Stream: git-wasmtime

Topic: wasmtime / issue #815 [lightbeam] add overflow in debug m...


Wasmtime GitHub notifications bot (Sep 27 2021 at 17:30):

alexcrichton commented on issue #815:

Lightbeam was removed in https://github.com/bytecodealliance/wasmtime/pull/3390 as explained in RFC 14, so I'm going to close this.

Wasmtime GitHub notifications bot (Sep 27 2021 at 17:30):

alexcrichton closed issue #815:

Issue description

An addition with overflow makes Lightbeam panic when compiled in debug mode.

Note: This issue is similar to https://github.com/bytecodealliance/wasmtime/issues/738. I suspect other overflows like these are in the code.

Overflowed values are then provided to dynasm, meaning that in release mode, Lightbeam will generate assembly code that will try to access invalid memory addresses (like 0x0, kernel addresses, etc.), leading to different errors/panics.

$ ./target/debug/debug_lightbeam load_add_overflow_lightbeam.wasm
thread 'main' panicked at 'attempt to add with overflow', XXX/wasmtime/crates/lightbeam/src/backend.rs:1934:106
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

This issue is related to the macro load! when dealing with the i32.load16_s opcode:

https://github.com/bytecodealliance/wasmtime/blob/420dcd76fd0d684291901c7a6afeb481481dea7e/crates/lightbeam/src/backend.rs#L1932-L1935

Reproduction

Download:
load_add_overflow_lightbeam.zip

or wasm2wat load_add_overflow_lightbeam.wasm :

(module
  (type (;0;) (func))
  (func (;0;) (type 0)
    i32.const 2
    i32.const 1
    i32.load16_s offset=2147483647 align=1
    unreachable)
  (memory (;0;) 1)
  (export "_start" (func 0))
)

Testing program (needs to be compiled in debug mode, i.e. RUSTFLAGS=-g cargo build):

use std::env;
use std::fs::File;
use std::io;
use std::io::Read;
use std::path::PathBuf;

use wasmtime_fuzzing::oracles;
use wasmtime_jit::CompilationStrategy;

/// Read the contents of a file
fn read_contents(path: &PathBuf) -> Result<Vec<u8>, io::Error> {
    let mut buffer: Vec<u8> = Vec::new();
    let mut file = File::open(path)?;
    file.read_to_end(&mut buffer)?;
    drop(file);
    Ok(buffer)
}

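fn main() {
    // First command-line argument: path to the wasm module to compile.
    let args: Vec<String> = env::args().collect();
    let wasm_path = PathBuf::from(&args[1]);
    let wasm_binary: Vec<u8> = read_contents(&wasm_path).unwrap();

    // Compile with the Lightbeam backend; a debug build panics on the overflowing add.
    let _res_compile = oracles::compile(&wasm_binary[..], CompilationStrategy::Lightbeam);
}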

wasmtime commit: 420dcd76fd0d684291901c7a6afeb481481dea7e
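
The arithmetic behind the panic, as an added example that is not part of the original issue or of Lightbeam's code. It assumes the static offset and a constant address operand are folded into one signed 32-bit displacement (all function names are hypothetical), and contrasts the wrapped value with a checked fold and with the WebAssembly rule that the effective address is computed without wrapping.

```rust
// Added illustration; names are hypothetical and not Lightbeam's API.
const WASM_PAGE: u64 = 65536;

/// Release-build behaviour of an unchecked i32 add: the sum silently wraps.
fn folded_disp_wrapping(offset: u32, addr: u32) -> i32 {
    (offset as i32).wrapping_add(addr as i32)
}

/// Checked fold: None means the sum does not fit a signed 32-bit
/// displacement and must not be handed to the assembler.
fn folded_disp_checked(offset: u32, addr: u32) -> Option<i32> {
    let sum = i64::from(offset) + i64::from(addr);
    if sum <= i64::from(i32::MAX) { Some(sum as i32) } else { None }
}

#[derive(Debug, PartialEq)]
enum ConstAccess {
    InBounds(u64),
    Trap,
}

/// WebAssembly semantics: effective address = addr + offset with no
/// wrapping; the access traps when ea + width exceeds the memory size.
fn const_access(offset: u32, addr: u32, width: u64, pages: u64) -> ConstAccess {
    let ea = u64::from(offset) + u64::from(addr);
    if ea + width <= pages * WASM_PAGE {
        ConstAccess::InBounds(ea)
    } else {
        ConstAccess::Trap
    }
}

fn main() {
    // Values from the module above: address operand 1 (top of stack),
    // i32.load16_s offset=2147483647, one page of memory, 2-byte access.
    let (offset, addr) = (2147483647u32, 1u32);
    println!("wrapped displacement: {}", folded_disp_wrapping(offset, addr));
    println!("checked displacement: {:?}", folded_disp_checked(offset, addr));
    println!("wasm semantics:       {:?}", const_access(offset, addr, 2, 1));
}
```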


Last updated: Dec 23 2024 at 12:05 UTC