Closed Bug 1908632 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-buffer-overflow [@ kind] with READ of size 4 through [@ js::wasm::BaseCompiler::emitTableFill]

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1908631
Tracking Status
firefox130 --- affected

People

(Reporter: decoder, Assigned: bvisness)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The attached testcase crashes on mozilla-central revision 20240718-c9dd3166c811 (build with fuzzing, asan and --enable-tests, run FUZZER=Wasm fuzz-tests test.wasm).

Backtrace:

    ==235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5210003a20e8 at pc 0x618dbaa82d41 bp 0x7ffea8408920 sp 0x7ffea8408918
    READ of size 4 at 0x5210003a20e8 thread T0
    SCARINESS: 27 (4-byte-read-heap-buffer-overflow-far-from-bounds)
        #0 0x618dbaa82d40 in kind /js/src/wasm/WasmBCStk.h:169:30
        #1 0x618dbaa82d40 in js::wasm::BaseCompiler::popI32() /js/src/wasm/WasmBCStkMgmt-inl.h:744:9
        #2 0x618dbaaf93c4 in popTableIndexToClampedInt32 /js/src/wasm/WasmBCStkMgmt-inl.h:1221:12
        #3 0x618dbaaf93c4 in js::wasm::BaseCompiler::emitTableFill() /js/src/wasm/WasmBaselineCompile.cpp:6653:16
        #4 0x618dbab2ed3a in js::wasm::BaseCompiler::emitBody() /js/src/wasm/WasmBaselineCompile.cpp:11456:13
        #5 0x618dbab5d058 in emitFunction /js/src/wasm/WasmBaselineCompile.cpp:11853:8
        #6 0x618dbab5d058 in js::wasm::BaselineCompileFunctions(js::wasm::CodeMetadata const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:12029:12
        #7 0x618dbac8284d in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:503:12
        #8 0x618dbac84d9b in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:586:8
        #9 0x618dbac84d9b in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:723:24
        #10 0x618dbac3a2de in bool DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator>(js::wasm::CodeMetadata const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp
        #11 0x618dbac3969b in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:848:8
        #12 0x618db8a9ada2 in testWasmFuzz(unsigned char const*, unsigned long) /js/src/fuzz-tests/testWasm.cpp:283:9
        #13 0x618db8c8915b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
        #14 0x618db8c88be1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
        #15 0x618db8c8a017 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
        #16 0x618db8c8aa25 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
        #17 0x618db8c7c04b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
        #18 0x618db8a9ea16 in main /js/src/fuzz-tests/tests.cpp:116:3
        #19 0x7a7775885082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
        #20 0x618db89bf978 in _start (/home/worker/js/dist/bin/fuzz-tests+0x2763978) (BuildId: 2d5668241c59495773b02908e8d6035dda152b71)
    
    DEDUP_TOKEN: kind
    0x5210003a20e8 is located 24 bytes before 4080-byte region [0x5210003a2100,0x5210003a30f0)
    allocated by thread T0 here:
        #0 0x618db8a5849f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
        #1 0x618dbabf71f0 in js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:370:10
        #2 0x618dbabf71f0 in js_pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:586:26
        #3 0x618dbabf71f0 in maybe_pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:33:12
        #4 0x618dbabf71f0 in pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:46:12
        #5 0x618dbabf71f0 in pod_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:72:12
        #6 0x618dbabf71f0 in mozilla::Vector<js::wasm::Stk, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1027:30
        #7 0x618dbab5c50f in reserve /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1118:9
        #8 0x618dbab5c50f in js::wasm::BaselineCompileFunctions(js::wasm::CodeMetadata const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:12005:12
        #9 0x618dbac8284d in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:503:12
        #10 0x618dbac84d9b in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:586:8
        #11 0x618dbac84d9b in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:723:24
        #12 0x618dbac3a2de in bool DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator>(js::wasm::CodeMetadata const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp
        #13 0x618dbac3969b in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:848:8
        #14 0x618db8a9ada2 in testWasmFuzz(unsigned char const*, unsigned long) /js/src/fuzz-tests/testWasm.cpp:283:9
        [...]
    
    DEDUP_TOKEN: __interceptor_malloc
    SUMMARY: AddressSanitizer: heap-buffer-overflow /js/src/wasm/WasmBCStk.h:169:30 in kind
    Shadow bytes around the buggy address:
      0x5210003a2000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x5210003a2080: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x5210003a2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Heap left redzone:       fa

This is on the raw libFuzzer Wasm target that's part of fuzz tests, but since I am seeing a series of failures, it might be related to bug 1908631. Filing to make sure we don't miss anything.

Attached file Testcase

Ben, this looks related to your patches.

Assignee: nobody → bvisness
Severity: -- → S3
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1908631
Resolution: --- → DUPLICATE
Group: javascript-core-security

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
