20348==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==20348==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==20348==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==20348==    by 0x10BAD7: app_instance_main (main.c:54)
==20348==    by 0x10C0EA: main (main.c:217)
==20348==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==20348== 
==20348== 
==20348== Process terminating with default action of signal 11 (SIGSEGV)
==20348==  Access not within mapped region at address 0x18
==20348==    at 0x116C9B: wasm_interp_call_func_bytecode (wasm_interp.c:1172)
==20348==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==20348==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==20348==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==20348==    by 0x10BAD7: app_instance_main (main.c:54)
==20348==    by 0x10C0EA: main (main.c:217)
==20348==  If you believe this happened as a result of a stack
==20348==  overflow in your program's main thread (unlikely but
==20348==  possible), you can try to increase the size of the
==20348==  main thread stack using the --main-stacksize= flag.
==20348==  The main thread stack size used in this run was 8388608.
==20348== 
==20348== HEAP SUMMARY:
==20348==     in use at exit: 0 bytes in 0 blocks
==20348==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==20348== 
==20348== All heap blocks were freed -- no leaks are possible
==20348== 
==20348== For counts of detected and suppressed errors, rerun with: -v
==20348== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    20348 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I64_LOAD32_S: wasm_interp_call_func_bytecode (wasm_interp.c:1176)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1176)
case: WASM_OP_I64_LOAD32_S

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Need an example to show how to use WAMR standalone

Thanks for the excellent work. I am trying to integrate WAMR into my code to read a WASM file and call fib function which isn't calling any system abi functions. However I couldn't make it work even for below simple code:

#include "wasm-export.h"

int main ()
{
	wasm_module_t module;
  	wasm_module_inst_t inst;
  	wasm_function_inst_t func;
  	wasm_exec_env_t env;
  	wasm_runtime_init();
	return 0;
}

The error messages are as below:

erry@tPad:~/wasm/wasm-micro-runtime/core/iwasm/products/linux/build$ gcc -m32 test.c -I /home/terry/wasm/wasm-micro-runtime/core/iwasm/runtime/include/ -lm -lpthread -lvmlib -liwasm -L /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_thread_sys_init':
bh_thread.c:(.text._vm_thread_sys_init+0x49): undefined reference to `pthread_key_create'
/usr/bin/ld: bh_thread.c:(.text._vm_thread_sys_init+0xa8): undefined reference to `pthread_key_delete'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `vm_thread_sys_destroy':
bh_thread.c:(.text.vm_thread_sys_destroy+0x35): undefined reference to `pthread_key_delete'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `vm_thread_wrapper':
bh_thread.c:(.text.vm_thread_wrapper+0x43): undefined reference to `_bh_log'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_thread_create_with_prio':
bh_thread.c:(.text._vm_thread_create_with_prio+0xc9): undefined reference to `pthread_attr_setstacksize'
/usr/bin/ld: bh_thread.c:(.text._vm_thread_create_with_prio+0x145): undefined reference to `pthread_create'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_tls_get':
bh_thread.c:(.text._vm_tls_get+0x49): undefined reference to `pthread_getspecific'
/usr/bin/ld: /home/terry/wasm/wasm-micro-runtime/core/iwasm/products/linux/build/libvmlib.a(bh_thread.c.o): in function `_vm_tls_put':
bh_thread.c:(.text._vm_tls_put+0x4c): undefined reference to `pthread_setspecific'
..............................

Would you please kindly provide some examples to show how to use WAMR standalone? Thanks very much.

Heap out of bounds read - WASM_OP_MEMORY_GROW: wasm_interp_call_func_bytecode (wasm_interp.c:1253)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1253)
case: WASM_OP_MEMORY_GROW

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    4666 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810f0 --> 0x5555 ('UU')
RCX: 0x0 
RDX: 0x200 
RSI: 0x5555 ('UU')
RDI: 0x555555781008 --> 0x0 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x5555555645f7 (<wasm_interp_call_func_bytecode+20920>:	mov    eax,DWORD PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f15e --> 0xc141034102410141 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555645e7 <wasm_interp_call_func_bytecode+20904>:	mov    rax,QWORD PTR [rdx+rax*1]
   0x5555555645eb <wasm_interp_call_func_bytecode+20908>:	jmp    0x55555555f64b <wasm_interp_call_func_bytecode+524>
   0x5555555645f0 <wasm_interp_call_func_bytecode+20913>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555645f7 <wasm_interp_call_func_bytecode+20920>:	mov    eax,DWORD PTR [rax]
   0x5555555645f9 <wasm_interp_call_func_bytecode+20922>:	mov    DWORD PTR [rbp-0x6ec],eax
   0x5555555645ff <wasm_interp_call_func_bytecode+20928>:	mov    DWORD PTR [rbp-0x8b4],0x0
   0x555555564609 <wasm_interp_call_func_bytecode+20938>:	lea    rax,[rbp-0x8b4]
   0x555555564610 <wasm_interp_call_func_bytecode+20945>:	mov    ecx,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x7f0001 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555645f7 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1253
1253	        uint32 reserved, delta, prev_page_count = memory->cur_page_count;
#0  0x00005555555645f7 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1253
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==4653== Memcheck, a memory error detector
==4653== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4653== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4653== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555564688/PoC.wasm
==4653== 
==4653== Invalid read of size 4
==4653==    at 0x1185F7: wasm_interp_call_func_bytecode (wasm_interp.c:1253)
==4653==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==4653==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==4653==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==4653==    by 0x10BAD7: app_instance_main (main.c:54)
==4653==    by 0x10C0EA: main (main.c:217)
==4653==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4653== 
==4653== 
==4653== Process terminating with default action of signal 11 (SIGSEGV)
==4653==  Access not within mapped region at address 0x0
==4653==    at 0x1185F7: wasm_interp_call_func_bytecode (wasm_interp.c:1253)
==4653==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==4653==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==4653==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==4653==    by 0x10BAD7: app_instance_main (main.c:54)
==4653==    by 0x10C0EA: main (main.c:217)
==4653==  If you believe this happened as a result of a stack
==4653==  overflow in your program's main thread (unlikely but
==4653==  possible), you can try to increase the size of the
==4653==  main thread stack using the --main-stacksize= flag.
==4653==  The main thread stack size used in this run was 8388608.
==4653== 
==4653== HEAP SUMMARY:
==4653==     in use at exit: 0 bytes in 0 blocks
==4653==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==4653== 
==4653== All heap blocks were freed -- no leaks are possible
==4653== 
==4653== For counts of detected and suppressed errors, rerun with: -v
==4653== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    4653 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_LOAD16_S: wasm_interp_call_func_bytecode (wasm_interp.c:1152)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1152)
case: WASM_OP_I32_LOAD16_S

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_I64_STORE: wasm_interp_call_func_bytecode (wasm_interp.c:1189)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1189)
case: WASM_OP_I64_STORE

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_I64_STORE8: wasm_interp_call_func_bytecode (wasm_interp.c:1230)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1230)
case: WASM_OP_I64_STORE8

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    23333 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810dc --> 0x0 
RCX: 0x0 
RDX: 0x41 ('A')
RSI: 0x7fffffffce0c --> 0xffffd0e000000001 
RDI: 0x5555557810e0 --> 0x100000000 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555564068 (<wasm_interp_call_func_bytecode+19497>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x0 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f163 --> 0xbc85e44100c14103 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555564056 <wasm_interp_call_func_bytecode+19479>:	jbe    0x5555555640e4 <wasm_interp_call_func_bytecode+19621>
   0x55555556405c <wasm_interp_call_func_bytecode+19485>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555564061 <wasm_interp_call_func_bytecode+19490>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555564068 <wasm_interp_call_func_bytecode+19497>:	mov    rdx,QWORD PTR [rax+0x18]
   0x55555556406c <wasm_interp_call_func_bytecode+19501>:	mov    ecx,DWORD PTR [rbp-0x6b0]
   0x555555564072 <wasm_interp_call_func_bytecode+19507>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555564079 <wasm_interp_call_func_bytecode+19514>:	mov    eax,DWORD PTR [rax+0x30]
   0x55555556407c <wasm_interp_call_func_bytecode+19517>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f3c01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
1230	        DEF_OP_STORE(uint64, I64, *(uint8*)maddr = (uint8)sval);
#0  0x0000555555564068 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1230
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==23329== Memcheck, a memory error detector
==23329== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23329== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23329== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555640f9/PoC.wasm
==23329== 
==23329== Invalid read of size 8
==23329==    at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329==    by 0x10BAD7: app_instance_main (main.c:54)
==23329==    by 0x10C0EA: main (main.c:217)
==23329==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==23329== 
==23329== 
==23329== Process terminating with default action of signal 11 (SIGSEGV)
==23329==  Access not within mapped region at address 0x18
==23329==    at 0x118068: wasm_interp_call_func_bytecode (wasm_interp.c:1230)
==23329==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==23329==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==23329==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==23329==    by 0x10BAD7: app_instance_main (main.c:54)
==23329==    by 0x10C0EA: main (main.c:217)
==23329==  If you believe this happened as a result of a stack
==23329==  overflow in your program's main thread (unlikely but
==23329==  possible), you can try to increase the size of the
==23329==  main thread stack using the --main-stacksize= flag.
==23329==  The main thread stack size used in this run was 8388608.
==23329== 
==23329== HEAP SUMMARY:
==23329==     in use at exit: 0 bytes in 0 blocks
==23329==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==23329== 
==23329== All heap blocks were freed -- no leaks are possible
==23329== 
==23329== For counts of detected and suppressed errors, rerun with: -v
==23329== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    23329 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_F32_LOAD: wasm_interp_call_func_bytecode (wasm_interp.c:1136)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1136)
case: WASM_OP_F32_LOAD

