
Memory Corruption Vulnerability: Invalid WRITE in uvwasi_serdes_write_uint32_t during WASI Execution #857

@JulianWu520

Description


Hi,

Running fizzy-wasi with poc1.wasm triggers a segmentation fault due to an invalid memory WRITE in the uvwasi_serdes_write_uint32_t function, potentially leading to memory corruption.

Build

mkdir build && cd build
cmake -DFIZZY_WASI=ON -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_LINKER_FLAGS="-fsanitize=address" ..
cmake --build .

Proof-Of-Concept

julianwu@RLab:~/Work/WebAssembly/fizzy/build/bin/crashes_output$ ../../../../fizzy-test/fizzy/build/bin/fizzy-wasi poc1.wasm
hello �orld
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4094410==ERROR: AddressSanitizer: SEGV on unknown address 0x6311000147ef (pc 0x56487025e2a4 bp 0x0fffabb40c20 sp 0x7ffd5da060a8 T0)
==4094410==The signal is caused by a WRITE memory access.
    #0 0x56487025e2a4 in uvwasi_serdes_write_uint32_t (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4)
    #1 0x5648701bbbef in fd_write /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:56
    #2 0x5648701dd7f4 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:570
    #3 0x5648701e1a59 in invoke_function<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:540
    #4 0x5648701e1a59 in execute<false> /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:665
    #5 0x5648701ed954 in fizzy::execute(fizzy::Instance&, unsigned int, fizzy::Value const*) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/lib/fizzy/execute.cpp:1626
    #6 0x5648701bc732 in fizzy::wasi::run(fizzy::wasi::UVWASI&, fizzy::Instance&, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:215
    #7 0x5648701c2f56 in fizzy::wasi::run(std::basic_string_view<unsigned char, std::char_traits<unsigned char> >, int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:232
    #8 0x5648701c6142 in fizzy::wasi::load_and_run(int, char const**, std::ostream&) /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/wasi.cpp:241
    #9 0x5648701b9bd5 in main /home/julianwu/Work/WebAssembly/fizzy-test/fizzy/tools/wasi/main.cpp:19
    #10 0x7f93368b0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7f93368b0e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x5648701b9e34 in _start (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0x19e34)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/julianwu/Work/WebAssembly/fizzy-test/fizzy/build/bin/fizzy-wasi+0xbe2a4) in uvwasi_serdes_write_uint32_t
==4094410==ABORTING

poc1.zip
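The trace above shows a host-side WASI call (fd_write) writing a 32-bit result word into guest linear memory and faulting. The general defence for that pattern is to validate every guest-supplied offset (the iovec array, each buffer it names, and the slot that receives nwritten) against the size of linear memory before the host reads or writes anything. The following is an added illustration of that check, not code from fizzy or uvwasi; the memory size, error codes, iovec layout helpers and scenario functions are all assumptions constructed for the example, and it makes no claim about the actual root cause of this report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bounds-checked WASI fd_write host function (example only). */
#define MEM_SIZE 65536u      /* assumed: one 64 KiB wasm page of linear memory */
#define IOVEC_SIZE 8u        /* wasi iovec: u32 buf, u32 buf_len, little-endian */

enum { OK = 0, ERR_FAULT = 1 };   /* assumed error codes for the demo */

/* True if [off, off+len) lies inside a linear memory of mem_size bytes.
   The sum is formed in 64 bits so a large len cannot wrap past the end. */
static int region_in_bounds(size_t mem_size, uint32_t off, uint64_t len)
{
    return (uint64_t)off + len <= (uint64_t)mem_size;
}

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_u32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Host side of fd_write. Every guest-supplied offset (iovec array, each buffer,
   and the nwritten result slot) is checked against linear memory before any
   host read or write touches it. Output goes to `out` instead of a real fd. */
static int fd_write_checked(uint8_t *mem, size_t mem_size,
                            uint32_t iovs_ptr, uint32_t iovs_len,
                            uint32_t nwritten_ptr,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    /* Validate the result slot first so a bad pointer fails before any output. */
    if (!region_in_bounds(mem_size, nwritten_ptr, 4))
        return ERR_FAULT;
    if (!region_in_bounds(mem_size, iovs_ptr, (uint64_t)iovs_len * IOVEC_SIZE))
        return ERR_FAULT;

    size_t total = 0;
    for (uint32_t i = 0; i < iovs_len; i++) {
        const uint8_t *iov = mem + iovs_ptr + (size_t)i * IOVEC_SIZE;
        uint32_t buf = read_u32_le(iov);
        uint32_t len = read_u32_le(iov + 4);
        if (!region_in_bounds(mem_size, buf, len))
            return ERR_FAULT;
        if (total + len > out_cap)
            len = (uint32_t)(out_cap - total);   /* short write, as on a full pipe */
        memcpy(out + total, mem + buf, len);
        total += len;
    }
    write_u32_le(mem + nwritten_ptr, (uint32_t)total);
    *out_len = total;
    return OK;
}

/* Constructed scenario: one iovec at offset 0 naming "hello world" at offset
   100, result slot at offset 200. Returns the value stored in nwritten. */
static uint32_t scenario_valid(void)
{
    static uint8_t mem[MEM_SIZE];
    uint8_t out[64]; size_t out_len = 0;
    memset(mem, 0, sizeof mem);
    memcpy(mem + 100, "hello world", 11);
    write_u32_le(mem + 0, 100);  /* iov.buf */
    write_u32_le(mem + 4, 11);   /* iov.buf_len */
    if (fd_write_checked(mem, MEM_SIZE, 0, 1, 200, out, sizeof out, &out_len) != OK)
        return 0;
    if (out_len != 11 || memcmp(out, "hello world", 11) != 0)
        return 0;
    return read_u32_le(mem + 200);
}

/* Same layout, but the nwritten slot sits 2 bytes before the end of memory,
   so a 4-byte write would run past it. Returns the error code. */
static int scenario_bad_result_ptr(void)
{
    static uint8_t mem[MEM_SIZE];
    uint8_t out[64]; size_t out_len = 0;
    memset(mem, 0, sizeof mem);
    write_u32_le(mem + 0, 100);
    write_u32_le(mem + 4, 11);
    return fd_write_checked(mem, MEM_SIZE, 0, 1, MEM_SIZE - 2, out, sizeof out, &out_len);
}

/* iovec count so large that iovs_len * 8 wraps to 8 in 32-bit arithmetic. */
static int scenario_iov_count_overflow(void)
{
    static uint8_t mem[MEM_SIZE];
    uint8_t out[64]; size_t out_len = 0;
    return fd_write_checked(mem, MEM_SIZE, 0, 0x20000001u, 200, out, sizeof out, &out_len);
}

int main(void)
{
    printf("valid: nwritten=%u\n", scenario_valid());
    printf("bad result ptr: %d\n", scenario_bad_result_ptr());
    printf("iov count overflow: %d\n", scenario_iov_count_overflow());
    return 0;
}
```

Two design points matter here: the size arithmetic is done in 64 bits so that a guest-chosen length or count cannot wrap the bound check, and the result slot is validated before any iovec is consumed, so a rejected call leaves both host output and guest memory untouched.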
