Wasmtime GitHub notifications bot (Feb 14 2024 at 02:47): Wasmtime GitHub notifications bot (Feb 14 2024 at 02:47):khagankhan added the bug label to Issue #7935.
Wasmtime GitHub notifications bot (Feb 14 2024 at 02:47):khagankhan opened issue #7935:
Thanks for filing a bug report! Please fill out the TODOs below.
Note: if you want to report a security issue, please read our security policy!
Test Case
potential_bug.wat:
potential_bug.wat.txt
potential_bug.wasm:
potential_bug.wasm.txtThe test case:
cat potential_bug.wat:(module (memory $mem 1) (table 0 funcref) (elem (i32.const 0)) (func $main (export "_main") (result i32) (local $i32_storage i32) (local $i64_storage i64) (local $f32_storage f32) (local $f64_storage f64) (local $lift_2 i32) (local $lift_1 i32) local.get $lift_2 local.tee $lift_1 local.set $lift_1 i32.const 329 i32.const 682 i32.load16_s offset=94 align=1 i32.const 639 i32.load8_u offset=90 align=1 i32.shl i32.sub))Steps to Reproduce
- First, build
wasmtimewith necessary flags:git clone --recursive https://github.com/bytecodealliance/wasmtime.git cd wasmtime RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' cargo build -Zbuild-std --target x86_64-unknown-linux-gnu
Second, make the test case ready:
wat2wasm potential_bug.wat -o potential_bug.wasm
You can just downloadpotential_bug.wasmthat I have added in the beginning to avoid the above step. Please remove.txtextension when you download.watand.wasmfiles.Third, run the test case on wasmtime:
./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasmExpected Results
Wasmtime should execute the WebAssembly module without encountering uninitialized memory use issues, ensuring all memory operations are safely handled.
For example, with the same procedure of building
wasmisuccessfully runs the test case:root@node0:/users/khan22/wasmoi/fuzz/wasmi# ./target/x86_64-unknown-linux-gnu/debug/wasmi_cli potential_bug.wasm --invoke _main executing File("potential_bug.wasm")::_main() ... 329Actual Results
Sanitizer gives warning and AFL++ takes it as a crash. Here is the sanitizer output:
root@node0:/users/khan22/wasmoi/fuzz/wasmtime# ./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasm Uninitialized bytes in write at offset 0 inside [0x71a000000c00, 1389) ==99529==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55feb9f69cec in std::sys::pal::unix::fd::FileDesc::write::ha3fc832500e5c238 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fd.rs:264:13 #1 0x55feb9c28850 in std::sys::pal::unix::fs::File::write::h41198bef047dc205 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fs.rs:1255:9 #2 0x55feb9b58e4d in _$LT$$RF$std..fs..File$u20$as$u20$std..io..Write$GT$::write::haa08d98cd48c315b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:793:9 #3 0x55feb9b5985d in _$LT$std..fs..File$u20$as$u20$std..io..Write$GT$::write::h854811752eb88ea7 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:842:9 #4 0x55feb9b5e664 in std::io::Write::write_all::hded388dcb1f163a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1714:19 #5 0x55feb595c7fa in wasmtime_cache::fs_write_atomic::_$u7b$$u7b$closure$u7d$$u7d$::h7b8f9b0146604dc3 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:229:30 #6 0x55feb57a2db5 in core::result::Result$LT$T$C$E$GT$::and_then::h24c16bdee1bf274d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:1320:22 #7 0x55feb56ea363 in wasmtime_cache::fs_write_atomic::h61d37a247ffb4a3b /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:225:5 #8 0x55feb56e8836 in wasmtime_cache::ModuleCacheEntryInner::update_data::h7a26a86ac4b18b69 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:196:15 #9 0x55feb050e526 in wasmtime_cache::ModuleCacheEntry::get_data_raw::h0e0ce5e69d9bf477 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:101:16 #10 0x55feb00ece98 in wasmtime::runtime::module::Module::from_binary::he3ce7e6771eab48a /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:343:46 #11 0x55fea8d822c3 in wasmtime::runtime::module::Module::new::h7d945685bf10fea3 /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:245:9 #12 0x55fea5c34f5d in wasmtime_cli::common::RunCommon::load_module_contents::h16c473648fed03ba /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:210:47 #13 0x55fea5a4a12b in wasmtime_cli::common::RunCommon::load_module::h37377c99e08814f3 /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:143:24 #14 0x55fea91d97fc in wasmtime_cli::commands::run::RunCommand::execute::h9d0ccf838554191f /users/khan22/wasmoi/fuzz/wasmtime/src/commands/run.rs:133:20 #15 0x55fea411011c in wasmtime::Wasmtime::execute::ha7c5e9271a89675e /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:83:35 #16 0x55fea410a42f in