Description
I found two crashes by running fuzzing on:
./asm2wasm $FILE
which show the same behaviour (a heap-buffer-overflow), but with different details.
Both are on binaryen version 0c58de1.
Crash 1 file: https://github.com/natalie13m/crashes/blob/master/binaryen-0c58de1/id:000074%2Csig:11%2Csrc:000000%2Cop:havoc%2Crep:128
Crash 2 file: https://github.com/natalie13m/crashes/blob/master/binaryen-0c58de1/id:000288%2Csig:11%2Csrc:000377%2Cop:havoc%2Crep:128
Crash 1
AddressSanitizer output:
==10155==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000956 at pc 0x56469738079d bp 0x7ffffb166400 sp 0x7ffffb1663f0
READ of size 1 at 0x602000000956 thread T0
#0 0x56469738079c in wasm::Asm2WasmPreProcessor::process(char*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/asm2wasm.h:214
#1 0x5646972b59f8 in main /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/tools/asm2wasm.cpp:204
#2 0x7fbf72b041e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
#3 0x5646972c3d8d in _start (/home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm-asan+0x371d8d)
0x602000000956 is located 0 bytes to the right of 6-byte region [0x602000000950,0x602000000956)
allocated by thread T0 here:
#0 0x7fbf73157867 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f867)
#1 0x5646984cff2c in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
#2 0x5646984cff2c in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:444
#3 0x5646984cff2c in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
#4 0x5646984cff2c in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
#5 0x5646984cff2c in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/9/bits/stl_vector.h:302
#6 0x5646984cff2c in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/9/bits/stl_vector.h:521
#7 0x5646984cff2c in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/support/file.cpp:60
#8 0x5646972b5985 in main /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/tools/asm2wasm.cpp:203
#9 0x7fbf72b041e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/asm2wasm.h:214 in wasm::Asm2WasmPreProcessor::process(char*)
Shadow bytes around the buggy address:
0x0c047fff80d0: fa fa 00 00 fa fa 00 02 fa fa fd fd fa fa 00 02
0x0c047fff80e0: fa fa fd fd fa fa 06 fa fa fa 00 00 fa fa 02 fa
0x0c047fff80f0: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa 02 fa
0x0c047fff8100: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 02 fa
0x0c047fff8110: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa fd fd
=>0x0c047fff8120: fa fa fd fd fa fa 00 00 fa fa[06]fa fa fa fa fa
0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10155==ABORTING
Crashwalk output:
(1 of 1) - Hash: 420247b67262a2af2dc8616d80f1faaa.3079cdfd18960b817c9b6bc6da06c16e
---CRASH SUMMARY---
Filename: crash/id:000074,sig:11,src:000000,op:havoc,rep:128
SHA1: 0a34894ca80cbe1e4f138d1146b94e08b2ac939a
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 420247b67262a2af2dc8616d80f1faaa.3079cdfd18960b817c9b6bc6da06c16e
Command: ./asm2wasm crash/id:000074,sig:11,src:000000,op:havoc,rep:128
Faulting Frame:
operator new(unsigned long) @ 0x00007ffff7e5f1d9: in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
Disassembly:
0x00007ffff7ad4397: test dx,dx
0x00007ffff7ad439a: je 0x7ffff7ad42e5 <__GI___libc_malloc+85>
0x00007ffff7ad43a0: lea rax,[rax+rbx*8]
0x00007ffff7ad43a4: sub edx,0x1
0x00007ffff7ad43a7: mov r8,QWORD PTR [rax+0x80]
=> 0x00007ffff7ad43ae: mov rsi,QWORD PTR [r8]
0x00007ffff7ad43b1: mov QWORD PTR [rax+0x80],rsi
0x00007ffff7ad43b8: mov WORD PTR [rcx],dx
0x00007ffff7ad43bb: mov QWORD PTR [r8+0x8],0x0
0x00007ffff7ad43c3: jmp 0x7ffff7ad4336 <__GI___libc_malloc+166>
Stack Head (14 entries):
tcache_get @ 0x00007ffff7ad43ae: in (BL)
__GI___libc_malloc @ 0x00007ffff7ad43ae: in (BL)
operator @ 0x00007ffff7e5f1d9: in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
__gnu_cxx::new_allocator< @ 0x000055555612a864: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
std::allocator_traits<std @ 0x000055555611f0ce: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
std::_Vector_base<void, @ 0x000055555610e34a: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
std::vector<void*, @ 0x00005555560fed0d: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
std::vector<void*, @ 0x00005555560f4ee4: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
MixedArena::allocSpace @ 0x00005555560e0c30: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::GlobalMixedArena: @ 0x00005555560faa6a: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::ValueBuilder::mak @ 0x00005555560ebfcb: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::ValueBuilder::mak @ 0x00005555560ec030: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x00005555560fe883: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
main @ 0x00005555560d005b: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
Registers:
rax=0x0000555556c8a010 rbx=0x0000000000000000 rcx=0x0000555556c8a010 rdx=0x0000000000000001
rsi=0x0000000000000001 rdi=0x0000000000000008 rbp=0x0000000000000008 rsp=0x00007fffffffc9f0
r8=0x0000000000000000 r9=0x00007ffff7c222f0 r10=0x0000555556c8a010 r11=0x00007ffff7c21be0
r12=0xffffffffffffff50 r13=0x00007fffffffdda0 r14=0x0000000000000000 r15=0x0000000000000000
rip=0x00007ffff7ad43ae efl=0x0000000000010202 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
---END SUMMARY---
Crash 2
AddressSanitizer output:
==10774==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c00000721b at pc 0x5643152ec79d bp 0x7ffd3f906000 sp 0x7ffd3f905ff0
READ of size 1 at 0x62c00000721b thread T0
#0 0x5643152ec79c in wasm::Asm2WasmPreProcessor::process(char*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/asm2wasm.h:214
#1 0x5643152219f8 in main /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/tools/asm2wasm.cpp:204
#2 0x7fdcc2a361e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
#3 0x56431522fd8d in _start (/home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm-asan+0x371d8d)
0x62c00000721b is located 0 bytes to the right of 28699-byte region [0x62c000000200,0x62c00000721b)
allocated by thread T0 here:
#0 0x7fdcc3089867 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f867)
#1 0x56431643bf2c in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
#2 0x56431643bf2c in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:444
#3 0x56431643bf2c in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
#4 0x56431643bf2c in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
#5 0x56431643bf2c in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/9/bits/stl_vector.h:302
#6 0x56431643bf2c in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/9/bits/stl_vector.h:521
#7 0x56431643bf2c in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/support/file.cpp:60
#8 0x564315221985 in main /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/tools/asm2wasm.cpp:203
#9 0x7fdcc2a361e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/asm2wasm.h:214 in wasm::Asm2WasmPreProcessor::process(char*)
Shadow bytes around the buggy address:
0x0c587fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c587fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c587fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c587fff8e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c587fff8e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c587fff8e40: 00 00 00[03]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c587fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c587fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c587fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c587fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c587fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==10774==ABORTING
Crashwalk output:
(1 of 1) - Hash: 88f955e0772ffccbb23f1f0cf9404577.88f955e0772ffccbb23f1f0cf9404577
---CRASH SUMMARY---
Filename: crash/id:000288,sig:11,src:000377,op:havoc,rep:128
SHA1: 06258231d3d14fa7d6f2b5910a2da5f40b70612d
Classification: UNKNOWN
Hash: 88f955e0772ffccbb23f1f0cf9404577.88f955e0772ffccbb23f1f0cf9404577
Command: ./asm2wasm crash/id:000288,sig:11,src:000377,op:havoc,rep:128
Faulting Frame:
wasm::Asm2WasmPreProcessor::process @ 0x00005555560f10a4: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
Disassembly:
0x00005555560f1087: mov rax,QWORD PTR [rbp-0x170]
0x00005555560f108e: mov rdi,rax
0x00005555560f1091: call 0x5555560bb1a0 strlen@plt
0x00005555560f1096: mov QWORD PTR [rbp-0x130],rax
0x00005555560f109d: mov rax,QWORD PTR [rbp-0x170]
=> 0x00005555560f10a4: movzx eax,BYTE PTR [rax]
0x00005555560f10a7: cmp al,0x66
0x00005555560f10a9: je 0x5555560f10bd wasm::Asm2WasmPreProcessor::process(char*)+113
0x00005555560f10ab: add QWORD PTR [rbp-0x170],0x1
0x00005555560f10b3: sub QWORD PTR [rbp-0x130],0x1
Stack Head (2 entries):
wasm::Asm2WasmPreProcesso @ 0x00005555560f10a4: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
main @ 0x00005555560cfff6: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
Registers:
rax=0x0000555556ccc000 rbx=0x00007fffffffdb01 rcx=0x0000000000000000 rdx=0x0000555556cc3560
rsi=0x0000555556cc3560 rdi=0x0000555556cc3d80 rbp=0x00007fffffffcc80 rsp=0x00007fffffffcb10
r8=0x00007fffffffdb20 r9=0x00007ffff7c22280 r10=0x00007ffff7def402 r11=0x00007ffff7e89c90
r12=0x00005555560bbd60 r13=0x00007fffffffdda0 r14=0x0000000000000000 r15=0x0000000000000000
rip=0x00005555560f10a4 efl=0x0000000000010286 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
Description: Access violation on source operand
Short description: SourceAv (19/22)
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
---END SUMMARY---
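The crash 2 disassembly (strlen on the input, then a byte compare against 0x66, 'f', advancing the pointer and decrementing the remaining count without checking that count or the NUL terminator) is consistent with a scan loop that walks off the end of the buffer read_file returned whenever the byte it is looking for never appears. The C below is an added illustration for this report, not binaryen's source: the unbounded loop is a reconstruction assumed from the disassembly, placed beside a bounded scan that returns -1 instead of reading outside the buffer, and run on constructed inputs (a 6-byte one with no 'f', matching the size of the over-read region in crash 1).

```c
#include <stddef.h>
#include <string.h>

/* Reconstructed from the disassembly in the report (an assumption; this is
 * not binaryen's source): strlen the input, then advance one byte at a time
 * until 'f' (0x66) is seen. Neither the remaining count nor the NUL
 * terminator is checked, so on an input with no 'f' the loop reads past
 * the buffer, which is what ASan reports at asm2wasm.h:214. Only call it
 * on input known to contain 'f'. */
static long find_f_unbounded(const char *input) {
    const char *p = input;
    size_t num = strlen(p);
    while (*p != 'f') {   /* defect: no bound on num, no check for '\0' */
        p++;
        num--;
    }
    (void)num;
    return (long)(p - input);
}

/* Hardened scan: bounded by the buffer length and stops at the terminator,
 * so the read never leaves [input, input + len). Returns -1 if 'f' is
 * absent, letting the caller reject the input instead of crashing. */
static long find_f_bounded(const char *input, size_t len) {
    for (size_t i = 0; i < len && input[i] != '\0'; i++) {
        if (input[i] == 'f') return (long)i;
    }
    return -1;
}

/* Constructed sample inputs, not the fuzzer's crash files. */
static const char kNoF[] = "module";   /* 6 bytes, no 'f' anywhere */
static const char kWithF[] = "abcfgh"; /* 'f' at offset 3 */

int main(void) {
    /* Only the bounded scanner is safe to run on kNoF. */
    int ok = find_f_bounded(kNoF, sizeof kNoF - 1) == -1
          && find_f_bounded(kWithF, sizeof kWithF - 1) == 3
          && find_f_unbounded(kWithF) == 3;
    return ok ? 0 : 1;
}
```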