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    29148 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555781104 --> 0x300000001 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x5555555618f0 (<wasm_interp_call_func_bytecode+9393>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x1a 
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x200b1a2a4800210b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f17e --> 0x616e0417000b0020 
R13: 0x5555557810fc --> 0x100000042 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555618de <wasm_interp_call_func_bytecode+9375>:	jbe    0x55555556196c <wasm_interp_call_func_bytecode+9517>
   0x5555555618e4 <wasm_interp_call_func_bytecode+9381>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x5555555618e9 <wasm_interp_call_func_bytecode+9386>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555618f0 <wasm_interp_call_func_bytecode+9393>:	mov    rdx,QWORD PTR [rax+0x18]
   0x5555555618f4 <wasm_interp_call_func_bytecode+9397>:	mov    ecx,DWORD PTR [rbp-0x584]
   0x5555555618fa <wasm_interp_call_func_bytecode+9403>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555561901 <wasm_interp_call_func_bytecode+9410>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555561904 <wasm_interp_call_func_bytecode+9413>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0x7f00c50000019000 
0040| 0x7fffffffce08 --> 0x17f7f2a01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555618f0 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1136
1136	        DEF_OP_LOAD(PUSH_F32(*(float32*)maddr));
#0  0x00005555555618f0 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1136
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==29146== Memcheck, a memory error detector
==29146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29146== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29146== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561981/PoC.wasm
==29146== 
==29146== Invalid read of size 8
==29146==    at 0x1158F0: wasm_interp_call_func_bytecode (wasm_interp.c:1136)
==29146==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==29146==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==29146==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==29146==    by 0x10BAD7: app_instance_main (main.c:54)
==29146==    by 0x10C0EA: main (main.c:217)
==29146==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==29146== 
==29146== 
==29146== Process terminating with default action of signal 11 (SIGSEGV)
==29146==  Access not within mapped region at address 0x18
==29146==    at 0x1158F0: wasm_interp_call_func_bytecode (wasm_interp.c:1136)
==29146==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==29146==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==29146==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==29146==    by 0x10BAD7: app_instance_main (main.c:54)
==29146==    by 0x10C0EA: main (main.c:217)
==29146==  If you believe this happened as a result of a stack
==29146==  overflow in your program's main thread (unlikely but
==29146==  possible), you can try to increase the size of the
==29146==  main thread stack using the --main-stacksize= flag.
==29146==  The main thread stack size used in this run was 8388608.
==29146== 
==29146== HEAP SUMMARY:
==29146==     in use at exit: 0 bytes in 0 blocks
==29146==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==29146== 
==29146== All heap blocks were freed -- no leaks are possible
==29146== 
==29146== For counts of detected and suppressed errors, rerun with: -v
==29146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    29146 segmentation fault  valgrind ./iwasm

iwasm failed to parse wasm binary on big endian targets

It reports: "magic header not detected".

This was seen on a PowerPC target running iwasm. Suspect it is related to endianness.

Heap out of bounds read - WASM_OP_F64_LOAD: wasm_interp_call_func_bytecode (wasm_interp.c:1140)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1140)
case: WASM_OP_F64_LOAD

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash


[1]    13909 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x55555578110c --> 0xb0f02e400000042 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555561b12 (<wasm_interp_call_func_bytecode+9939>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x21 ('!')
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f17a --> 0xb00200bc0c0c1 
R13: 0x5555557810fc --> 0x100000000 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555561b00 <wasm_interp_call_func_bytecode+9921>:	jbe    0x555555561b8e <wasm_interp_call_func_bytecode+10063>
   0x555555561b06 <wasm_interp_call_func_bytecode+9927>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555561b0b <wasm_interp_call_func_bytecode+9932>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555561b12 <wasm_interp_call_func_bytecode+9939>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555561b16 <wasm_interp_call_func_bytecode+9943>:	mov    ecx,DWORD PTR [rbp-0x594]
   0x555555561b1c <wasm_interp_call_func_bytecode+9949>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555561b23 <wasm_interp_call_func_bytecode+9956>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555561b26 <wasm_interp_call_func_bytecode+9959>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x17f7f2b01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555561b12 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1140
1140	        DEF_OP_LOAD(PUSH_F64(GET_F64_FROM_ADDR((uint32*)maddr)));
#0  0x0000555555561b12 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1140
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==13906== Memcheck, a memory error detector
==13906== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==13906== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==13906== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561ba3/PoC.wasm
==13906== 
==13906== Invalid read of size 8
==13906==    at 0x115B12: wasm_interp_call_func_bytecode (wasm_interp.c:1140)
==13906==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==13906==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==13906==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==13906==    by 0x10BAD7: app_instance_main (main.c:54)
==13906==    by 0x10C0EA: main (main.c:217)
==13906==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==13906== 
==13906== 
==13906== Process terminating with default action of signal 11 (SIGSEGV)
==13906==  Access not within mapped region at address 0x18
==13906==    at 0x115B12: wasm_interp_call_func_bytecode (wasm_interp.c:1140)
==13906==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==13906==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==13906==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==13906==    by 0x10BAD7: app_instance_main (main.c:54)
==13906==    by 0x10C0EA: main (main.c:217)
==13906==  If you believe this happened as a result of a stack
==13906==  overflow in your program's main thread (unlikely but
==13906==  possible), you can try to increase the size of the
==13906==  main thread stack using the --main-stacksize= flag.
==13906==  The main thread stack size used in this run was 8388608.
==13906== 
==13906== HEAP SUMMARY:
==13906==     in use at exit: 0 bytes in 0 blocks
==13906==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==13906== 
==13906== All heap blocks were freed -- no leaks are possible
==13906== 
==13906== For counts of detected and suppressed errors, rerun with: -v
==13906== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    13906 segmentation fault  valgrind ./iwasm

api：should an app close the connection when it received a CONN_EVENT_TYPE_DISCONNECT event?

This question is from the sample wasm-micro-runtime/samples/simple/wasm-apps/connection.c.

There is no iwasm/products/linux/bin directory

There is no iwasm/products/linux/bin directory, iwasm directory is iwasm/products/linux/build/iwasm.
This is inconsistent with the description in the readme documentation:

cd iwasm/products/linux/bin
./iwasm test.wasm

Heap out of bounds read - WASM_OP_I64_STORE16: wasm_interp_call_func_bytecode (wasm_interp.c:1234)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1234)
case: WASM_OP_I64_STORE16

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_F64_STORE: wasm_interp_call_func_bytecode (wasm_interp.c:1214)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1214)
case: WASM_OP_F64_STORE

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    9250 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810d8 --> 0x5555 ('UU')
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x5555555639da (<wasm_interp_call_func_bytecode+17819>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x1 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f161 --> 0xe44100c141034102 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555639c8 <wasm_interp_call_func_bytecode+17801>:	jbe    0x555555563a56 <wasm_interp_call_func_bytecode+17943>
   0x5555555639ce <wasm_interp_call_func_bytecode+17807>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x5555555639d3 <wasm_interp_call_func_bytecode+17812>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555639da <wasm_interp_call_func_bytecode+17819>:	mov    rdx,QWORD PTR [rax+0x18]
   0x5555555639de <wasm_interp_call_func_bytecode+17823>:	mov    ecx,DWORD PTR [rbp-0x678]
   0x5555555639e4 <wasm_interp_call_func_bytecode+17829>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x5555555639eb <wasm_interp_call_func_bytecode+17836>:	mov    eax,DWORD PTR [rax+0x30]
   0x5555555639ee <wasm_interp_call_func_bytecode+17839>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f3901 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555639da in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1214
1214	          CHECK_MEMORY_OVERFLOW();
#0  0x00005555555639da in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1214
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==9227== Memcheck, a memory error detector
==9227== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9227== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9227== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555563a6b/PoC.wasm
==9227== 
==9227== Invalid read of size 8
==9227==    at 0x1179DA: wasm_interp_call_func_bytecode (wasm_interp.c:1214)
==9227==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==9227==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==9227==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==9227==    by 0x10BAD7: app_instance_main (main.c:54)
==9227==    by 0x10C0EA: main (main.c:217)
==9227==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==9227== 
==9227== 
==9227== Process terminating with default action of signal 11 (SIGSEGV)
==9227==  Access not within mapped region at address 0x18
==9227==    at 0x1179DA: wasm_interp_call_func_bytecode (wasm_interp.c:1214)
==9227==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==9227==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==9227==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==9227==    by 0x10BAD7: app_instance_main (main.c:54)
==9227==    by 0x10C0EA: main (main.c:217)
==9227==  If you believe this happened as a result of a stack
==9227==  overflow in your program's main thread (unlikely but
==9227==  possible), you can try to increase the size of the
==9227==  main thread stack using the --main-stacksize= flag.
==9227==  The main thread stack size used in this run was 8388608.
==9227== 
==9227== HEAP SUMMARY:
==9227==     in use at exit: 0 bytes in 0 blocks
==9227==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==9227== 
==9227== All heap blocks were freed -- no leaks are possible
==9227== 
==9227== For counts of detected and suppressed errors, rerun with: -v
==9227== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    9227 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I64_STORE32: wasm_interp_call_func_bytecode (wasm_interp.c:1238)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1238)
case: WASM_OP_I64_STORE32

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_I64_LOAD16_S: wasm_interp_call_func_bytecode (wasm_interp.c:1168)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1168)
case: WASM_OP_I64_LOAD16_S

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_I64_LOAD32_U: wasm_interp_call_func_bytecode (wasm_interp.c:1180)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1180)
case: WASM_OP_I64_LOAD32_U

