[Webkit-unassigned] [Bug 282594] New: ASSERTION FAILED: encValue <= UINT32_MAX

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 5 03:49:06 PST 2024 

https://bugs.webkit.org/show_bug.cgi?id=282594

            Bug ID: 282594
           Summary: ASSERTION FAILED: encValue <= UINT32_MAX
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: xiangwei1895 at gmail.com

Created attachment 473143

  --> https://bugs.webkit.org/attachment.cgi?id=473143&action=review

This file can be usd to reproduce the issue.

I. Summary
A potential integer overflow issue was discovered in WebAssembly's array.new instruction when executed through the slow path. When the array size is calculated through multiplication(Or other operations) that exceeds I32 range, it triggers an assertion failure in the slow path implementation, although memory allocation protections prevent actual exploitation.

II. Root cause:
The multiplication result exceeds I32 range but is preserved in register without truncation.
This value flows directly into the slow path arrayNew function.

PoC:
```
load('./wasm-module-builder.js');
const builder = new WasmModuleBuilder();
let $array0 = builder.addArray(kWasmI32, true, kNoSuperType, false);
let main = builder.addFunction(undefined, kSig_i_iii)
  .exportAs('main')
  .addBody([
    ...wasmI32Const(4294967295),   
    ...wasmI32Const(2), 
    kExprI32Mul, 
    ...wasmI32Const(0),
    kGCPrefix, kExprArrayNew, $array0,
    kExprLocalGet, 0,
    kGCPrefix, kExprArrayGet, $array0,
  ]);
const instance = builder.instantiate({});
```

bt:
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313248192) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737313248192) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737313248192, signo=signo at entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5944476 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff592a7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000555556a6e4fb in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:912
#6  0x0000555558aadcbe in JSC::Wasm::arrayNew (instance=0x7fffec0d4708, typeIndex=0, size=2, encValue=140737488355326)
    at /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmOperationsInlines.h:96
#7  0x0000555558d268fe in slow_path_wasm_array_new (callFrame=0x7fffffffcc10, pc=0x7fffec168125, instance=0x7fffec0d4708)
    at /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:442
#8  0x0000555556defc4b in wasm_array_new ()
#...
instance.exports.main(1, 2, 3);

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241105/6ed6ffa2/attachment-0001.htm>

More information about the webkit-unassigned mailing list