An abort failure in wasm::Tuple::validate() #4411

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 2 comments


ZFeiXQ commented Dec 25, 2021

Version:

version_104

command:

 wasm-as POC6

POC6.zip

Result

Aborted.

bt

```
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff4416040 (0x00007ffff4416040)
RCX: 0x7ffff446018b (<__GI_raise+203>:  mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffb0d0 --> 0x0
RDI: 0x2
RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
RSP: 0x7fffffffb0d0 --> 0x0
RIP: 0x7ffff446018b (<__GI_raise+203>:  mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffb0d0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7ffff799e2e0 ("/home/zxq/CVE_testing/project/binaryen/src/wasm-type.h")
R13: 0x1c6
R14: 0x7ffff79a2ce0 ("type.isSingle()")
R15: 0x60300000e090 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff446017f <__GI_raise+191>:     mov    edi,0x2
   0x7ffff4460184 <__GI_raise+196>:     mov    eax,0xe
   0x7ffff4460189 <__GI_raise+201>:     syscall
=> 0x7ffff446018b <__GI_raise+203>:     mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff4460193 <__GI_raise+211>:     xor    rax,QWORD PTR fs:0x28
   0x7ffff446019c <__GI_raise+220>:     jne    0x7ffff44601c4 <__GI_raise+260>
   0x7ffff446019e <__GI_raise+222>:     mov    eax,r8d
   0x7ffff44601a1 <__GI_raise+225>:     add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb0d0 --> 0x0
0008| 0x7fffffffb0d8 --> 0x49cbd0 (<free>:      push   rbp)
0016| 0x7fffffffb0e0 --> 0xfbad8000 --> 0x0
0024| 0x7fffffffb0e8 --> 0x6120000001c0 --> 0x3a73612d24800005
0032| 0x7fffffffb0f0 --> 0x612000000225 ("sertion `type.isSingle()' failed.\n")
0040| 0x7fffffffb0f8 --> 0x6120000001c0 --> 0x3a73612d24800005
0048| 0x7fffffffb100 --> 0x6120000001c0 --> 0x3a73612d24800005
0056| 0x7fffffffb108 --> 0x612000000247 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff443f859 in __GI_abort () at abort.c:79
#2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff79a2ce0 <str> "type.isSingle()",
    file=0x7ffff799e2e0 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-type.h", line=0x1c6, function=<optimized out>) at assert.c:92
#3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff79a2ce0 <str> "type.isSingle()", file=0x7ffff799e2e0 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-type.h", line=0x1c6,
    function=0x7ffff79a2d20 <__PRETTY_FUNCTION__._ZN4wasm5Tuple8validateEv> "void wasm::Tuple::validate()") at assert.c:101
#4  0x00007ffff520ff7c in wasm::Tuple::validate (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm-type.h:454
#5  0x00007ffff7087705 in wasm::Tuple::Tuple (this=0x7fffffffb660, types=std::vector of length 3, capacity 3 = {...}) at /home/zxq/CVE_testing/project/binaryen/src/wasm-type.h:437
#6  wasm::SExpressionWasmBuilder::parseTypeUse (this=<optimized out>, s=..., startPos=<optimized out>, functionType=..., namedParams=...)
    at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-s-parser.cpp:637
#7  0x00007ffff70890bc in wasm::SExpressionWasmBuilder::parseTypeUse (this=0x7fffffffda40, s=..., startPos=0x4, functionType=...) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-s-parser.cpp:679
#8  0x00007ffff705de99 in wasm::SExpressionWasmBuilder::parseImport (this=<optimized out>, s=...) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-s-parser.cpp:3191
#9  0x00007ffff705adb3 in wasm::SExpressionWasmBuilder::preParseImports (this=<optimized out>, curr=...) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-s-parser.cpp:406
#10 0x00007ffff7056441 in wasm::SExpressionWasmBuilder::SExpressionWasmBuilder (this=<optimized out>, wasm=..., module=..., profile=<optimized out>)
    at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-s-parser.cpp:380
#11 0x00000000004d2a80 in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-as.cpp:113
#12 0x00007ffff44410b3 in __libc_start_main (main=0x4cef20 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe268, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe258) at ../csu/libc-start.c:308
#13 0x000000000042478e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:7
```

aheejin (Member) commented Dec 28, 2021

The file doesn't seem to be a valid wast file. How did you create it?

aheejin (Member) commented Dec 30, 2021

Will close this for now. (Context: #4410 (comment))

aheejin closed this as completed Jan 5, 2022