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash


[1]    24317 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810e4 --> 0x0 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x55555556310e (<wasm_interp_call_func_bytecode+15567>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x1 
R9 : 0x7fffffffd748 --> 0x55555578105c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f161 --> 0xe44100c141034102 
R13: 0x5555557810fc --> 0x7f03 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555630fc <wasm_interp_call_func_bytecode+15549>:	jbe    0x55555556318a <wasm_interp_call_func_bytecode+15691>
   0x555555563102 <wasm_interp_call_func_bytecode+15555>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555563107 <wasm_interp_call_func_bytecode+15560>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x55555556310e <wasm_interp_call_func_bytecode+15567>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555563112 <wasm_interp_call_func_bytecode+15571>:	mov    ecx,DWORD PTR [rbp-0x634]
   0x555555563118 <wasm_interp_call_func_bytecode+15577>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x55555556311f <wasm_interp_call_func_bytecode+15584>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555563122 <wasm_interp_call_func_bytecode+15587>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x1007f3501 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556310e in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1180
1180	        DEF_OP_LOAD(PUSH_I64((uint64)(*(uint32*)maddr)));
#0  0x000055555556310e in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1180
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==24315== Memcheck, a memory error detector
==24315== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==24315== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==24315== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556319f/PoC.wasm
==24315== 
==24315== Invalid read of size 8
==24315==    at 0x11710E: wasm_interp_call_func_bytecode (wasm_interp.c:1180)
==24315==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==24315==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==24315==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==24315==    by 0x10BAD7: app_instance_main (main.c:54)
==24315==    by 0x10C0EA: main (main.c:217)
==24315==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==24315== 
==24315== 
==24315== Process terminating with default action of signal 11 (SIGSEGV)
==24315==  Access not within mapped region at address 0x18
==24315==    at 0x11710E: wasm_interp_call_func_bytecode (wasm_interp.c:1180)
==24315==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==24315==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==24315==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==24315==    by 0x10BAD7: app_instance_main (main.c:54)
==24315==    by 0x10C0EA: main (main.c:217)
==24315==  If you believe this happened as a result of a stack
==24315==  overflow in your program's main thread (unlikely but
==24315==  possible), you can try to increase the size of the
==24315==  main thread stack using the --main-stacksize= flag.
==24315==  The main thread stack size used in this run was 8388608.
==24315== 
==24315== HEAP SUMMARY:
==24315==     in use at exit: 0 bytes in 0 blocks
==24315==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==24315== 
==24315== All heap blocks were freed -- no leaks are possible
==24315== 
==24315== For counts of detected and suppressed errors, rerun with: -v
==24315== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    24315 segmentation fault  valgrind ./iwasm

Provide an example/tools on how to compile source code without emscripten.

emscripten is basically llvm + a runtime lib for browser

if this project already provides the runtime then there is no need for emscripten in the toolchain

furthermore, the latest llvm already provides some improvements in this regard

I was able to do this some time ago (compile a minimal .wasm program with only llvm) but it was a very tricky endeavour so if other developers want to achieve the same thing they would have to walk through stones to accomplish it

so, a working an example and pipeline for compiling without emscripten would be a nice addition to this repository

Heap out of bounds read - WASM_OP_I64_LOAD8_S: wasm_interp_call_func_bytecode (wasm_interp.c:1160)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1160)
case: WASM_OP_I64_LOAD8_S

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Dockerfile for development

I put together a simple Dockerfile so that I can easily develop on my macOS machine, found here: https://github.com/beriberikix/wamr-docker

Is there any interest in including it? I added the test.c from the README since it isn't in the main repo, but can easily remove it before merging.

Heap out of bounds read - WASM_OP_F32_STORE: wasm_interp_call_func_bytecode (wasm_interp.c:1200)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1200)
case: WASM_OP_F32_STORE / CHECK_MEMORY_OVERFLOW();

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    28378 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810fc --> 0x17000b0000000042 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x5555555637be (<wasm_interp_call_func_bytecode+17279>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x6e ('n')
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x430bc0c0c000210b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f186 --> 0x6d0400010701656d 
R13: 0x5555557810fc --> 0x17000b0000000042 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555637ac <wasm_interp_call_func_bytecode+17261>:	jbe    0x55555556383a <wasm_interp_call_func_bytecode+17403>
   0x5555555637b2 <wasm_interp_call_func_bytecode+17267>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x5555555637b7 <wasm_interp_call_func_bytecode+17272>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x5555555637be <wasm_interp_call_func_bytecode+17279>:	mov    rdx,QWORD PTR [rax+0x18]
   0x5555555637c2 <wasm_interp_call_func_bytecode+17283>:	mov    ecx,DWORD PTR [rbp-0x668]
   0x5555555637c8 <wasm_interp_call_func_bytecode+17289>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x5555555637cf <wasm_interp_call_func_bytecode+17296>:	mov    eax,DWORD PTR [rax+0x30]
   0x5555555637d2 <wasm_interp_call_func_bytecode+17299>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0x7f00c50000019000 
0040| 0x7fffffffce08 --> 0x17f7f3801 
0048| 0x7fffffffce10 --> 0x7fff00000004 
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555637be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1200
1200	          CHECK_MEMORY_OVERFLOW();
#0  0x00005555555637be in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1200
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==28367== Memcheck, a memory error detector
==28367== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==28367== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==28367== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556384f/PoC.wasm
==28367== 
==28367== Invalid read of size 8
==28367==    at 0x1177BE: wasm_interp_call_func_bytecode (wasm_interp.c:1200)
==28367==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==28367==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==28367==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==28367==    by 0x10BAD7: app_instance_main (main.c:54)
==28367==    by 0x10C0EA: main (main.c:217)
==28367==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==28367== 
==28367== 
==28367== Process terminating with default action of signal 11 (SIGSEGV)
==28367==  Access not within mapped region at address 0x18
==28367==    at 0x1177BE: wasm_interp_call_func_bytecode (wasm_interp.c:1200)
==28367==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==28367==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==28367==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==28367==    by 0x10BAD7: app_instance_main (main.c:54)
==28367==    by 0x10C0EA: main (main.c:217)
==28367==  If you believe this happened as a result of a stack
==28367==  overflow in your program's main thread (unlikely but
==28367==  possible), you can try to increase the size of the
==28367==  main thread stack using the --main-stacksize= flag.
==28367==  The main thread stack size used in this run was 8388608.
==28367== 
==28367== HEAP SUMMARY:
==28367==     in use at exit: 0 bytes in 0 blocks
==28367==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==28367== 
==28367== All heap blocks were freed -- no leaks are possible
==28367== 
==28367== For counts of detected and suppressed errors, rerun with: -v
==28367== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    28367 segmentation fault  valgrind ./iwasm

Failed to build for 64bit target

The 32bit build is successful. However after changing cmake variable BUILD_AS_64BIT_SUPPORT from "NO" to "YES" to enable 64bit build, the make will fail with below message:

[ 24%] Building C object CMakeFiles/vmlib.dir/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c.o
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:329:23: error: ‘get_va_list’ declared as function returning an array
 static inline va_list get_va_list(uint32 *args)
                       ^~~~~~~~~~~
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c: In function ‘get_va_list’:
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:336:8: warning: returning ‘__va_list_tag *’ from a function with return type ‘int’ makes integer from pointer without a cast [-Wint-conversion]
 return u.v;
        ^
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:336:8: warning: function returns address of local variable [-Wreturn-local-addr]
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c: In function ‘parse_printf_args’:
/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c:356:12: error: assignment to expression with array type
 *p_va_args = u.v;
            ^
make[2]: *** [CMakeFiles/vmlib.dir/build.make:219: CMakeFiles/vmlib.dir/home/terry/wasm/wasm-micro-runtime/core/iwasm/lib/native/libc/libc_wrapper.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:147: CMakeFiles/vmlib.dir/all] Error 2
make: *** [Makefile:130: all] Error 2

I am working on Ubuntu with GCC 8.3.

Segmentation fault - WASM_OP_ELSE: wasm_interp_call_func_bytecode (wasm_interp.c:825)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Segmentation fault in wasm_interp_call_func_bytecode (wasm_interp.c:825)
case: WASM_OP_ELSE

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

macOS version at some point ?

Heap out of bounds read in __syscall3_wrapper (wasm_native.c:140)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in __syscall3_wrapper (wasm_native.c:140)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash


