Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39): Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):PureWhiteWu opened issue #3565:
Test Case
I've uploaded the code to https://github.com/PureWhiteWu/wasmtime_ub_demo.
Steps to Reproduce
I tried to access some out of bound memory in my rust code using unsafe, and found that it didn't report error in some cases. Instead, it caused UB.
You may clone https://github.com/PureWhiteWu/wasmtime_ub_demo and just call
run.shto execute the test cases.Expected Results
For tests cases
1m_minus_two_i32,1m_plus_one,1m_plus_64k,1m_plus_64k_plus_one,2m, should fail without of bounds memory access.Actual Results
wasmtime: compiling using cranelift... wasmtime: running cranelift version... wasmtime 64k cranelift: 0 wasmtime 64k_plus_one cranelift: 0 wasmtime 1m_minus_four_i32 cranelift: 0 wasmtime 1m_minus_two_i32 cranelift: -201326592 wasmtime 1m cranelift: 0 wasmtime 1m_plus_one cranelift: 244 wasmtime 1m_plus_64k cranelift: 0 (note: this may change to a random number during different running) wasmtime 1m_plus_64k_plus_one cranelift: Error: failed to run main module `target/wasm32-wasi/release/1m_plus_64k_plus_one.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_1m_plus_64k_plus_one::main::h16960bb87b178e85 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h048d11a00c6a35d0 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime 2m cranelift: Error: failed to run main module `target/wasm32-wasi/release/2m.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_2m::main::h9f0049353c958a74 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h6d0aa0bccba5db1c 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime end...
1m_minus_two_i32reads from 1m-2 to 1m+2 (an i32), which should failed without of bounds memory access, but seems it succeed with undefined behaviour.
1m_plus_one,1m_plus_64kreads only a byte, and should fail without of bounds memory access, but seems reads unpredictable values too.Versions and Environment
Wasmtime version or commit: wasmtime 0.31.0
Operating system: Linux 5.4.56 Debian 10
Architecture: amd64 / AMD EPYC 7642 48-Core Processor
Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):PureWhiteWu labeled issue #3565:
Test Case
I've uploaded the code to https://github.com/PureWhiteWu/wasmtime_ub_demo.
Steps to Reproduce
I tried to access some out of bound memory in my rust code using unsafe, and found that it didn't report error in some cases. Instead, it caused UB.
You may clone https://github.com/PureWhiteWu/wasmtime_ub_demo and just call
run.shto execute the test cases.Expected Results
For tests cases
1m_minus_two_i32,1m_plus_one,1m_plus_64k,1m_plus_64k_plus_one,2m, should fail without of bounds memory access.Actual Results
wasmtime: compiling using cranelift... wasmtime: running cranelift version... wasmtime 64k cranelift: 0 wasmtime 64k_plus_one cranelift: 0 wasmtime 1m_minus_four_i32 cranelift: 0 wasmtime 1m_minus_two_i32 cranelift: -201326592 wasmtime 1m cranelift: 0 wasmtime 1m_plus_one cranelift: 244 wasmtime 1m_plus_64k cranelift: 0 (note: this may change to a random number during different running) wasmtime 1m_plus_64k_plus_one cranelift: Error: failed to run main module `target/wasm32-wasi/release/1m_plus_64k_plus_one.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_1m_plus_64k_plus_one::main::h16960bb87b178e85 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h048d11a00c6a35d0 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime 2m cranelift: Error: failed to run main module `target/wasm32-wasi/release/2m.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_2m::main::h9f0049353c958a74 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h6d0aa0bccba5db1c 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime end...
1m_minus_two_i32reads from 1m-2 to 1m+2 (an i32), which should failed without of bounds memory access, but seems it succeed with undefined behaviour.
1m_plus_one,1m_plus_64kreads only a byte, and should fail without of bounds memory access, but seems reads unpredictable values too.Versions and Environment
Wasmtime version or commit: wasmtime 0.31.0
Operating system: Linux 5.4.56 Debian 10
Architecture: amd64 / AMD EPYC 7642 48-Core Processor
Wasmtime GitHub notifications bot (Nov 29 2021 at 15:39):PureWhiteWu edited issue #3565:
Test Case
I've uploaded the code to https://github.com/PureWhiteWu/wasmtime_ub_demo.
Steps to Reproduce
I tried to access some out of bound memory in my rust code using unsafe, and found that it didn't report error in some cases. Instead, it caused UB.
You may clone https://github.com/PureWhiteWu/wasmtime_ub_demo and just call
run.shto execute the test cases.Expected Results
For tests cases
1m_minus_two_i32,1m_plus_one,1m_plus_64k,1m_plus_64k_plus_one,2m, should fail without of bounds memory access.Actual Results
wasmtime: compiling using cranelift... wasmtime: running cranelift version... wasmtime 64k cranelift: 0 wasmtime 64k_plus_one cranelift: 0 wasmtime 1m_minus_four_i32 cranelift: 0 wasmtime 1m_minus_two_i32 cranelift: -201326592 wasmtime 1m cranelift: 0 wasmtime 1m_plus_one cranelift: 244 wasmtime 1m_plus_64k cranelift: 0 (note: this may change to a random number during different running) wasmtime 1m_plus_64k_plus_one cranelift: Error: failed to run main module `target/wasm32-wasi/release/1m_plus_64k_plus_one.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_1m_plus_64k_plus_one::main::h16960bb87b178e85 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h048d11a00c6a35d0 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime 2m cranelift: Error: failed to run main module `target/wasm32-wasi/release/2m.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_2m::main::h9f0049353c958a74 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h6d0aa0bccba5db1c 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime end...
