New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 1522 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2018
Cc:



Sign in to add a comment

WebKit: WebAssembly parsing does not correctly check section order

Project Member Reported by natashenka@google.com, Jan 27 2018

Issue description

When a WebAssembly binary is parsed in ModuleParser::parse, it is expected to contain certain sections in a certain order, but can also contain custom sections that can appear anywhere in the binary. The ordering check validateOrder() does not adequately check that sections are in the correct order when a binary contains custom sections.

static inline bool validateOrder(Section previous, Section next)
{
    if (previous == Section::Custom)
        return true;
    return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}

If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order.

The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
 
out.html
23.5 KB View Download
new.wasm
2.0 KB Download
Project Member

Comment 1 by natashenka@google.com, Jan 27 2018

Filed in WebKit tracker as https://bugs.webkit.org/show_bug.cgi?id=182208
Project Member

Comment 2 by natashenka@google.com, Feb 21 2018

Labels: -Reported-26-Jan-2018 Reported-2018-Jan-26
Project Member

Comment 3 by natashenka@google.com, Apr 2 2018

This is CVE-2018-4121
Project Member

Comment 4 by natashenka@google.com, Apr 6 2018

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Shouldn't this have a CVE label?

Sign in to add a comment