[1]    22055 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x5555557c2718 --> 0x1d68 
RBX: 0x5555557c537c --> 0x2000000092 
RCX: 0x555555782478 --> 0x0 
RDX: 0xffffffff 
RSI: 0x555555782478 --> 0x0 
RDI: 0x5555557c2718 --> 0x1d68 
RBP: 0x7fffffffcc20 --> 0x7fffffffcc50 --> 0x7fffffffccd0 --> 0x7fffffffcdd0 --> 0x7fffffffd6c0 --> 0x7fffffffd7b0 (--> ...)
RSP: 0x7fffffffcbc8 --> 0x55555555e00d (<__syscall3_wrapper+410>:	mov    rax,QWORD PTR [rbp-0x28])
RIP: 0x7ffff75b5cf4 (<__memmove_avx_unaligned_erms+548>:	vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20])
R8 : 0x0 
R9 : 0x7fffffffd1d0 --> 0x55555577f41c --> 0x7f027f02012e0b0b 
R10: 0x0 
R11: 0x5555557c4b28 --> 0x100000001 
R12: 0x55555577f411 --> 0xb0041057f417f04 
R13: 0x5555557c5368 --> 0x2000000001 
R14: 0x5555557c4d94 --> 0x2a88ffffffff 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff75b5ce5 <__memmove_avx_unaligned_erms+533>:	vmovdqu ymm5,YMMWORD PTR [rsi+0x20]
   0x7ffff75b5cea <__memmove_avx_unaligned_erms+538>:	vmovdqu ymm6,YMMWORD PTR [rsi+0x40]
   0x7ffff75b5cef <__memmove_avx_unaligned_erms+543>:	vmovdqu ymm7,YMMWORD PTR [rsi+0x60]
=> 0x7ffff75b5cf4 <__memmove_avx_unaligned_erms+548>:	vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20]
   0x7ffff75b5cfa <__memmove_avx_unaligned_erms+554>:	lea    r11,[rdi+rdx*1-0x20]
   0x7ffff75b5cff <__memmove_avx_unaligned_erms+559>:	lea    rcx,[rsi+rdx*1-0x20]
   0x7ffff75b5d04 <__memmove_avx_unaligned_erms+564>:	mov    r9,r11
   0x7ffff75b5d07 <__memmove_avx_unaligned_erms+567>:	mov    r8,r11
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcbc8 --> 0x55555555e00d (<__syscall3_wrapper+410>:	mov    rax,QWORD PTR [rbp-0x28])
0008| 0x7fffffffcbd0 --> 0x2 
0016| 0x7fffffffcbd8 --> 0x9200000001 
0024| 0x7fffffffcbe0 --> 0x100000000 
0032| 0x7fffffffcbe8 --> 0x0 
0040| 0x7fffffffcbf0 --> 0x4000029800000002 
0048| 0x7fffffffcbf8 --> 0x555555782480 --> 0xffffffff00000000 
0056| 0x7fffffffcc00 --> 0x5555557822c8 --> 0x100000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
427	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
#1  0x000055555555e00d in __syscall3_wrapper (arg0=0x92, arg1=0x1, arg2=0x0, arg3=0x2) at XYZ/wasm-micro-runtime/core/iwasm/runtime/platform/linux/wasm_native.c:140
#2  0x000055555555e453 in ___syscall146_wrapper (_id=0x92, args_off=0x20) at XYZ/wasm-micro-runtime/core/iwasm/runtime/platform/linux/wasm_native.c:234
#3  0x0000555555576613 in invokeNative (argv=0x7fffffffcd40, argc=0x2, native_code=0x55555555e3d8 <___syscall146_wrapper>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/invokeNative_general.c:30
#4  0x000055555555f264 in wasm_interp_call_func_native (self=0x5555557823c8 <global_heap_buf+13608>, cur_func=0x555555781338 <global_heap_buf+9368>, prev_frame=0x5555557c5320 <global_heap_buf+287872>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:665
#5  0x0000555555567e83 in wasm_interp_call_func_bytecode (self=0x5555557823c8 <global_heap_buf+13608>, cur_func=0x555555781338 <global_heap_buf+9368>, prev_frame=0x5555557c5320 <global_heap_buf+287872>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2032
#6  0x00005555555686fd in wasm_interp_call_wasm (function=0x5555557813c8 <global_heap_buf+9512>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#7  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x5555557822c8 <global_heap_buf+13352>, exec_env=0x0, function=0x5555557813c8 <global_heap_buf+9512>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#8  0x0000555555558842 in wasm_application_execute_main (module_inst=0x5555557822c8 <global_heap_buf+13352>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#9  0x0000555555557ad8 in app_instance_main (module_inst=0x5555557822c8 <global_heap_buf+13352>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#10 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#11 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#12 0x000055555555798a in _start ()

Valgrind

==22053== Memcheck, a memory error detector
==22053== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22053== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==22053== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x7ffff75b5cf4/PoC.wasm
==22053== 
==22053== Invalid read of size 1
==22053==    at 0x4C3686D: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22053==    by 0x11200C: __syscall3_wrapper (wasm_native.c:140)
==22053==    by 0x112452: ___syscall146_wrapper (wasm_native.c:234)
==22053==    by 0x12A612: invokeNative (invokeNative_general.c:30)
==22053==    by 0x113263: wasm_interp_call_func_native (wasm_interp.c:665)
==22053==    by 0x11BE82: wasm_interp_call_func_bytecode (wasm_interp.c:2032)
==22053==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==22053==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==22053==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==22053==    by 0x10BAD7: app_instance_main (main.c:54)
==22053==    by 0x10C0EA: main (main.c:217)
==22053==  Address 0x100336476 is not stack'd, malloc'd or (recently) free'd
==22053== 
==22053== 
==22053== Process terminating with default action of signal 11 (SIGSEGV)
==22053==  Access not within mapped region at address 0x100336476
==22053==    at 0x4C3686D: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22053==    by 0x11200C: __syscall3_wrapper (wasm_native.c:140)
==22053==    by 0x112452: ___syscall146_wrapper (wasm_native.c:234)
==22053==    by 0x12A612: invokeNative (invokeNative_general.c:30)
==22053==    by 0x113263: wasm_interp_call_func_native (wasm_interp.c:665)
==22053==    by 0x11BE82: wasm_interp_call_func_bytecode (wasm_interp.c:2032)
==22053==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==22053==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==22053==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==22053==    by 0x10BAD7: app_instance_main (main.c:54)
==22053==    by 0x10C0EA: main (main.c:217)
==22053==  If you believe this happened as a result of a stack
==22053==  overflow in your program's main thread (unlikely but
==22053==  possible), you can try to increase the size of the
==22053==  main thread stack using the --main-stacksize= flag.
==22053==  The main thread stack size used in this run was 8388608.
==22053== 
==22053== HEAP SUMMARY:
==22053==     in use at exit: 0 bytes in 0 blocks
==22053==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==22053== 
==22053== All heap blocks were freed -- no leaks are possible
==22053== 
==22053== For counts of detected and suppressed errors, rerun with: -v
==22053== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    22053 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_STORE16: wasm_interp_call_func_bytecode (wasm_interp.c:1226)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1226)
case: WASM_OP_I32_STORE16

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    14488 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555781108 --> 0x4200000003 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555563e37 (<wasm_interp_call_func_bytecode+18936>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x21 ('!')
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f17d --> 0x6e0417000b00200b 
R13: 0x5555557810fc --> 0x100000000 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555563e25 <wasm_interp_call_func_bytecode+18918>:	jbe    0x555555563eb3 <wasm_interp_call_func_bytecode+19060>
   0x555555563e2b <wasm_interp_call_func_bytecode+18924>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555563e30 <wasm_interp_call_func_bytecode+18929>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555563e37 <wasm_interp_call_func_bytecode+18936>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555563e3b <wasm_interp_call_func_bytecode+18940>:	mov    ecx,DWORD PTR [rbp-0x69c]
   0x555555563e41 <wasm_interp_call_func_bytecode+18946>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555563e48 <wasm_interp_call_func_bytecode+18953>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555563e4b <wasm_interp_call_func_bytecode+18956>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc50000019000 
0040| 0x7fffffffce08 --> 0x47f7f3b01 
0048| 0x7fffffffce10 --> 0x7fffffffd0e0 --> 0x7fffffffd110 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
1226	        DEF_OP_STORE(uint32, I32, *(uint16*)maddr = (uint16)sval);
#0  0x0000555555563e37 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1226
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==14486== Memcheck, a memory error detector
==14486== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==14486== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==14486== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555563ec8/PoC.wasm
==14486== 
==14486== Invalid read of size 8
==14486==    at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486==    by 0x10BAD7: app_instance_main (main.c:54)
==14486==    by 0x10C0EA: main (main.c:217)
==14486==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==14486== 
==14486== 
==14486== Process terminating with default action of signal 11 (SIGSEGV)
==14486==  Access not within mapped region at address 0x18
==14486==    at 0x117E37: wasm_interp_call_func_bytecode (wasm_interp.c:1226)
==14486==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==14486==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==14486==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==14486==    by 0x10BAD7: app_instance_main (main.c:54)
==14486==    by 0x10C0EA: main (main.c:217)
==14486==  If you believe this happened as a result of a stack
==14486==  overflow in your program's main thread (unlikely but
==14486==  possible), you can try to increase the size of the
==14486==  main thread stack using the --main-stacksize= flag.
==14486==  The main thread stack size used in this run was 8388608.
==14486== 
==14486== HEAP SUMMARY:
==14486==     in use at exit: 0 bytes in 0 blocks
==14486==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==14486== 
==14486== All heap blocks were freed -- no leaks are possible
==14486== 
==14486== For counts of detected and suppressed errors, rerun with: -v
==14486== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    14486 segmentation fault  valgrind ./iwasm

Assertion failed in wasm_interp_call_func_bytecode (wasm_interp.c:849)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Assertion failed in wasm_interp_call_func_bytecode (wasm_interp.c:849)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

iwasm: XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:849: wasm_interp_call_func_bytecode: Assertion `frame_csp - depth + 1 >= frame->csp_bottom' failed.

