Stream: git-wasmtime

Topic: wasmtime / issue #7935 Potential Bug: Uninitialized Memor...


Wasmtime GitHub notifications bot (Feb 14 2024 at 02:47):

khagankhan added the bug label to Issue #7935.

Wasmtime GitHub notifications bot (Feb 14 2024 at 02:47):

khagankhan opened issue #7935:

Thanks for filing a bug report! Please fill out the TODOs below.

Note: if you want to report a security issue, please read our security policy!

Test Case

potential_bug.wat:
potential_bug.wat.txt

potential_bug.wasm:
potential_bug.wasm.txt

The test case:

cat potential_bug.wat:

(module
  (memory $mem 1)
  (table 0 funcref)
  (elem (i32.const 0))
  (func $main (export "_main") (result i32)
    (local $i32_storage i32)
    (local $i64_storage i64)
    (local $f32_storage f32)
    (local $f64_storage f64)
    (local $lift_2 i32)
    (local $lift_1 i32)
    local.get $lift_2
    local.tee $lift_1
    local.set $lift_1
    i32.const 329
    i32.const 682
    i32.load16_s offset=94 align=1   ;; reads address 776 of the zero-initialised page
    i32.const 639
    i32.load8_u offset=90 align=1    ;; reads address 729
    i32.shl
    i32.sub))                        ;; 329 - (0 << 0) = 329

Steps to Reproduce

git clone --recursive https://github.com/bytecodealliance/wasmtime.git
cd wasmtime
RUSTFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' RUSTDOCFLAGS='-Zsanitizer=memory -Zsanitizer-memory-track-origins' cargo build -Zbuild-std --target x86_64-unknown-linux-gnu

Expected Results

Wasmtime should execute the WebAssembly module without encountering uninitialized memory use issues, ensuring all memory operations are safely handled.

For example, wasmi built with the same procedure runs the test case successfully:

root@node0:/users/khan22/wasmoi/fuzz/wasmi# ./target/x86_64-unknown-linux-gnu/debug/wasmi_cli potential_bug.wasm --invoke _main
executing File("potential_bug.wasm")::_main() ...
329

Actual Results

The sanitizer gives a warning and AFL++ takes it as a crash. Here is the sanitizer output:

root@node0:/users/khan22/wasmoi/fuzz/wasmtime# ./target/x86_64-unknown-linux-gnu/debug/wasmtime potential_bug.wasm
Uninitialized bytes in write at offset 0 inside [0x71a000000c00, 1389)
==99529==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55feb9f69cec in std::sys::pal::unix::fd::FileDesc::write::ha3fc832500e5c238 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fd.rs:264:13
    #1 0x55feb9c28850 in std::sys::pal::unix::fs::File::write::h41198bef047dc205 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fs.rs:1255:9
    #2 0x55feb9b58e4d in _$LT$$RF$std..fs..File$u20$as$u20$std..io..Write$GT$::write::haa08d98cd48c315b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:793:9
    #3 0x55feb9b5985d in _$LT$std..fs..File$u20$as$u20$std..io..Write$GT$::write::h854811752eb88ea7 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/fs.rs:842:9
    #4 0x55feb9b5e664 in std::io::Write::write_all::hded388dcb1f163a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1714:19
    #5 0x55feb595c7fa in wasmtime_cache::fs_write_atomic::_$u7b$$u7b$closure$u7d$$u7d$::h7b8f9b0146604dc3 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:229:30
    #6 0x55feb57a2db5 in core::result::Result$LT$T$C$E$GT$::and_then::h24c16bdee1bf274d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:1320:22
    #7 0x55feb56ea363 in wasmtime_cache::fs_write_atomic::h61d37a247ffb4a3b /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:225:5
    #8 0x55feb56e8836 in wasmtime_cache::ModuleCacheEntryInner::update_data::h7a26a86ac4b18b69 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:196:15
    #9 0x55feb050e526 in wasmtime_cache::ModuleCacheEntry::get_data_raw::h0e0ce5e69d9bf477 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:101:16
    #10 0x55feb00ece98 in wasmtime::runtime::module::Module::from_binary::he3ce7e6771eab48a /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:343:46
    #11 0x55fea8d822c3 in wasmtime::runtime::module::Module::new::h7d945685bf10fea3 /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:245:9
    #12 0x55fea5c34f5d in wasmtime_cli::common::RunCommon::load_module_contents::h16c473648fed03ba /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:210:47
    #13 0x55fea5a4a12b in wasmtime_cli::common::RunCommon::load_module::h37377c99e08814f3 /users/khan22/wasmoi/fuzz/wasmtime/src/common.rs:143:24
    #14 0x55fea91d97fc in wasmtime_cli::commands::run::RunCommand::execute::h9d0ccf838554191f /users/khan22/wasmoi/fuzz/wasmtime/src/commands/run.rs:133:20
    #15 0x55fea411011c in wasmtime::Wasmtime::execute::ha7c5e9271a89675e /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:83:35
    #16 0x55fea410a42f in wasmtime::old_cli::main::hd579db9ac12dc4cd /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:178:28
    #17 0x55fea4110365 in wasmtime::main::h814a31c86eda7736 /users/khan22/wasmoi/fuzz/wasmtime/src/bin/wasmtime.rs:108:12
    #18 0x55fea412cb75 in core::ops::function::FnOnce::call_once::hf1d12be993795a4b /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
    #19 0x55fea411d27f in std::sys_common::backtrace::__rust_begin_short_backtrace::hb713405373e5f485 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:155:18
    #20 0x55fea41259c9 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::had0d421972d35716 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:166:18
    #21 0x55feb993f122 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h552cf6c368aa488d /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13
    #22 0x55feb991cca5 in std::panicking::try::do_call::h27b746885389faf6 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40
    #23 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02
    #24 0x55feb99199ac in std::panicking::try::h5c538a58f332d352 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19
    #25 0x55feb9beaaca in std::panic::catch_unwind::hacc2bca7f2a4ae46 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14
    #26 0x55feb9ab2828 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h6a0336a05b99c435 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:48
    #27 0x55feb991d088 in std::panicking::try::do_call::h8855f39db5a0a436 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:554:40
    #28 0x55feb9935649 in __rust_try std.122da28cd57439fb-cgu.02
    #29 0x55feb991af58 in std::panicking::try::hb52674eb58a96b04 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:518:19
    #30 0x55feb9beac1a in std::panic::catch_unwind::he2df7432e3edd4c8 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:142:14
    #31 0x55feb9ab21c0 in std::rt::lang_start_internal::h5f61065db59f0b57 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:20
    #32 0x55fea4125834 in std::rt::lang_start::h61da8342616a5607 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:165:17
    #33 0x55fea4119b34 in main (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x7a3b34) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d)
    #34 0x7f182996ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #35 0x7f182996ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #36 0x55fea40922b4 in _start (/users/khan22/wasmoi/fuzz/wasmtime/target/x86_64-unknown-linux-gnu/debug/wasmtime+0x71c2b4) (BuildId: 610286c5a0ebb039bcd5164e91b59e345b38330d)

  Uninitialized value was stored to memory at
    #0 0x55fea40985ea in __msan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1729:3
    #1 0x55feba1ace96 in core::intrinsics::copy_nonoverlapping::h8c3e31a7d8d2ac35 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics.rs:2806:9
    #2 0x55feba1ace96 in alloc::vec::Vec$LT$T$C$A$GT$::append_elements::h74758734dd1a1ff2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2037:18

  Uninitialized value was created by a heap allocation
    #0 0x55fea40a18d2 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1021:3
    #1 0x55feb9f0ca01 in std::sys::pal::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::ha2420e48755
[message truncated]

Wasmtime GitHub notifications bot (Feb 14 2024 at 03:22):

khagankhan edited issue #7935 (the issue body is unchanged from the original post above).

Wasmtime GitHub notifications bot (Feb 14 2024 at 15:09):

alexcrichton commented on issue #7935:

Thanks for the report, but I believe that this is a false positive. MemorySanitizer in my experience requires the entire world to be built with msan, which, while your build command covers the Rust standard library, doesn't cover the C libraries that Wasmtime uses, notably zstd for the caching that is implemented (which is what this report is coming from). I tried locally to build zstd with -fsanitize=memory to see what happened but I got a different error which looked like a false positive in zstd itself. Overall my guess is that msan may not work well on Wasmtime.
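To make the reasoning in this thread mechanical for fuzz-crash triage, here is an added example (not code from the issue, from Wasmtime, or from either participant) in Python: a small parser for MSan reports of the shape quoted above, with a minimal demangler for rustc's legacy symbol mangling and the heuristic alexcrichton describes. If the poisoned bytes originate straight from malloc and every frame on the "stored to memory at" stack is a plain copy (memcpy, Vec::append_elements), no instrumented code ever initialised them, which is what an uninstrumented native dependency such as zstd looks like to MSan. The embedded report is a constructed, condensed copy of the one in the issue; the project root, the escape table and the copy-only frame list are assumptions of this example, and the verdict is a triage hint to prioritise manual review, not proof of a false positive.

```python
"""Triage helper for MemorySanitizer reports from a fuzzed Rust binary.

Parses the warning stack plus the origin stacks added by
-Zsanitizer-memory-track-origins, finds the first frame inside the project
tree, and flags reports whose poisoned bytes were only ever copied, never
written, by instrumented code (the uninstrumented-native-dependency pattern).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of the report shape quoted in the issue.
SAMPLE_REPORT = """\
Uninitialized bytes in write at offset 0 inside [0x71a000000c00, 1389)
==99529==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55feb9f69cec in std::sys::pal::unix::fd::FileDesc::write::ha3fc832500e5c238 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/pal/unix/fd.rs:264:13
    #4 0x55feb9b5e664 in std::io::Write::write_all::hded388dcb1f163a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1714:19
    #5 0x55feb595c7fa in wasmtime_cache::fs_write_atomic::_$u7b$$u7b$closure$u7d$$u7d$::h7b8f9b0146604dc3 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:229:30
    #8 0x55feb56e8836 in wasmtime_cache::ModuleCacheEntryInner::update_data::h7a26a86ac4b18b69 /users/khan22/wasmoi/fuzz/wasmtime/crates/cache/src/lib.rs:196:15
    #10 0x55feb00ece98 in wasmtime::runtime::module::Module::from_binary::he3ce7e6771eab48a /users/khan22/wasmoi/fuzz/wasmtime/crates/wasmtime/src/runtime/module.rs:343:46

  Uninitialized value was stored to memory at
    #0 0x55fea40985ea in __msan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1729:3
    #2 0x55feba1ace96 in alloc::vec::Vec$LT$T$C$A$GT$::append_elements::h74758734dd1a1ff2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2037:18

  Uninitialized value was created by a heap allocation
    #0 0x55fea40a18d2 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1021:3
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s*(.*)$")
SRC_RE = re.compile(r"^(?P<path>.+?):(?P<line>\d+)(?::\d+)?$")
SECTION_RE = re.compile(r"^\s*Uninitialized value was (.+?)\s*$")
HASH_RE = re.compile(r"::h[0-9a-f]{16}$")
# rustc legacy-mangling escapes (assumed subset: the ones seen in the report plus two common ones).
ESCAPES = {"$LT$": "<", "$GT$": ">", "$RF$": "&", "$C$": ",", "$u20$": " ",
           "$u7b$": "{", "$u7d$": "}", "$SP$": "@", "$BP$": "*"}
# Frames that move bytes without initialising them (assumed list for the heuristic).
COPY_ONLY = ("__msan_memcpy", "memcpy", "core::intrinsics::copy_nonoverlapping",
             "alloc::vec::Vec<T,A>::append_elements")


def demangle(sym: str) -> str:
    """Strip the trailing hash and undo legacy escapes, one path element at a time."""
    parts = []
    for elem in HASH_RE.sub("", sym).split("::"):
        if elem.startswith("_$"):          # rustc prefixes '_' when an element would start with '$'
            elem = elem[1:]
        for esc, ch in ESCAPES.items():
            elem = elem.replace(esc, ch)
        parts.append(elem.replace("..", "::"))   # '..' encodes '::' inside an element
    return "::".join(parts)


@dataclass
class Frame:
    index: int
    function: str
    path: Optional[str]
    line: Optional[int]


@dataclass
class Report:
    headline: str = ""
    sections: Dict[str, List[Frame]] = field(default_factory=dict)


def parse_report(text: str) -> Report:
    """Split an MSan report into the warning stack and its origin stacks."""
    rep, current = Report(), None
    for raw in text.splitlines():
        if "WARNING: MemorySanitizer:" in raw:
            rep.headline = raw.split("MemorySanitizer: ", 1)[1].strip()
            current = "warning"
            rep.sections[current] = []
            continue
        sec = SECTION_RE.match(raw)
        if sec:                                   # e.g. "stored to memory at"
            current = sec.group(1)
            rep.sections[current] = []
            continue
        fr = FRAME_RE.match(raw)
        if fr and current is not None:
            src = SRC_RE.match(fr.group(3).strip())
            rep.sections[current].append(Frame(
                int(fr.group(1)), demangle(fr.group(2)),
                src.group("path") if src else None,
                int(src.group("line")) if src else None))
    return rep


def project_frame(rep: Report, project_root: str) -> Optional[Frame]:
    """First frame of the warning stack that lives in the project tree."""
    return next((f for f in rep.sections.get("warning", [])
                 if f.path and f.path.startswith(project_root)), None)


def triage(rep: Report, project_root: str) -> dict:
    """Apply the 'copied but never written by instrumented code' heuristic."""
    pf = project_frame(rep, project_root)
    stored = next((v for k, v in rep.sections.items() if k.startswith("stored to")), [])
    created = next((v for k, v in rep.sections.items() if k.startswith("created by")), [])
    writers = [f.function for f in stored if not f.function.startswith(COPY_ONLY)]
    allocator = created[0].function if created else None
    suspect = allocator in ("malloc", "calloc", "realloc") and not writers
    return {
        "headline": rep.headline,
        "crate": pf.function.split("::")[0] if pf else None,
        "file": pf.path[len(project_root) + 1:] if pf else None,
        "line": pf.line if pf else None,
        "allocator": allocator,
        "writers": writers,
        "verdict": "suspect-uninstrumented-writer" if suspect else "needs-manual-review",
    }


def summarize(text: str, project_root: str) -> str:
    t = triage(parse_report(text), project_root)
    return "\n".join([
        f"MSan: {t['headline']}",
        f"project frame: {t['crate']} {t['file']}:{t['line']}",
        f"origin allocator: {t['allocator']}; instrumented writers: {t['writers'] or 'none'}",
        f"verdict: {t['verdict']}",
    ])


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT, "/users/khan22/wasmoi/fuzz/wasmtime"))
```

For the sample the verdict is suspect-uninstrumented-writer with the project frame in wasmtime_cache at crates/cache/src/lib.rs:229, which is exactly the cache path where zstd-compressed bytes are written out. A genuine Rust-side bug would usually show an instrumented function on the "stored to" stack that produced the bytes, so the writers list is the thing to read before deciding whether to keep the AFL++ crash.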

Wasmtime GitHub notifications bot (Feb 14 2024 at 16:12):

khagankhan closed issue #7935 (the issue body is unchanged from the original post above).

Wasmtime GitHub notifications bot (Feb 14 2024 at 16:12):

khagankhan commented on issue #7935:

Hi, thanks for discussing further! It makes sense. I also built it with '-fsanitize=memory' and experienced the same. I was also thinking that it was more likely to be a false positive, since the msan documentation also says so.

Thanks again for discussing this further! I am closing the issue with this comment!


Last updated: Oct 23 2024 at 20:03 UTC