1m_minus_two_i32reads from 1m-2 to 1m+2 (an i32), which should failed without of bounds memory access, but seems it succeed with undefined behaviour.
1m_plus_one,1m_plus_64kreads only a byte, and should fail without of bounds memory access, but seems reads unpredictable values too.Versions and Environment
Wasmtime version or commit: wasmtime 0.31.0
Operating system: Linux 5.4.56 Debian 10
Architecture: amd64 / AMD EPYC 7642 48-Core Processor
Wasmtime GitHub notifications bot (Nov 29 2021 at 15:58):bjorn3 commented on issue #3565:
I just checked
1m_minus_two_i32. The compiled wasm file specifies a linear memory of 17 pages. As a wasm page is 64k, this means that the first 1088KiB of the linear memory is fully readable and writable. This is exactly 1MiB + 64KiB.1m_minus_two_i32and1m_plus_oneshould thus succeed.1m_plus_64ksucceeding would be an off-by-one error in the bounds check of wasmtime if I did my math correctly.1m_plus_64k_plus_oneand2mgive an out of bounds error as intended.All examples invoke UB at the Rust level as you dereference a pointer created from an arbitrary integer, but this does not translate to the wasm level.
1m_plus_64k_plus_one,2mand I think1m_plus_64kare defined as trapping, but the rest is fully defined at wasm level.
Wasmtime GitHub notifications bot (Nov 29 2021 at 15:59):alexcrichton commented on issue #3565:
Thanks for the report but I believe that this is all working as intended. Looking at the modules themselves it appears that most of them have a
memorywith 17 pages of memory, which is 1MB plus 64k, which I believe explains why all the tests exhibit the behavior that they do. Otherwise though I believe everything is in working order with the wasm spec, so I'm going to close this.
Wasmtime GitHub notifications bot (Nov 29 2021 at 15:59):alexcrichton closed issue #3565:
Test Case
I've uploaded the code to https://github.com/PureWhiteWu/wasmtime_ub_demo.
Steps to Reproduce
I tried to access some out of bound memory in my rust code using unsafe, and found that it didn't report error in some cases. Instead, it caused UB.
You may clone https://github.com/PureWhiteWu/wasmtime_ub_demo and just call
run.shto execute the test cases.Expected Results
For tests cases
1m_minus_two_i32,1m_plus_one,1m_plus_64k,1m_plus_64k_plus_one,2m, should fail without of bounds memory access.Actual Results
wasmtime: compiling using cranelift... wasmtime: running cranelift version... wasmtime 64k cranelift: 0 wasmtime 64k_plus_one cranelift: 0 wasmtime 1m_minus_four_i32 cranelift: 0 wasmtime 1m_minus_two_i32 cranelift: -201326592 wasmtime 1m cranelift: 0 wasmtime 1m_plus_one cranelift: 244 wasmtime 1m_plus_64k cranelift: 0 (note: this may change to a random number during different running) wasmtime 1m_plus_64k_plus_one cranelift: Error: failed to run main module `target/wasm32-wasi/release/1m_plus_64k_plus_one.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_1m_plus_64k_plus_one::main::h16960bb87b178e85 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h048d11a00c6a35d0 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime 2m cranelift: Error: failed to run main module `target/wasm32-wasi/release/2m.wasmtime` Caused by: 0: failed to invoke command default 1: wasm trap: out of bounds memory access wasm backtrace: 0: 0x2b8 - <unknown>!_2m::main::h9f0049353c958a74 1: 0x293 - <unknown>!std::sys_common::backtrace::__rust_begin_short_backtrace::h6d0aa0bccba5db1c 2: 0x18ba - <unknown>!__original_main 3: 0x279 - <unknown>!_start 4: 0xb90c - <unknown>!_start.command_export note: using the `WASMTIME_BACKTRACE_DETAILS=1` environment variable to may show more debugging information wasmtime end...
1m_minus_two_i32reads from 1m-2 to 1m+2 (an i32), which should failed without of bounds memory access, but seems it succeed with undefined behaviour.
1m_plus_one,1m_plus_64kreads only a byte, and should fail without of bounds memory access, but seems reads unpredictable values too.Versions and Environment
Wasmtime version or commit: wasmtime 0.31.0
Operating system: Linux 5.4.56 Debian 10
Architecture: amd64 / AMD EPYC 7642 48-Core Processor
Wasmtime GitHub notifications bot (Nov 29 2021 at 16:05):PureWhiteWu commented on issue #3565:
Oh you are right! This is because I invoke UB in Rust not wasmtime.
Thanks for your reply!
Last updated: Nov 22 2024 at 16:03 UTC