Heap out of bounds read - WASM_OP_I64_LOAD: wasm_interp_call_func_bytecode (wasm_interp.c:1132)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1132)
case: WASM_OP_I64_LOAD

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds read - WASM_OP_I64_LOAD8_U: Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1164)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1164)
case: WASM_OP_I64_LOAD8_U

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Assertion failed in load_type_section (wasm_loader.c:259)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Assertion failed in load_type_section (wasm_loader.c:259)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

iwasm: XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:259: load_type_section: Assertion `result_count <= 1' failed.
[1]    2373 abort      ./iwasm

Null pointer dereference - wasm_interp_call_wasm (wasm_interp.c:2158)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Null pointer dereference in wasm_interp_call_wasm (wasm_interp.c:2158)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash



[1]    19875 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810b0 --> 0x0 
RCX: 0x557810ec 
RDX: 0x720 
RSI: 0x7fffffffce1c --> 0xffffd0f000000001 
RDI: 0x5555557810b0 --> 0x0 
RBP: 0x7fffffffd6d0 --> 0x7fffffffd7c0 --> 0x7fffffffd810 --> 0x7fffffffd890 --> 0x7fffffffd8c0 --> 0x7fffffffd9b0 (--> ...)
RSP: 0x7fffffffcdf0 --> 0x219000 
RIP: 0x0 
R8 : 0x0 
R9 : 0x7fffffffd758 --> 0x55555578101c --> 0xa0004008 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f15f --> 0x417f044600d8bc85 
R13: 0x5555557810bc --> 0xfffffff6 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcdf0 --> 0x219000 
0008| 0x7fffffffcdf8 --> 0x555555781020 --> 0x0 
0016| 0x7fffffffce00 --> 0x555555780d78 --> 0x100000000 
0024| 0x7fffffffce08 --> 0x555555780fc8 --> 0x0 
0032| 0x7fffffffce10 --> 0xc50000019000 
0040| 0x7fffffffce18 --> 0x1007f0001 
0048| 0x7fffffffce20 --> 0x7fffffffd0f0 --> 0x7fffffffd120 --> 0x7ffff7fcf9c0 ("/lib/x86_64-linux-gnu/libc.so.6")
0056| 0x7fffffffce28 --> 0x8400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x0000000000219000 in ?? ()
#2  0x0000555555781020 in global_heap_buf ()
#3  0x0000555555780d78 in global_heap_buf ()
#4  0x0000555555780fc8 in global_heap_buf ()
#5  0x0000c50000019000 in ?? ()
#6  0x00000001007f0001 in ?? ()
#7  0x00007fffffffd0f0 in ?? ()
#8  0x0000008400000000 in ?? ()
#9  0x00007fff0000000c in ?? ()
#10 0x0000000000000002 in ?? ()
#11 0x000000000000fd01 in ?? ()
#12 0x00007ffff7ddbead in _dl_map_segments (loader=<optimized out>, has_holes=<optimized out>, maplength=<optimized out>, nloadcmds=0x0, loadcmds=<optimized out>, type=<optimized out>, header=<optimized out>, fd=<optimized out>, l=0x5555557810b0 <global_heap_buf+8720>) at ./dl-map-segments.h:131
#13 _dl_map_object_from_fd (name=<optimized out>, origname=<optimized out>, fd=<optimized out>, fbp=<optimized out>, realname=<optimized out>, loader=<optimized out>, l_type=<optimized out>, mode=<optimized out>, stack_endp=<optimized out>, nsid=<optimized out>) at dl-load.c:1126
#14 0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d78 <global_heap_buf+7896>, argc=0x0, argv=0x7fffffffd880) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#15 0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780ec8 <global_heap_buf+8232>, exec_env=0x0, function=0x555555780d78 <global_heap_buf+7896>, argc=0x0, argv=0x7fffffffd880) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#16 0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780ec8 <global_heap_buf+8232>, argc=0x1, argv=0x7fffffffdaa0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#17 0x0000555555557ad8 in app_instance_main (module_inst=0x555555780ec8 <global_heap_buf+8232>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#18 0x00005555555580eb in main (argc=0x1, argv=0x7fffffffdaa0) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#19 0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda88) at ../csu/libc-start.c:310
#20 0x000055555555798a in _start ()

Valgrind

==19851== Memcheck, a memory error detector
==19851== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19851== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==19851== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x0/PoC.wasm
==19851== 
==19851== Jump to the invalid address stated on the next line
==19851==    at 0x0: ???
==19851==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==19851==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==19851==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==19851==    by 0x10BAD7: app_instance_main (main.c:54)
==19851==    by 0x10C0EA: main (main.c:217)
==19851==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19851== 
==19851== 
==19851== Process terminating with default action of signal 11 (SIGSEGV)
==19851==  Bad permissions for mapped region at address 0x0
==19851==    at 0x0: ???
==19851==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==19851==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==19851==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==19851==    by 0x10BAD7: app_instance_main (main.c:54)
==19851==    by 0x10C0EA: main (main.c:217)
==19851== 
==19851== HEAP SUMMARY:
==19851==     in use at exit: 0 bytes in 0 blocks
==19851==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==19851== 
==19851== All heap blocks were freed -- no leaks are possible
==19851== 
==19851== For counts of detected and suppressed errors, rerun with: -v
==19851== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    19851 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_LOAD16_U: wasm_interp_call_func_bytecode (wasm_interp.c:1156)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1156)
case: WASM_OP_I32_LOAD16_U

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Drop instruction not implemented

WASI support?

Hi 👋

Excellent initiative, great to see more Wasm runtimes from experienced vendors.

I was hoping to find out what your feelings/plans are around supporting WASI, Mozilla’s proposed systems interface for Wasm applications.

Thanks again for this project 🙂

Heap out of bounds read in wasm_runtime_get_func_code_end (wasm_runtime.h:221)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_runtime_get_func_code_end (wasm_runtime.h:221)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    31428 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x50000000000000 ('')
RBX: 0x5555557835b0 --> 0x3 
RCX: 0x0 
RDX: 0x5555557834e4 --> 0x555555783490 --> 0x0 
RSI: 0x5555557834e4 --> 0x555555783490 --> 0x0 
RDI: 0x50000000000000 ('')
RBP: 0x7fffffffcd60 --> 0x7fffffffd650 --> 0x7fffffffd740 --> 0x7fffffffd790 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 (--> ...)
RSP: 0x7fffffffcd60 --> 0x7fffffffd650 --> 0x7fffffffd740 --> 0x7fffffffd790 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 (--> ...)
RIP: 0x55555555e9ac (<wasm_runtime_get_func_code_end+12>:	movzx  eax,BYTE PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd910 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
R10: 0x0 
R11: 0x246 
R12: 0x55555577f220 --> 0xa00018b800000b0b 
R13: 0x5555557835b0 --> 0x3 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555e9a1 <wasm_runtime_get_func_code_end+1>:	mov    rbp,rsp
   0x55555555e9a4 <wasm_runtime_get_func_code_end+4>:	mov    QWORD PTR [rbp-0x8],rdi
   0x55555555e9a8 <wasm_runtime_get_func_code_end+8>:	mov    rax,QWORD PTR [rbp-0x8]
=> 0x55555555e9ac <wasm_runtime_get_func_code_end+12>:	movzx  eax,BYTE PTR [rax]
   0x55555555e9af <wasm_runtime_get_func_code_end+15>:	test   al,al
   0x55555555e9b1 <wasm_runtime_get_func_code_end+17>:	je     0x55555555e9ba <wasm_runtime_get_func_code_end+26>
   0x55555555e9b3 <wasm_runtime_get_func_code_end+19>:	mov    eax,0x0
   0x55555555e9b8 <wasm_runtime_get_func_code_end+24>:	jmp    0x55555555e9d6 <wasm_runtime_get_func_code_end+54>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd60 --> 0x7fffffffd650 --> 0x7fffffffd740 --> 0x7fffffffd790 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 (--> ...)
0008| 0x7fffffffcd68 --> 0x55555556829d (<wasm_interp_call_func_bytecode+36446>:	mov    QWORD PTR [rbp-0x4d0],rax)
0016| 0x7fffffffcd70 --> 0x0 
0024| 0x7fffffffcd78 --> 0x555555783490 --> 0x0 
0032| 0x7fffffffcd80 --> 0x50000000000000 ('')
0040| 0x7fffffffcd88 --> 0x5555557813d8 --> 0x0 
0048| 0x7fffffffcd90 --> 0xc500003ec860 
0056| 0x7fffffffcd98 --> 0x100000ae0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555e9ac in wasm_runtime_get_func_code_end (func=0x50000000000000) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.h:221
221	    return func->is_import_func
#0  0x000055555555e9ac in wasm_runtime_get_func_code_end (func=0x50000000000000) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.h:221
#1  0x000055555556829d in wasm_interp_call_func_bytecode (self=0x5555557813d8 <global_heap_buf+9528>, cur_func=0x50000000000000, prev_frame=0x555555783490 <global_heap_buf+17904>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2094
#2  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780f30 <global_heap_buf+8336>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#3  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x5555557812d8 <global_heap_buf+9272>, exec_env=0x0, function=0x555555780f30 <global_heap_buf+8336>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#4  0x000055555555a946 in execute_post_inst_function (module_inst=0x5555557812d8 <global_heap_buf+9272>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:707
#5  0x000055555555b554 in wasm_runtime_instantiate (module=0x55555577f228 <global_heap_buf+904>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:950
#6  0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#7  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#8  0x000055555555798a in _start ()

Valgrind

==31417== Memcheck, a memory error detector
==31417== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31417== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==31417== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555555ea3d/PoC.wasm
==31417== 
==31417== Invalid read of size 1
==31417==    at 0x1129AC: wasm_runtime_get_func_code_end (wasm_runtime.h:221)
==31417==    by 0x11C29C: wasm_interp_call_func_bytecode (wasm_interp.c:2094)
==31417==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==31417==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==31417==    by 0x10E945: execute_post_inst_function (wasm_runtime.c:707)
==31417==    by 0x10F553: wasm_runtime_instantiate (wasm_runtime.c:950)
==31417==    by 0x10C07A: main (main.c:203)
==31417==  Address 0x50000000000001 is not stack'd, malloc'd or (recently) free'd
==31417== 
==31417== 
==31417== Process terminating with default action of signal 11 (SIGSEGV)
==31417==  General Protection Fault
==31417==    at 0x1129AC: wasm_runtime_get_func_code_end (wasm_runtime.h:221)
==31417==    by 0x11C29C: wasm_interp_call_func_bytecode (wasm_interp.c:2094)
==31417==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==31417==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==31417==    by 0x10E945: execute_post_inst_function (wasm_runtime.c:707)
==31417==    by 0x10F553: wasm_runtime_instantiate (wasm_runtime.c:950)
==31417==    by 0x10C07A: main (main.c:203)
==31417== 
==31417== HEAP SUMMARY:
==31417==     in use at exit: 0 bytes in 0 blocks
==31417==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==31417== 
==31417== All heap blocks were freed -- no leaks are possible
==31417== 
==31417== For counts of detected and suppressed errors, rerun with: -v
==31417== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    31417 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_CALL_INDIRECT: wasm_interp_call_func_bytecode (wasm_interp.c:906)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:906)
case: WASM_OP_CALL_INDIRECT