wasmtime::old_cli::main::hd579db9ac12dc4cd /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:178:28 #17 0x55fea4110365 in wasmtime::main::h814a31c86eda7736 /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:108:12 #18 0x55fea412cb75 in core::ops::function::FnOnce::call_once::hf1d12be993795a4b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5 #19 0x55fea411d27f in std::sys_common::backtrace::__rust_begin_short_backtrace::hb713405373e5f485 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:155:18 #20 0x55fea41259c9 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::had0d421972d35716 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:166:18 #21 0x55feb993f122 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h552cf6c368aa488d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13 #22 0x55feb991cca5 in std::panicking::try::do_call::h27b746885389faf6 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #23 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #24 0x55feb99199ac in std::panicking::try::h5c538a58f332d352 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #25 0x55feb9beaaca in std::panic::catch_unwind::hacc2bca7f2a4ae46 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #26 0x55feb9ab2828 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h6a0336a05b99c435 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:48 #27 0x55feb991d088 in std::panicking::try::do_call::h8855f39db5a0a436 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #28 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #29 0x55feb991af58 in std::panicking::try::hb52674eb58a96b04 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #30 0x55feb9beac1a in std::panic::catch_unwind::he2df7432e3edd4c8 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #31 0x55feb9ab21c0 in std::rt::lang_start_internal::h5f61065db59f0b57 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:20 #32 0x55fea4125834 in std::rt::lang_start::h61da8342616a5607 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:165:17 #33 0x55fea4119b34 in main (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x7a3b34) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) #34 0x7f182996ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #35 0x7f182996ae3f in __libc_start_main csu/../csu/libc-start.c:392:3 #36 0x55fea40922b4 in _start (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x71c2b4) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) Uninitialized value was stored to memory at #0 0x55fea40985ea in __msan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1729:3 #1 0x55feba1ace96 in core::intrinsics::copy_nonoverlapping::h8c3e31a7d8d2ac35 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics.rs:2806:9 #2 0x55feba1ace96 in alloc::vec::Vec$LT$T$C$A$GT$::append_elements::h74758734dd1a1ff2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2037:18 Uninitialized value was created by a heap allocation #0 0x55fea40a18d2 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1021:3 #1 0x55feb9f0ca01 in std::sys::pal::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::ha2420e48755 [message truncated]
Wasmtime GitHub notifications bot (Feb 14 2024 at 03:22):khagankhan edited issue #7935:
Thanks for filing a bug report! Please fill out the TODOs below.
Note: if you want to report a security issue, please read our security policy!
Test Case
potential_bug.wat:
potential_bug.wat.txt
potential_bug.wasm:
potential_bug.wasm.txtThe test case:
cat potential_bug.wat:(module (memory $mem 1) (table 0 funcref) (elem (i32.const 0)) (func $main (export "_main") (result i32) (local $i32_storage i32) (local $i64_storage i64) (local $f32_storage f32) (local $f64_storage f64) (local $lift_2 i32) (local $lift_1 i32) local.get $lift_2 local.tee $lift_1 local.set $lift_1 i32.const 329 i32.const 682 i32.load16_s offset=94 align=1 i32.const 639 i32.load8_u offset=90 align=1 i32.shl i32.sub))Steps to Reproduce
- First, build
wasmtimewith necessary flags:git clone --recursive https://github.com/bytecodealliance/wasmtime.git cd wasmtime RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' cargo build -Zbuild-std --target x86_64-unknown-linux-gnu
Second, make the test case ready:
wat2wasm potential_bug.wat -o potential_bug.wasm
You can just downloadpotential_bug.wasmthat I have added in the beginning to avoid the above step. Please remove.txtextension when you download.watand.wasmfiles.Third, run the test case on wasmtime:
./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasmExpected Results
Wasmtime should execute the WebAssembly module without encountering uninitialized memory use issues, ensuring all memory operations are safely handled.
