Null pointer Deference in WasmBinaryBuilder::getFunctionIndexName(unsigned int) in wasm/wasm-binary.cpp

[wcventure]

Hi, there.

A Null pointer Deference problem was discovered in WasmBinaryBuilder::getFunctionIndexName(unsigned int) in wasm/wasm-binary.cpp. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "wasm-opt $POC" to reproduce the problem.
POC.zip

git log

commit 0e5e55053c171b138a0cf5aa8a08de8c7714048f
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Sat Jan 19 05:30:43 2019 -0800

    Show a proper error on an invalid type in binary reading ; fixes #1872 (#1874)

The ASAN dumps the stack trace as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==14886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009ace8e bp 0x7ffccfd53b70 sp 0x7ffccfd539a0 T0)
==14886==The signal is caused by a READ memory access.
==14886==Hint: address points to the zero page.
    #0 0x9ace8d in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:970:10
    #1 0x9ace8d in wasm::WasmBinaryBuilder::processFunctions() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:1508
    #2 0x980f41 in wasm::WasmBinaryBuilder::read() /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:706:3
    #3 0xa81ed9 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:52:10
    #4 0xa84b1c in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-io.cpp:71:5
    #5 0x627919 in main /home/wencheng/Documents/FuzzingObject/binaryen/src/tools/wasm-opt.cpp:144:14
    #6 0x7fac33df582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x51c5b8 in _start (/home/wencheng/Documents/FuzzingObject/binaryen/build/bin/wasm-opt+0x51c5b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/wencheng/Documents/FuzzingObject/binaryen/src/wasm/wasm-binary.cpp:970:10 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int)
==14886==ABORTING

[wcventure]

Can be broken again.
POC.zip

git log

commit e63c4a7d04c145dafaf4b09de5f9f5de69cee8ef (HEAD -> master, origin/master, origin/HEAD)
Author: Alon Zakai <alonzakai@gmail.com>
Date:   Tue Jan 22 17:15:37 2019 -0800

    More misc ASAN fixes (#1882)

    * fix buffer overflow in simple_ast.h printing.
    * check wasm binary format reading of function export indexes for errors.
    * check if s-expr format imports have a non-empty module and base.

    Fixes #1876
    Fixes #1877
    Fixes #1879

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4544==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000a81aa3 bp 0x7ffed8a90870 sp 0x7ffed8a90000 T0)
==4544==The signal is caused by a READ memory access.
==4544==Hint: address points to the zero page.
    #0 0xa81aa2 in AddressIsPoisoned /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_mapping.h:343
    #1 0xa81aa2 in QuickCheckForUnpoisonedRegion /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:32
    #2 0xa81aa2 in __asan_memcpy /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
    #3 0xe09f05 in wasm::WasmBinaryBuilder::getFunctionIndexName(unsigned int) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:970:10
    #4 0xdfed24 in wasm::WasmBinaryBuilder::processFunctions() /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:1534:45
    #5 0xdea7a4 in wasm::WasmBinaryBuilder::read() /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-binary.cpp:706:3
    #6 0xf39472 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-io.cpp:52:10
    #7 0xf3a2f0 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/hjwang/Documents/Experiment/binaryen/src/wasm/wasm-io.cpp:71:5
    #8 0xac966c in main /home/hjwang/Documents/Experiment/binaryen/src/tools/wasm-opt.cpp:144:14
    #9 0x7f7b87f69b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x9c2fe9 in _start (/home/hjwang/Documents/Experiment/binaryen/build/bin/wasm-opt+0x9c2fe9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjwang/Documents/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_mapping.h:343 in AddressIsPoisoned

[kripken]

I think those are fixed with #1887