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    32292 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555793364 --> 0x300000000 
RCX: 0x0 
RDX: 0x0 
RSI: 0x7fffffffcdac --> 0x1 
RDI: 0x55555577f178 --> 0x2d004100080b0000 
RBP: 0x7fffffffd660 --> 0x7fffffffd750 --> 0x7fffffffd7a0 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcd80 --> 0x3e7000 ('')
RIP: 0x5555555604f3 (<wasm_interp_call_func_bytecode+4276>:	mov    eax,DWORD PTR [rax+0x4])
R8 : 0x1 
R9 : 0x7fffffffd910 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
R10: 0x0 
R11: 0x246 
R12: 0x55555577f17a --> 0x2d004100080b 
R13: 0x555555793360 --> 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555604e3 <wasm_interp_call_func_bytecode+4260>:	cmp    DWORD PTR [rbp-0x50c],0x0
   0x5555555604ea <wasm_interp_call_func_bytecode+4267>:	js     0x5555555604fe <wasm_interp_call_func_bytecode+4287>
   0x5555555604ec <wasm_interp_call_func_bytecode+4269>:	mov    rax,QWORD PTR [rbp-0x498]
=> 0x5555555604f3 <wasm_interp_call_func_bytecode+4276>:	mov    eax,DWORD PTR [rax+0x4]
   0x5555555604f6 <wasm_interp_call_func_bytecode+4279>:	cmp    DWORD PTR [rbp-0x50c],eax
   0x5555555604fc <wasm_interp_call_func_bytecode+4285>:	jl     0x555555560519 <wasm_interp_call_func_bytecode+4314>
   0x5555555604fe <wasm_interp_call_func_bytecode+4287>:	mov    rax,QWORD PTR [rbp-0x4a0]
   0x555555560505 <wasm_interp_call_func_bytecode+4294>:	lea    rsi,[rip+0x1883d]        # 0x555555578d49
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd80 --> 0x3e7000 ('')
0008| 0x7fffffffcd88 --> 0x555555793294 --> 0x555555793240 --> 0x0 
0016| 0x7fffffffcd90 --> 0x555555780da0 --> 0x0 
0024| 0x7fffffffcd98 --> 0x555555781180 --> 0x0 
0032| 0x7fffffffcda0 --> 0xc500001e7000 
0040| 0x7fffffffcda8 --> 0x100002803 
0048| 0x7fffffffcdb0 --> 0x0 
0056| 0x7fffffffcdb8 --> 0x9040000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555604f3 in wasm_interp_call_func_bytecode (self=0x555555781180 <global_heap_buf+8928>, cur_func=0x555555780da0 <global_heap_buf+7936>, prev_frame=0x555555793294 <global_heap_buf+82932>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:906
906	          if (val < 0 || val >= (int32)table->cur_size) {
#0  0x00005555555604f3 in wasm_interp_call_func_bytecode (self=0x555555781180 <global_heap_buf+8928>, cur_func=0x555555780da0 <global_heap_buf+7936>, prev_frame=0x555555793294 <global_heap_buf+82932>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:906
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780dd0 <global_heap_buf+7984>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555781080 <global_heap_buf+8672>, exec_env=0x0, function=0x555555780dd0 <global_heap_buf+7984>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x000055555555a9d5 in execute_start_function (module_inst=0x555555781080 <global_heap_buf+8672>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:721
#4  0x000055555555b596 in wasm_runtime_instantiate (module=0x55555577f1a0 <global_heap_buf+768>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:958
#5  0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==32277== Memcheck, a memory error detector
==32277== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32277== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32277== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555560584/PoC.wasm
==32277== 
==32277== Invalid read of size 4
==32277==    at 0x1144F3: wasm_interp_call_func_bytecode (wasm_interp.c:906)
==32277==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32277==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32277==    by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==32277==    by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==32277==    by 0x10C07A: main (main.c:203)
==32277==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==32277== 
==32277== 
==32277== Process terminating with default action of signal 11 (SIGSEGV)
==32277==  Access not within mapped region at address 0x4
==32277==    at 0x1144F3: wasm_interp_call_func_bytecode (wasm_interp.c:906)
==32277==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32277==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32277==    by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==32277==    by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==32277==    by 0x10C07A: main (main.c:203)
==32277==  If you believe this happened as a result of a stack
==32277==  overflow in your program's main thread (unlikely but
==32277==  possible), you can try to increase the size of the
==32277==  main thread stack using the --main-stacksize= flag.
==32277==  The main thread stack size used in this run was 8388608.
==32277== 
==32277== HEAP SUMMARY:
==32277==     in use at exit: 0 bytes in 0 blocks
==32277==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==32277== 
==32277== All heap blocks were freed -- no leaks are possible
==32277== 
==32277== For counts of detected and suppressed errors, rerun with: -v
==32277== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    32277 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_LOAD: wasm_interp_call_func_bytecode (wasm_interp.c:1128)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1128)
case: WASM_OP_I32_LOAD

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Heap out of bounds write in load_function_section (wasm_loader.c:701)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds write in load_function_section (wasm_loader.c:701)

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    27515 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555780e90 --> 0x555555780ed8 --> 0x555555780e70 --> 0x100000004 
RCX: 0x555555780f08 --> 0x0 
RDX: 0x5555557ff000 
RSI: 0x55555577f1ac --> 0x2a00018b8 
RDI: 0x55555577f1a1 --> 0x20a00220a0012000 
RBP: 0x7fffffffd750 --> 0x7fffffffd7d0 --> 0x7fffffffd830 --> 0x7fffffffd870 --> 0x7fffffffd8a0 --> 0x7fffffffd990 (--> ...)
RSP: 0x7fffffffd690 --> 0x7fffffffd900 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
RIP: 0x55555556b346 (<load_function_section+1663>:	mov    BYTE PTR [rdx],al)
R8 : 0x0 
R9 : 0x7fffffffd700 --> 0x0 
R10: 0x0 
R11: 0x246 
R12: 0x555555557960 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffda70 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555556b339 <load_function_section+1650>:	mov    eax,eax
   0x55555556b33b <load_function_section+1652>:	lea    rdx,[rcx+rax*1]
   0x55555556b33f <load_function_section+1656>:	movzx  eax,BYTE PTR [rbp-0x85]
=> 0x55555556b346 <load_function_section+1663>:	mov    BYTE PTR [rdx],al
   0x55555556b348 <load_function_section+1665>:	add    DWORD PTR [rbp-0x78],0x1
   0x55555556b34c <load_function_section+1669>:	mov    eax,DWORD PTR [rbp-0x78]
   0x55555556b34f <load_function_section+1672>:	cmp    eax,DWORD PTR [rbp-0x54]
   0x55555556b352 <load_function_section+1675>:	jb     0x55555556b328 <load_function_section+1633>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd690 --> 0x7fffffffd900 --> 0x7ffff7ffa268 (add    BYTE PTR ss:[rax],al)
0008| 0x7fffffffd698 --> 0x55555577f1b0 --> 0x2 
0016| 0x7fffffffd6a0 --> 0x55555577f1ac --> 0x2a00018b8 
0024| 0x7fffffffd6a8 --> 0x55555577f18f --> 0x9201200020000902 
0032| 0x7fffffffd6b0 --> 0x55555577f158 --> 0x2e32336616023307 
0040| 0x7fffffffd6b8 --> 0x55555577f155 --> 0x6616023307010002 
0048| 0x7fffffffd6c0 --> 0x7fffffffd760 --> 0x80 
0056| 0x7fffffffd6c8 --> 0x100569320 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556b346 in load_function_section (buf=0x55555577f155 <global_heap_buf+693> "\002", buf_end=0x55555577f158 <global_heap_buf+696> "\a3\002\026f32.no_reassociate_add", buf_code=0x55555577f18f <global_heap_buf+751> "\002\t", buf_code_end=0x55555577f1ac <global_heap_buf+780> "\270\030", module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:701
701	                    func->local_types[local_type_index++] = type;
#0  0x000055555556b346 in load_function_section (buf=0x55555577f155 <global_heap_buf+693> "\002", buf_end=0x55555577f158 <global_heap_buf+696> "\a3\002\026f32.no_reassociate_add", buf_code=0x55555577f18f <global_heap_buf+751> "\002\t", buf_code_end=0x55555577f1ac <global_heap_buf+780> "\270\030", module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:701
#1  0x000055555556c96a in load_from_sections (module=0x55555577f1b0 <global_heap_buf+784>, sections=0x555555780da0 <global_heap_buf+7936>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1143
#2  0x000055555556d00a in load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, module=0x55555577f1b0 <global_heap_buf+784>, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1388
#3  0x000055555556d124 in wasm_loader_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_loader.c:1429
#4  0x00005555555594f5 in wasm_runtime_load (buf=0x55555577f138 <global_heap_buf+664> "", size=0x74, error_buf=0x7fffffffd900 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:137
#5  0x000055555555802d in main (argc=0x1, argv=0x7fffffffda80) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:196
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda68) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==27508== Memcheck, a memory error detector
==27508== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27508== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==27508== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556b3d7/PoC.wasm
==27508== 
==27508== Invalid write of size 1
==27508==    at 0x11F346: load_function_section (wasm_loader.c:701)
==27508==    by 0x120969: load_from_sections (wasm_loader.c:1143)
==27508==    by 0x121009: load (wasm_loader.c:1388)
==27508==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==27508==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==27508==    by 0x10C02C: main (main.c:196)
==27508==  Address 0x3b3000 is not stack'd, malloc'd or (recently) free'd
==27508== 
==27508== 
==27508== Process terminating with default action of signal 11 (SIGSEGV)
==27508==  Access not within mapped region at address 0x3B3000
==27508==    at 0x11F346: load_function_section (wasm_loader.c:701)
==27508==    by 0x120969: load_from_sections (wasm_loader.c:1143)
==27508==    by 0x121009: load (wasm_loader.c:1388)
==27508==    by 0x121123: wasm_loader_load (wasm_loader.c:1429)
==27508==    by 0x10D4F4: wasm_runtime_load (wasm_runtime.c:137)
==27508==    by 0x10C02C: main (main.c:196)
==27508==  If you believe this happened as a result of a stack
==27508==  overflow in your program's main thread (unlikely but
==27508==  possible), you can try to increase the size of the
==27508==  main thread stack using the --main-stacksize= flag.
==27508==  The main thread stack size used in this run was 8388608.
==27508== 
==27508== HEAP SUMMARY:
==27508==     in use at exit: 0 bytes in 0 blocks
==27508==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==27508== 
==27508== All heap blocks were freed -- no leaks are possible
==27508== 
==27508== For counts of detected and suppressed errors, rerun with: -v
==27508== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    27508 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_LOAD8_S: wasm_interp_call_func_bytecode (wasm_interp.c:1144)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1144)
case: WASM_OP_I32_LOAD8_S