For example, with the same procedure of building
wasmisuccessfully runs the test case:root@node0:/users/khan22/wasmoi/fuzz/wasmi# ./target/x86_64-unknown-linux-gnu/debug/wasmi_cli potential_bug.wasm --invoke _main executing File("potential_bug.wasm")::_main() ... 329Actual Results
Sanitizer gives warning and AFL++ takes it as a crash. Here is the sanitizer output:
root@node0:/users/khan22/wasmoi/fuzz/wasmtime# ./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasm Uninitialized bytes in write at offset 0 inside [0x71a000000c00, 1389) ==99529==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55feb9f69cec in std::sys::pal::unix::fd::FileDesc::write::ha3fc832500e5c238 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fd.rs:264:13 #1 0x55feb9c28850 in std::sys::pal::unix::fs::File::write::h41198bef047dc205 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fs.rs:1255:9 #2 0x55feb9b58e4d in _$LT$$RF$std..fs..File$u20$as$u20$std..io..Write$GT$::write::haa08d98cd48c315b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:793:9 #3 0x55feb9b5985d in _$LT$std..fs..File$u20$as$u20$std..io..Write$GT$::write::h854811752eb88ea7 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:842:9 #4 0x55feb9b5e664 in std::io::Write::write_all::hded388dcb1f163a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1714:19 #5 0x55feb595c7fa in wasmtime_cache::fs_write_atomic::_$u7b$$u7b$closure$u7d$$u7d$::h7b8f9b0146604dc3 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:229:30 #6 0x55feb57a2db5 in core::result::Result$LT$T$C$E$GT$::and_then::h24c16bdee1bf274d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:1320:22 #7 0x55feb56ea363 in wasmtime_cache::fs_write_atomic::h61d37a247ffb4a3b /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:225:5 #8 0x55feb56e8836 in wasmtime_cache::ModuleCacheEntryInner::update_data::h7a26a86ac4b18b69 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:196:15 #9 0x55feb050e526 in wasmtime_cache::ModuleCacheEntry::get_data_raw::h0e0ce5e69d9bf477 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:101:16 #10 0x55feb00ece98 in wasmtime::runtime::module::Module::from_binary::he3ce7e6771eab48a /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:343:46 #11 0x55fea8d822c3 in wasmtime::runtime::module::Module::new::h7d945685bf10fea3 /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:245:9 #12 0x55fea5c34f5d in wasmtime_cli::common::RunCommon::load_module_contents::h16c473648fed03ba /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:210:47 #13 0x55fea5a4a12b in wasmtime_cli::common::RunCommon::load_module::h37377c99e08814f3 /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:143:24 #14 0x55fea91d97fc in wasmtime_cli::commands::run::RunCommand::execute::h9d0ccf838554191f /users/khan22/wasmoi/fuzz/wasmtime/src/commands/run.rs:133:20 #15 0x55fea411011c in wasmtime::Wasmtime::execute::ha7c5e9271a89675e /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:83:35 #16 0x55fea410a42f in wasmtime::old_cli::main::hd579db9ac12dc4cd /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:178:28 #17 0x55fea4110365 in wasmtime::main::h814a31c86eda7736 /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:108:12 #18 0x55fea412cb75 in core::ops::function::FnOnce::call_once::hf1d12be993795a4b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5 #19 0x55fea411d27f in std::sys_common::backtrace::__rust_begin_short_backtrace::hb713405373e5f485 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:155:18 #20 0x55fea41259c9 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::had0d421972d35716 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:166:18 #21 0x55feb993f122 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h552cf6c368aa488d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13 #22 0x55feb991cca5 in std::panicking::try::do_call::h27b746885389faf6 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #23 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #24 0x55feb99199ac in std::panicking::try::h5c538a58f332d352 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #25 0x55feb9beaaca in std::panic::catch_unwind::hacc2bca7f2a4ae46 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #26 0x55feb9ab2828 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h6a0336a05b99c435 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:48 #27 0x55feb991d088 in std::panicking::try::do_call::h8855f39db5a0a436 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #28 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #29 0x55feb991af58 in std::panicking::try::hb52674eb58a96b04 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #30 0x55feb9beac1a in std::panic::catch_unwind::he2df7432e3edd4c8 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #31 0x55feb9ab21c0 in std::rt::lang_start_internal::h5f61065db59f0b57 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:20 #32 0x55fea4125834 in std::rt::lang_start::h61da8342616a5607 