Stream: git-wasmtime

Topic: wasmtime / issue #3565 out of bound memory access caused ...


Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):

PureWhiteWu opened issue #3565:

Test Case

I've uploaded the code to https://github.com/PureWhiteWu/wasmtime_ub_demo.

Steps to Reproduce

I tried to access some out-of-bounds memory in my Rust code using unsafe, and found that it didn't report an error in some cases. Instead, it caused UB.

You may clone https://github.com/PureWhiteWu/wasmtime_ub_demo and just call run.sh to execute the test cases.

Expected Results

Test cases 1m_minus_two_i32, 1m_plus_one, 1m_plus_64k, 1m_plus_64k_plus_one, 2m should fail with out of bounds memory access.

Actual Results

wasmtime: compiling using cranelift...
wasmtime: running cranelift version...
wasmtime 64k cranelift:
0
wasmtime 64k_plus_one cranelift:
0
wasmtime 1m_minus_four_i32 cranelift:
0
wasmtime 1m_minus_two_i32 cranelift:
-201326592
wasmtime 1m cranelift:
0
wasmtime 1m_plus_one cranelift:
244
wasmtime 1m_plus_64k cranelift:
0 (note: this may change to a random number during different running)
wasmtime 1m_plus_64k_plus_one cranelift:
Error: failed to run main module `target/wasm32-wasi/release/1m_plus_64k_plus_one.wasmtime`

Caused by:
    0: failed to invoke command default
    1: wasm trap: out of bounds memory access
       wasm backtrace:
           0:  0x2b8 - <unknown>!_1m_plus_64k_plus_one::main::h16960bb87b178e85
           1:  0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h048d11a00c6a35d0
           2: 0x18ba - <unknown>!__original_main
           3:  0x279 - <unknown>!_start
           4: 0xb90c - <unknown>!_start.command_export
       note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information

wasmtime 2m cranelift:
Error: failed to run main module `target/wasm32-wasi/release/2m.wasmtime`

Caused by:
    0: failed to invoke command default
    1: wasm trap: out of bounds memory access
       wasm backtrace:
           0:  0x2b8 - <unknown>!_2m::main::h9f0049353c958a74
           1:  0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h6d0aa0bccba5db1c
           2: 0x18ba - <unknown>!__original_main
           3:  0x279 - <unknown>!_start
           4: 0xb90c - <unknown>!_start.command_export
       note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information

wasmtime end...

1m_minus_two_i32 reads from 1m-2 to 1m+2 (an i32), which should fail with out of bounds memory access, but it seems to succeed with undefined behaviour.
1m_plus_one and 1m_plus_64k read only a byte, and should fail with out of bounds memory access, but seem to read unpredictable values too.

Versions and Environment

Wasmtime version or commit: wasmtime 0.31.0

Operating system: Linux 5.4.56 Debian 10

Architecture: amd64 / AMD EPYC 7642 48-Core Processor

Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):

PureWhiteWu labeled issue #3565:


Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):

PureWhiteWu edited issue #3565:


Wasmtime GitHub notifications bot (Nov 29 2021 at 15:58):

bjorn3 commented on issue #3565:

I just checked 1m_minus_two_i32. The compiled wasm file specifies a linear memory of 17 pages. As a wasm page is 64k, this means that the first 1088KiB of the linear memory is fully readable and writable. This is exactly 1MiB + 64KiB. 1m_minus_two_i32 and 1m_plus_one should thus succeed. 1m_plus_64k succeeding would be an off-by-one error in the bounds check of wasmtime if I did my math correctly. 1m_plus_64k_plus_one and 2m give an out of bounds error as intended.

All examples invoke UB at the Rust level as you dereference a pointer created from an arbitrary integer, but this does not translate to the wasm level. 1m_plus_64k_plus_one, 2m and I think 1m_plus_64k are defined as trapping, but the rest is fully defined at wasm level.

Wasmtime GitHub notifications bot (Nov 29 2021 at 15:59):

alexcrichton commented on issue #3565:

Thanks for the report but I believe that this is all working as intended. Looking at the modules themselves it appears that most of them have a memory with 17 pages of memory, which is 1MB plus 64k, which I believe explains why all the tests exhibit the behavior that they do. Otherwise though I believe everything is in working order with the wasm spec, so I'm going to close this.
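
The page arithmetic in the two comments above, as an added example that is not part of the thread or of wasmtime's code: it reads the declared minimum page count from a module's memory section and applies the wasm bounds rule to it. The module bytes are constructed, and the access addresses are assumed from the test names and the reporter's description.

```rust
const WASM_PAGE: u64 = 65536; // one wasm page is 64 KiB
// Constructed sample module (not one of the issue's modules), min 17 pages.
const SAMPLE: &[u8] = &[
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
    0x00, 0x05, 0x04, b'n', b'o', b't', b'e',       // custom section "note"
    0x05, 0x03, 0x01, 0x00, 0x11,                   // memory: count 1, flags 0, min 17
];

/// Decode an unsigned LEB128 u32 at `*pos`, advancing `*pos`.
fn leb_u32(bytes: &[u8], pos: &mut usize) -> Option<u32> {
    let (mut result, mut shift) = (0u32, 0u32);
    loop {
        let b = *bytes.get(*pos)?;
        *pos += 1;
        if shift >= 32 { return None; } // encoding longer than a u32 allows
        result |= u32::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Some(result); }
        shift += 7;
    }
}

/// Minimum page count of the first memory in the memory section (id 5); imported memories are not handled.
fn declared_min_pages(module: &[u8]) -> Option<u32> {
    if !module.starts_with(b"\0asm\x01\0\0\0") { return None; }
    let mut pos = 8;
    while pos < module.len() {
        let id = module[pos];
        pos += 1;
        let size = leb_u32(module, &mut pos)? as usize;
        let end = pos.checked_add(size).filter(|&e| e <= module.len())?;
        if id == 5 && leb_u32(module, &mut pos)? > 0 {
            pos += 1; // skip the limits flag byte (0 = min only, 1 = min and max)
            return leb_u32(module, &mut pos);
        }
        pos = end; // not the memory section (or it is empty): skip its payload
    }
    None
}

/// Wasm rule: a `size`-byte access at `addr` traps unless it ends within memory.
fn traps(pages: u32, addr: u64, size: u64) -> bool { addr + size > u64::from(pages) * WASM_PAGE }

fn main() {
    let pages = declared_min_pages(SAMPLE).expect("memory section");
    let m = 1u64 << 20; // 1 MiB; addresses below are assumed from the test names
    for (name, addr, size) in [("1m_minus_two_i32", m - 2, 4), ("1m_plus_one", m + 1, 1), ("1m_plus_64k", m + WASM_PAGE, 1)] {
        println!("{}: traps = {}", name, traps(pages, addr, size));
    }
}
```
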

Wasmtime GitHub notifications bot (Nov 29 2021 at 15:59):

alexcrichton closed issue #3565:


Wasmtime GitHub notifications bot (Nov 29 2021 at 16:05):

PureWhiteWu commented on issue #3565:

Oh you are right! This is because I invoke UB in Rust not wasmtime.
Thanks for your reply!


Last updated: Oct 23 2024 at 20:03 UTC