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash


[CE249740]: WASM loader find block addr failed: invalid opcode c1.
[1]    30370 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[F7FCC740]: WASM loader find block addr failed: invalid opcode c1.

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555781104 --> 0x7f0300000002 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x30b95623 
RIP: 0x555555561d51 (<wasm_interp_call_func_bytecode+10514>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x3 
R9 : 0x7fffffffd1d0 --> 0x55555577f17d --> 0x6e0417000b00200b 
R10: 0x2 
R11: 0x246 
R12: 0x55555577f165 --> 0xd8bc85e44100c1 
R13: 0x5555557810fc --> 0x100000000 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555561d3f <wasm_interp_call_func_bytecode+10496>:	jbe    0x555555561dcd <wasm_interp_call_func_bytecode+10638>
   0x555555561d45 <wasm_interp_call_func_bytecode+10502>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555561d4a <wasm_interp_call_func_bytecode+10507>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555561d51 <wasm_interp_call_func_bytecode+10514>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555561d55 <wasm_interp_call_func_bytecode+10518>:	mov    ecx,DWORD PTR [rbp-0x5a4]
   0x555555561d5b <wasm_interp_call_func_bytecode+10524>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555561d62 <wasm_interp_call_func_bytecode+10531>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555561d65 <wasm_interp_call_func_bytecode+10534>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x30b95623 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0xc55555577503 
0040| 0x7fffffffce08 --> 0x1407f2c68 
0048| 0x7fffffffce10 --> 0x7ffff780e760 --> 0x0 
0056| 0x7fffffffce18 --> 0xd000000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555561d51 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1144
1144	        DEF_OP_LOAD(PUSH_I32(sign_ext_8_32(*(int8*)maddr)));
#0  0x0000555555561d51 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1144
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==30353== Memcheck, a memory error detector
==30353== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30353== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30353== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x555555561de2/PoC.wasm
==30353== 
[404FB80]: WASM loader find block addr failed: invalid opcode c1.
==30353== Invalid read of size 8
==30353==    at 0x115D51: wasm_interp_call_func_bytecode (wasm_interp.c:1144)
==30353==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==30353==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==30353==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==30353==    by 0x10BAD7: app_instance_main (main.c:54)
==30353==    by 0x10C0EA: main (main.c:217)
==30353==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==30353== 
==30353== 
==30353== Process terminating with default action of signal 11 (SIGSEGV)
==30353==  Access not within mapped region at address 0x18
==30353==    at 0x115D51: wasm_interp_call_func_bytecode (wasm_interp.c:1144)
==30353==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==30353==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==30353==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==30353==    by 0x10BAD7: app_instance_main (main.c:54)
==30353==    by 0x10C0EA: main (main.c:217)
==30353==  If you believe this happened as a result of a stack
==30353==  overflow in your program's main thread (unlikely but
==30353==  possible), you can try to increase the size of the
==30353==  main thread stack using the --main-stacksize= flag.
==30353==  The main thread stack size used in this run was 8388608.
==30353== 
==30353== HEAP SUMMARY:
==30353==     in use at exit: 0 bytes in 0 blocks
==30353==   total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated
==30353== 
==30353== All heap blocks were freed -- no leaks are possible
==30353== 
==30353== For counts of detected and suppressed errors, rerun with: -v
==30353== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    30353 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_I32_STORE8: wasm_interp_call_func_bytecode (wasm_interp.c:1222)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1222)
case: WASM_OP_I32_STORE8

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Null pointer dereference - WASM_OP_BR_TABLE: wasm_interp_call_func_bytecode (wasm_interp.c:876)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Null pointer dereference in wasm_interp_call_func_bytecode (wasm_interp.c:876)
case: WASM_OP_BR_TABLE

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash


[1]    32279 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x5555557fee9c --> 0x100000000 
RDX: 0x61 ('a')
RSI: 0x0 
RDI: 0x55555577eeb8 --> 0x0 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x55555556031f (<wasm_interp_call_func_bytecode+3808>:	movzx  eax,BYTE PTR [rax])
R8 : 0x0 
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x430bc0c0c000210b 
R10: 0x0 
R11: 0x246 
R12: 0x1 
R13: 0x5555557810fc --> 0x17000b0000000042 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555560317 <wasm_interp_call_func_bytecode+3800>:	nop
   0x555555560318 <wasm_interp_call_func_bytecode+3801>:	mov    rax,r12
   0x55555556031b <wasm_interp_call_func_bytecode+3804>:	lea    r12,[rax+0x1]
=> 0x55555556031f <wasm_interp_call_func_bytecode+3808>:	movzx  eax,BYTE PTR [rax]
   0x555555560322 <wasm_interp_call_func_bytecode+3811>:	movzx  eax,al
   0x555555560325 <wasm_interp_call_func_bytecode+3814>:	cdqe   
   0x555555560327 <wasm_interp_call_func_bytecode+3816>:	lea    rdx,[rax*8+0x0]
   0x55555556032f <wasm_interp_call_func_bytecode+3824>:	lea    rax,[rip+0x21e32a]        # 0x55555577e660 <handle_table.5444>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0x7f00c50000019000 
0040| 0x7fffffffce08 --> 0x17f7f0001 
0048| 0x7fffffffce10 --> 0x610000006d ('m')
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555556031f in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:876
876	        HANDLE_OP_END ();
#0  0x000055555556031f in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:876
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==32262== Memcheck, a memory error detector
==32262== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32262== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32262== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555603b0/PoC.wasm
==32262== 
==32262== Invalid read of size 1
==32262==    at 0x11431F: wasm_interp_call_func_bytecode (wasm_interp.c:876)
==32262==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32262==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32262==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==32262==    by 0x10BAD7: app_instance_main (main.c:54)
==32262==    by 0x10C0EA: main (main.c:217)
==32262==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==32262== 
==32262== 
==32262== Process terminating with default action of signal 11 (SIGSEGV)
==32262==  Access not within mapped region at address 0x0
==32262==    at 0x11431F: wasm_interp_call_func_bytecode (wasm_interp.c:876)
==32262==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==32262==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==32262==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==32262==    by 0x10BAD7: app_instance_main (main.c:54)
==32262==    by 0x10C0EA: main (main.c:217)
==32262==  If you believe this happened as a result of a stack
==32262==  overflow in your program's main thread (unlikely but
==32262==  possible), you can try to increase the size of the
==32262==  main thread stack using the --main-stacksize= flag.
==32262==  The main thread stack size used in this run was 8388608.
==32262== 
==32262== HEAP SUMMARY:
==32262==     in use at exit: 0 bytes in 0 blocks
==32262==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==32262== 
==32262== All heap blocks were freed -- no leaks are possible
==32262== 
==32262== For counts of detected and suppressed errors, rerun with: -v
==32262== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    32262 segmentation fault  valgrind ./iwasm

Heap out of bounds read - WASM_OP_GET_GLOBAL: wasm_interp_call_func_bytecode (wasm_interp.c:1185)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1185)
case: WASM_OP_GET_GLOBAL/VALUE_TYPE_F64

