Description
Command: ./asm2wasm $FILE
Version: binaryen-0c58de1
Address Sanitizer output:
==21694==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564719092a60 bp 0x7ffc1cda6fb0 sp 0x7ffc1cda6ec0 T0)
==21694==The signal is caused by a WRITE memory access.
==21694==Hint: address points to the zero page.
#0 0x564719092a5f in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag::Frag(char*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:348
#1 0x5647190a8eea in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:878
#2 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#3 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#4 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#5 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#6 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#7 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#8 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#9 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#10 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#11 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#12 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#13 0x5647190b99fc in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseCall(cashew::Ref, char*&) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:736
#14 0x5647190ae8fb in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:885
#15 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#16 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#17 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#18 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#19 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#20 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#21 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#22 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#23 0x5647190a8d11 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseExpression(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::ExpressionElement, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:897
#24 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterIdent(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:723
#25 0x5647190b0415 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:403
#26 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElementOrStatement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1057
#27 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseBlock(char*&, char const*, cashew::IString, cashew::IString) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1021
#28 0x5647190c88b9 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseBracketedBlock(char*&) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1033
#29 0x5647190d4e1b in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseFunction(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:513
#30 0x5647190d4e1b in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterKeyword(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:452
#31 0x5647190b0438 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:400
#32 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElementOrStatement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1057
#33 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseBlock(char*&, char const*, cashew::IString, cashew::IString) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1021
#34 0x5647190c88b9 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseBracketedBlock(char*&) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1033
#35 0x5647190d4e1b in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseFunction(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:513
#36 0x5647190d4e1b in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseAfterKeyword(cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag&, char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:452
#37 0x5647190b0438 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:400
#38 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseElementOrStatement(char*&, char const*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1057
#39 0x5647190bcd79 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseBlock(char*&, char const*, cashew::IString, cashew::IString) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1021
#40 0x5647190c77b3 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::parseToplevel(char*) /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:1125
#41 0x564718fbdb28 in main /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/tools/asm2wasm.cpp:210
#42 0x7f91ae2b51e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
#43 0x564718fcbd8d in _start (/home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm-asan+0x371d8d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/natalie/Research/Bug/binaryen-0c58de1/binaryen-master/src/emscripten-optimizer/parser.h:348 in cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag::Frag(char*)
==21694==ABORTING
Crashwalk output:
(1 of 1) - Hash: 1dc0deced3a14ae09172f538d77acec7.498f10370c0f2b1a912e5dd54fb548f0
---CRASH SUMMARY---
Filename: crash/id:000441,sig:11,src:001435,op:havoc,rep:16
SHA1: 85b48f1cdd2222412b2e74de5852ef1fee6a0bca
Classification: PROBABLY_EXPLOITABLE
Hash: 1dc0deced3a14ae09172f538d77acec7.498f10370c0f2b1a912e5dd54fb548f0
Command: ./asm2wasm crash/id:000441,sig:11,src:001435,op:havoc,rep:16
Faulting Frame:
cashew::Parser<cashew::Ref, cashew::DotZeroValueBuilder>::Frag::Frag @ 0x000055555611ec0c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
Disassembly:
0x000055555611ebfa: mov esi,eax
0x000055555611ebfc: mov rdi,rdx
0x000055555611ebff: call 0x5555560bb9d0 strchr@plt
0x000055555611ec04: mov QWORD PTR [rbp-0x10],rax
0x000055555611ec08: mov rax,QWORD PTR [rbp-0x10]
=> 0x000055555611ec0c: mov BYTE PTR [rax],0x0
0x000055555611ec0f: mov rax,QWORD PTR [rbp-0x28]
0x000055555611ec13: mov rdx,QWORD PTR [rbp-0x30]
0x000055555611ec17: lea rcx,[rdx+0x1]
0x000055555611ec1b: mov edx,0x1
Stack Head (36 entries):
cashew::Parser<cashew::Re @ 0x000055555611ec0c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131c92: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a505: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131e4c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a505: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131e4c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a505: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131e4c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131b47: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a4bd: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555613859e: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131d33: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a505: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131e4c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x000055555612a505: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
cashew::Parser<cashew::Re @ 0x0000555556131e4c: in /home/natalie/Research/Bug/binaryen-0c58de1/asm2wasm
Registers:
rax=0x0000000000000000 rbx=0x00007fffffffcd70 rcx=0x0000000000000060 rdx=0x0000000000000000
rsi=0x0000000000000022 rdi=0x0000555556cb5680 rbp=0x00007fffffffb4f0 rsp=0x00007fffffffb4c0
r8=0x000055555682ebe1 r9=0x46db6418d0c06e3c r10=0x3ff0000000000000 r11=0xefe6916b8e38e38e
r12=0x00005555560bbd60 r13=0x00007fffffffdda0 r14=0x0000000000000000 r15=0x0000000000000000
rip=0x000055555611ec0c efl=0x0000000000010206 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
---END SUMMARY---