[Bug] Assertion failed type.IsReferenceWithIndex() in wabt::convertRefNullToRef #2675

Description

We encountered a SIGABRT (Assertion Failure) in wasm-interp. The crash occurs within the type checker logic when processing a malformed WebAssembly binary using the --enable-all flag.

The assertion fails in wabt::convertRefNullToRef, which is called during the validation of the ref.as_non_null instruction. This indicates that the validator encountered a reference type that it expected to have a type index, but the actual type did not satisfy IsReferenceWithIndex().

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Tools: gdb

Vulnerability Details

  • Target: wasm-interp
  • Crash Type: Assertion Failure (SIGABRT)
  • Location: src/type-checker.cc:588
  • Assertion: Assertion type.IsReferenceWithIndex() failed
  • Root Cause Analysis: The stack trace shows the path: ReadCodeSection -> ReadFunctionBody -> ReadInstructions -> OnRefAsNonNullExpr -> SharedValidator::OnRefAsNonNull -> TypeChecker::OnRefAsNonNullExpr -> convertRefNullToRef. The function convertRefNullToRef assumes the incoming type is a reference with an index. However, the input binary seemingly provides a type that violates this assumption, triggering the assertion in Debug builds.

Reproduce

gdb --args ./wasm-interp --enable-all ./repro
r
bt

Download Link: repro

Stack Trace (GDB)

wasm-interp: /src/wabt/src/type-checker.cc:588: Type wabt::convertRefNullToRef(Type): Assertion `type.IsReferenceWithIndex()' failed.

Program received signal SIGABRT, Aborted.
0x00007f9afefecb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f9afefecb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f9afef9327e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f9afef768ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f9afef7681b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f9afef89517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00005573df7f3174 in wabt::convertRefNullToRef (type=...)
at /src/wabt/src/type-checker.cc:588
#6 wabt::TypeChecker::OnRefAsNonNullExpr (this=)
at /src/wabt/src/type-checker.cc:941
#7 0x00005573df7c2db1 in wabt::SharedValidator::OnRefAsNonNull (
this=, loc=...) at /src/wabt/src/shared-validator.cc:1135
#8 0x00005573df63c77d in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnRefAsNonNullExpr (this=0x7f9afd600860)
at /src/wabt/src/interp/binary-reader-interp.cc:1473
#9 0x00005573df768e24 in wabt::(anonymous namespace)::BinaryReader::ReadInstructions (this=, end_offset=,
context=) at /src/wabt/src/binary-reader.cc:1945
#10 0x00005573df777631 in wabt::(anonymous namespace)::BinaryReader::ReadFunctionBody (this=0x59dc, end_offset=23004) at /src/wabt/src/binary-reader.cc:735
#11 0x00005573df756449 in wabt::(anonymous namespace)::BinaryReader::ReadCodeSection (this=0x7f9afd400220, section_size=)
at /src/wabt/src/binary-reader.cc:3003
#12 0x00005573df7458ea in wabt::(anonymous namespace)::BinaryReader::ReadSections (this=0x7f9afd400220, options=...) at /src/wabt/src/binary-reader.cc:3156
#13 0x00005573df744081 in wabt::(anonymous namespace)::BinaryReader::ReadModule
(this=0x7f9afd400220, options=...) at /src/wabt/src/binary-reader.cc:3230
#14 wabt::ReadBinary (data=0x5120000001c0, size=279, delegate=,
options=...) at /src/wabt/src/binary-reader.cc:3252
#15 0x00005573df61d79c in wabt::interp::ReadBinaryInterp (filename=...,
data=, size=, options=...,
errors=0x7f9afd700610, out_module=)
at /src/wabt/src/interp/binary-reader-interp.cc:1821
#16 0x00005573df5d69d4 in ReadModule (
module_filename=0x7fff4b4085a1 "/src/wabt/fuzz_out/master/crashes/id:000001,sig:06,src:003772,time:27357795,execs:1488824,op:havoc,rep:1",
errors=0x7f9afd700610, out_module=)
at /src/wabt/src/tools/wasm-interp.cc:324
#17 ReadAndRunModule (
module_filename=0x7fff4b4085a1 "/src/wabt/fuzz_out/master/crashes/id:000001,sig:06,src:003772,time:27357795,execs:1488824,op:havoc,rep:1")
at /src/wabt/src/tools/wasm-interp.cc:351
#18 ProgramMain (argc=, argv=)
at /src/wabt/src/tools/wasm-interp.cc:450
#19 0x00007f9afef781ca in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#20 0x00007f9afef7828b in __libc_start_main ()
from /lib/x86_64-linux-gnu/libc.so.6
#21 0x00005573df4ee935 in _start ()
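The root cause analysis above comes down to one pattern: a precondition on data read from an untrusted binary is enforced with an assert inside the type checker, so a malformed module aborts the process in a Debug build and, because assert() is compiled out under NDEBUG, flows onward unchecked in a Release build. The following C++ block is an added example, not wabt's code: it uses a hypothetical `Type` model (with `I32` standing in for any non-reference type, and `Ref`/`RefNull` carrying a type index) and hypothetical `ConvertRefNullToRef*` / `OnRefAsNonNull` functions to show the assert-based shape beside a checked variant that turns the violated assumption into a validation error the caller can report.

```cpp
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical type model for this example; wabt's real wabt::Type differs.
struct Type {
  enum class Kind { I32, Ref, RefNull };  // I32 stands in for any non-reference type
  Kind kind;
  uint32_t index;  // type index, meaningful only for Ref / RefNull

  bool IsReferenceWithIndex() const {
    return kind == Kind::Ref || kind == Kind::RefNull;
  }
};

// Shape of the failing function: the precondition is an assert, so it is
// checked only in Debug builds (SIGABRT on violation) and compiled out under
// NDEBUG, where a bad operand would flow onward unchecked.
Type ConvertRefNullToRefAsserting(Type type) {
  assert(type.IsReferenceWithIndex());
  return Type{Type::Kind::Ref, type.index};
}

// Checked variant: the same precondition becomes a result the validator can
// surface as a validation error on every build. Returns false on failure and
// describes the problem in `err`.
bool ConvertRefNullToRefChecked(Type type, Type* out, std::string* err) {
  if (!type.IsReferenceWithIndex()) {
    *err = "ref.as_non_null: operand is not a reference type with a type index";
    return false;
  }
  *out = Type{Type::Kind::Ref, type.index};
  return true;
}

// Minimal type-checker step for ref.as_non_null over an operand stack
// (a model of the validator path, not wabt's TypeChecker): pop the operand,
// convert it, push the non-null result. A malformed module yields false and
// an error message instead of an abort.
bool OnRefAsNonNull(std::vector<Type>* stack, std::string* err) {
  if (stack->empty()) {
    *err = "ref.as_non_null: operand stack is empty";
    return false;
  }
  Type operand = stack->back();
  stack->pop_back();
  Type result{};
  if (!ConvertRefNullToRefChecked(operand, &result, err)) {
    return false;
  }
  stack->push_back(result);
  return true;
}
```

The checked variant keeps the cheap `IsReferenceWithIndex()` test on the hot path in every build configuration; the cost is one branch per `ref.as_non_null`, and the benefit is that a fuzzer-generated or hostile module is rejected with a validation error rather than an invariant violation whose consequences depend on whether the binary was built with assertions enabled.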