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    425 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555557810fc --> 0x17000b0000000042 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd6c0 --> 0x7fffffffd7b0 --> 0x7fffffffd800 --> 0x7fffffffd880 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcde0 --> 0x219000 
RIP: 0x555555563350 (<wasm_interp_call_func_bytecode+16145>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x6e ('n')
R9 : 0x7fffffffd1d0 --> 0x55555577f177 --> 0x430bc0c0c000210b 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f186 --> 0x6d0400010701656d 
R13: 0x5555557810fc --> 0x17000b0000000042 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555556333e <wasm_interp_call_func_bytecode+16127>:	jbe    0x5555555633cc <wasm_interp_call_func_bytecode+16269>
   0x555555563344 <wasm_interp_call_func_bytecode+16133>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555563349 <wasm_interp_call_func_bytecode+16138>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555563350 <wasm_interp_call_func_bytecode+16145>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555563354 <wasm_interp_call_func_bytecode+16149>:	mov    ecx,DWORD PTR [rbp-0x644]
   0x55555556335a <wasm_interp_call_func_bytecode+16155>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555563361 <wasm_interp_call_func_bytecode+16162>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555563364 <wasm_interp_call_func_bytecode+16165>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcde0 --> 0x219000 
0008| 0x7fffffffcde8 --> 0x555555781060 --> 0x0 
0016| 0x7fffffffcdf0 --> 0x555555780d90 --> 0x1000100000000 
0024| 0x7fffffffcdf8 --> 0x555555781008 --> 0x0 
0032| 0x7fffffffce00 --> 0x7f00c50000019000 
0040| 0x7fffffffce08 --> 0x17f7f3601 
0048| 0x7fffffffce10 --> 0x7fff00000004 
0056| 0x7fffffffce18 --> 0x11c00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555563350 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1185
1185	        DEF_OP_STORE(uint32, I32, *(int32*)maddr = sval);
#0  0x0000555555563350 in wasm_interp_call_func_bytecode (self=0x555555781008 <global_heap_buf+8552>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781060 <global_heap_buf+8640>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1185
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780f08 <global_heap_buf+8296>, exec_env=0x0, function=0x555555780d90 <global_heap_buf+7920>, argc=0x0, argv=0x7fffffffd870) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x0000555555558842 in wasm_application_execute_main (module_inst=0x555555780f08 <global_heap_buf+8296>, argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_application.c:109
#4  0x0000555555557ad8 in app_instance_main (module_inst=0x555555780f08 <global_heap_buf+8296>) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:54
#5  0x00005555555580eb in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:217
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==411== Memcheck, a memory error detector
==411== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==411== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==411== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x5555555633e1/PoC.wasm
==411== 
==411== Invalid read of size 8
==411==    at 0x117350: wasm_interp_call_func_bytecode (wasm_interp.c:1185)
==411==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==411==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==411==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==411==    by 0x10BAD7: app_instance_main (main.c:54)
==411==    by 0x10C0EA: main (main.c:217)
==411==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==411== 
==411== 
==411== Process terminating with default action of signal 11 (SIGSEGV)
==411==  Access not within mapped region at address 0x18
==411==    at 0x117350: wasm_interp_call_func_bytecode (wasm_interp.c:1185)
==411==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==411==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==411==    by 0x10C841: wasm_application_execute_main (wasm_application.c:109)
==411==    by 0x10BAD7: app_instance_main (main.c:54)
==411==    by 0x10C0EA: main (main.c:217)
==411==  If you believe this happened as a result of a stack
==411==  overflow in your program's main thread (unlikely but
==411==  possible), you can try to increase the size of the
==411==  main thread stack using the --main-stacksize= flag.
==411==  The main thread stack size used in this run was 8388608.
==411== 
==411== HEAP SUMMARY:
==411==     in use at exit: 0 bytes in 0 blocks
==411==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==411== 
==411== All heap blocks were freed -- no leaks are possible
==411== 
==411== For counts of detected and suppressed errors, rerun with: -v
==411== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    411 segmentation fault  valgrind ./iwasm

JIT compilation ?

I read "WASM interpreter (AOT is planned)": will it be with a JIT? For intel CPU? ARM CPU ? What kind of performances compared to native code can be expected ?

Heap out of bounds read - WASM_OP_I32_LOAD8_U: wasm_interp_call_func_bytecode (wasm_interp.c:1148)

Environment

Questions	Answers
Related Binary	./iwasm (linux build)
Commit	commit `9a02c49`

Vulnerability/issue

Heap out of bounds read in wasm_interp_call_func_bytecode (wasm_interp.c:1148)
case: WASM_OP_I32_LOAD8_U

Steps to reproduce the behavior

Download:
PoC.zip
Run:
./iwasm PoC.wasm

Additional Informations

Crash

[1]    15091 segmentation fault  ./iwasm

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555781264 --> 0x0 
RCX: 0x555555578ea0 ("unaligned load/store in wasm interp, flag is: %d.\n")
RDX: 0x0 
RSI: 0x0 
RDI: 0x2 
RBP: 0x7fffffffd660 --> 0x7fffffffd750 --> 0x7fffffffd7a0 --> 0x7fffffffd7d0 --> 0x7fffffffd8b0 --> 0x7fffffffd9a0 (--> ...)
RSP: 0x7fffffffcd80 --> 0x3e7000 ('')
RIP: 0x555555561f7b (<wasm_interp_call_func_bytecode+11068>:	mov    rdx,QWORD PTR [rax+0x18])
R8 : 0x0 
R9 : 0x7fffffffd684 --> 0x55780dc000000000 
R10: 0x0 
R11: 0x246 
R12: 0x55555577f174 --> 0x80b00003a6a0141 
R13: 0x555555781260 --> 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555561f69 <wasm_interp_call_func_bytecode+11050>:	jbe    0x555555561ff7 <wasm_interp_call_func_bytecode+11192>
   0x555555561f6f <wasm_interp_call_func_bytecode+11056>:	jmp    0x555555568495 <wasm_interp_call_func_bytecode+36950>
   0x555555561f74 <wasm_interp_call_func_bytecode+11061>:	mov    rax,QWORD PTR [rbp-0x4e8]
=> 0x555555561f7b <wasm_interp_call_func_bytecode+11068>:	mov    rdx,QWORD PTR [rax+0x18]
   0x555555561f7f <wasm_interp_call_func_bytecode+11072>:	mov    ecx,DWORD PTR [rbp-0x5b4]
   0x555555561f85 <wasm_interp_call_func_bytecode+11078>:	mov    rax,QWORD PTR [rbp-0x4e8]
   0x555555561f8c <wasm_interp_call_func_bytecode+11085>:	mov    eax,DWORD PTR [rax+0x30]
   0x555555561f8f <wasm_interp_call_func_bytecode+11088>:	cdqe
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd80 --> 0x3e7000 ('')
0008| 0x7fffffffcd88 --> 0x555555781194 --> 0x555555781140 --> 0x0 
0016| 0x7fffffffcd90 --> 0x555555780d90 --> 0x0 
0024| 0x7fffffffcd98 --> 0x5555557810e8 --> 0x0 
0032| 0x7fffffffcda0 --> 0xc500001e7000 
0040| 0x7fffffffcda8 --> 0x100002d03 
0048| 0x7fffffffcdb0 --> 0x0 
0056| 0x7fffffffcdb8 --> 0x9400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555561f7b in wasm_interp_call_func_bytecode (self=0x5555557810e8 <global_heap_buf+8776>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781194 <global_heap_buf+8948>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1148
1148	        DEF_OP_LOAD(PUSH_I32((uint32)(*(uint8*)maddr)));
#0  0x0000555555561f7b in wasm_interp_call_func_bytecode (self=0x5555557810e8 <global_heap_buf+8776>, cur_func=0x555555780d90 <global_heap_buf+7920>, prev_frame=0x555555781194 <global_heap_buf+8948>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:1148
#1  0x00005555555686fd in wasm_interp_call_wasm (function=0x555555780dc0 <global_heap_buf+7968>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_interp.c:2158
#2  0x0000555555559447 in wasm_runtime_call_wasm (module_inst=0x555555780fe8 <global_heap_buf+8520>, exec_env=0x0, function=0x555555780dc0 <global_heap_buf+7968>, argc=0x0, argv=0x0) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:102
#3  0x000055555555a9d5 in execute_start_function (module_inst=0x555555780fe8 <global_heap_buf+8520>) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:721
#4  0x000055555555b596 in wasm_runtime_instantiate (module=0x55555577f1a0 <global_heap_buf+768>, stack_size=0x4000, heap_size=0x2000, error_buf=0x7fffffffd910 "h\242\377\367\377\177", error_buf_size=0x80) at XYZ/wasm-micro-runtime/core/iwasm/runtime/vmcore-wasm/wasm_runtime.c:958
#5  0x000055555555807b in main (argc=0x1, argv=0x7fffffffda90) at XYZ/wasm-micro-runtime/core/iwasm/products/linux/main.c:203
#6  0x00007ffff7448b97 in __libc_start_main (main=0x555555557d8c <main>, argc=0x2, argv=0x7fffffffda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffda78) at ../csu/libc-start.c:310
#7  0x000055555555798a in _start ()

Valgrind

==15088== Memcheck, a memory error detector
==15088== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15088== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==15088== Command: ./iwasm XYZ/wasm-micro-runtime/core/iwasm/products/linux/debug/triage/0x55555556200c/PoC.wasm
==15088== 
==15088== Invalid read of size 8
==15088==    at 0x115F7B: wasm_interp_call_func_bytecode (wasm_interp.c:1148)
==15088==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==15088==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==15088==    by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==15088==    by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==15088==    by 0x10C07A: main (main.c:203)
==15088==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==15088== 
==15088== 
==15088== Process terminating with default action of signal 11 (SIGSEGV)
==15088==  Access not within mapped region at address 0x18
==15088==    at 0x115F7B: wasm_interp_call_func_bytecode (wasm_interp.c:1148)
==15088==    by 0x11C6FC: wasm_interp_call_wasm (wasm_interp.c:2158)
==15088==    by 0x10D446: wasm_runtime_call_wasm (wasm_runtime.c:102)
==15088==    by 0x10E9D4: execute_start_function (wasm_runtime.c:721)
==15088==    by 0x10F595: wasm_runtime_instantiate (wasm_runtime.c:958)
==15088==    by 0x10C07A: main (main.c:203)
==15088==  If you believe this happened as a result of a stack
==15088==  overflow in your program's main thread (unlikely but
==15088==  possible), you can try to increase the size of the
==15088==  main thread stack using the --main-stacksize= flag.
==15088==  The main thread stack size used in this run was 8388608.
==15088== 
==15088== HEAP SUMMARY:
==15088==     in use at exit: 0 bytes in 0 blocks
==15088==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==15088== 
==15088== All heap blocks were freed -- no leaks are possible
==15088== 
==15088== For counts of detected and suppressed errors, rerun with: -v
==15088== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    15088 segmentation fault  valgrind ./iwasm