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:165:17 #33 0x55fea4119b34 in main (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x7a3b34) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) #34 0x7f182996ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #35 0x7f182996ae3f in __libc_start_main csu/../csu/libc-start.c:392:3 #36 0x55fea40922b4 in _start (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x71c2b4) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) Uninitialized value was stored to memory at #0 0x55fea40985ea in __msan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1729:3 #1 0x55feba1ace96 in core::intrinsics::copy_nonoverlapping::h8c3e31a7d8d2ac35 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics.rs:2806:9 #2 0x55feba1ace96 in alloc::vec::Vec$LT$T$C$A$GT$::append_elements::h74758734dd1a1ff2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2037:18 Uninitialized value was created by a heap allocation #0 0x55fea40a18d2 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1021:3 #1 0x55feb9f0ca01 in std::sys::pal::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::ha2420e48755 [message truncated]
Wasmtime GitHub notifications bot (Feb 14 2024 at 15:09):alexcrichton commented on issue #7935:
Thanks for the report, but I believe that this is a false positive. MemorySanitizer in my experience requires the entire world to be built with msan, which while your build command covers the Rust standard library it doesn't cover the C libraries that Wasmtime uses, notably zstd for the caching that is implemented (which is what this report is coming from). I tried locally to build zstd with
-fsanitize=memoryto see what happened but I got a different error which looked like a false positive in zstd itself. Overall my guess is that msan may not work well on Wasmtime.
Wasmtime GitHub notifications bot (Feb 14 2024 at 16:12):khagankhan closed issue #7935:
Thanks for filing a bug report! Please fill out the TODOs below.
Note: if you want to report a security issue, please read our security policy!
Test Case
potential_bug.wat:
potential_bug.wat.txt
potential_bug.wasm:
potential_bug.wasm.txtThe test case:
cat potential_bug.wat:(module (memory $mem 1) (table 0 funcref) (elem (i32.const 0)) (func $main (export "_main") (result i32) (local $i32_storage i32) (local $i64_storage i64) (local $f32_storage f32) (local $f64_storage f64) (local $lift_2 i32) (local $lift_1 i32) local.get $lift_2 local.tee $lift_1 local.set $lift_1 i32.const 329 i32.const 682 i32.load16_s offset=94 align=1 i32.const 639 i32.load8_u offset=90 align=1 i32.shl i32.sub))Steps to Reproduce
- First, build
wasmtimewith necessary flags:git clone --recursive https://github.com/bytecodealliance/wasmtime.git cd wasmtime RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' cargo build -Zbuild-std --target x86_64-unknown-linux-gnu
Second, make the test case ready:
wat2wasm potential_bug.wat -o potential_bug.wasm
You can just downloadpotential_bug.wasmthat I have added in the beginning to avoid the above step. Please remove.txtextension when you download.watand.wasmfiles.Third, run the test case on wasmtime:
./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasmExpected Results
Wasmtime should execute the WebAssembly module without encountering uninitialized memory use issues, ensuring all memory operations are safely handled.
For example, with the same procedure of building
wasmisuccessfully runs the test case:root@node0:/users/khan22/wasmoi/fuzz/wasmi# ./target/x86_64-unknown-linux-gnu/debug/wasmi_cli potential_bug.wasm --invoke _main executing File("potential_bug.wasm")::_main() ... 329Actual Results
Sanitizer gives warning and AFL++ takes it as a crash. Here is the sanitizer output:
root@node0:/users/khan22/wasmoi/fuzz/wasmtime# ./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasm Uninitialized bytes in write at offset 0 inside [0x71a000000c00, 1389) ==99529==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55feb9f69cec in std::sys::pal::unix::fd::FileDesc::write::ha3fc832500e5c238 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fd.rs:264:13 #1 0x55feb9c28850 in std::sys::pal::unix::fs::File::write::h41198bef047dc205 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fs.rs:1255:9 #2 0x55feb9b58e4d in _$LT$$RF$std..fs..File$u20$as$u20$std..io..Write$GT$::write::haa08d98cd48c315b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:793:9 #3 0x55feb9b5985d in _$LT$std..fs..File$u20$as$u20$std..io..Write$GT$::write::h854811752eb88ea7 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:842:9 #4 0x55feb9b5e664 in std::io::Write::write_all::hded388dcb1f163a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1714:19 #5 0x55feb595c7fa in wasmtime_cache::fs_write_atomic::_$u7b$$u7b$closure$u7d$$u7d$::h7b8f9b0146604dc3 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:229:30 #6 0x55feb57a2db5 in core::result::Result$LT$T$C$E$GT$::and_then::h24c16bdee1bf274d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:1320:22 #7 0x55feb56ea363 in wasmtime_cache::fs_write_atomic::h61d37a247ffb4a3b /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:225:5 #8 0x55feb56e8836 in wasmtime_cache::ModuleCacheEntryInner::update_data::h7a26a86ac4b18b69 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:196:15 #9 0x55feb050e526 in wasmtime_cache::ModuleCacheEntry::get_data_raw::h0e0ce5e69d9bf477 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:101:16 #10 0x55feb00ece98 in wasmtime::runtime::module::Module::from_binary::he3ce7e6771eab48a /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:343:46 #11 0x55fea8d822c3 in wasmtime::runtime::module::Module::new::h7d945685bf10fea3 /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:245:9 #12 0x55fea5c34f5d in wasmtime_cli::common::RunCommon::load_module_contents::h16c473648fed03ba /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:210:47 #13 0x55fea5a4a12b in wasmtime_cli::common::RunCommon::load_module::h37377c99e08814f3 /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:143:24 #14 0x55fea91d97fc in wasmtime_cli::commands::run::RunCommand::execute::h9d0ccf838554191f /users/khan22/wasmoi/fuzz/wasmtime/src/commands/run.rs:133:20 #15 0x55fea411011c in wasmtime::Wasmtime::execute::ha7c5e9271a89675e /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:83:35 #16 0x55fea410a42f in wasmtime::old_cli::main::hd579db9ac12dc4cd /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:178:28 #17 0x55fea4110365 in wasmtime::main::h814a31c86eda7736 /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:108:12 #18 0x55fea412cb75 in core::ops::function::FnOnce::call_once::hf1d12be993795a4b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5 #19 0x55fea411d27f in std::sys_common::backtrace::__rust_begin_short_backtrace::hb713405373e5f485 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:155:18 #20 0x55fea41259c9 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::had0d421972d35716 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:166:18 #21 0x55feb993f122 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h552cf6c368aa488d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13 #22 0x55feb991cca5 in std::panicking::try::do_call::h27b746885389faf6 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #23 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #24 0x55feb99199ac in std::panicking::try::h5c538a58f332d352 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #25 0x55feb9beaaca in std::panic::catch_unwind::hacc2bca7f2a4ae46 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #26 0x55feb9ab2828 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h6a0336a05b99c435 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:48 #27 0x55feb991d088 in std::panicking::try::do_call::h8855f39db5a0a436 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40 #28 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02 #29 0x55feb991af58 in std::panicking::try::hb52674eb58a96b04 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19 #30 0x55feb9beac1a in std::panic::catch_unwind::he2df7432e3edd4c8 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14 #31 0x55feb9ab21c0 in std::rt::lang_start_internal::h5f61065db59f0b57 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:20 #32 0x55fea4125834 in std::rt::lang_start::h61da8342616a5607 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:165:17 #33 0x55fea4119b34 in main (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x7a3b34) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) #34 0x7f182996ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #35 0x7f182996ae3f in __libc_start_main csu/../csu/libc-start.c:392:3 #36 0x55fea40922b4 in _start (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x71c2b4) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d) Uninitialized value was stored to memory at #0 0x55fea40985ea in __msan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1729:3 #1 0x55feba1ace96 in core::intrinsics::copy_nonoverlapping::h8c3e31a7d8d2ac35 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics.rs:2806:9 #2 0x55feba1ace96 in alloc::vec::Vec$LT$T$C$A$GT$::append_elements::h74758734dd1a1ff2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2037:18 Uninitialized value was created by a heap allocation #0 0x55fea40a18d2 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1021:3 #1 0x55feb9f0ca01 in std::sys::pal::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::ha2420e48755 [message truncated]
Wasmtime GitHub notifications bot (Feb 14 2024 at 16:12):khagankhan commented on issue #7935:
Hi, thanks for discussing further! It makes sense. I also built it with ‘-fsanitize=memory’ and experienced the same. I was also thinking that was more likely to be false positive since msan documentation also says so.
Thanks again for discussing this further! I am closing the issue with this comment!
Last updated: Nov 22 2024 at 17:03 UTC