New issue
Advanced search Search tips
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 6
Cc:



Sign in to add a comment

WebKit: WebAssembly parsing does not correctly check section order

Project Member Reported by natashenka@google.com, Jan 27 Back to list

Issue description

When a WebAssembly binary is parsed in ModuleParser::parse, it is expected to contain certain sections in a certain order, but can also contain custom sections that can appear anywhere in the binary. The ordering check validateOrder() does not adequately check that sections are in the correct order when a binary contains custom sections.

static inline bool validateOrder(Section previous, Section next)
{
    if (previous == Section::Custom)
        return true;
    return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}

If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order.

The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
 
out.html
23.5 KB View Download
new.wasm
2.0 KB Download
Project Member

Comment 1 by natashenka@google.com, Jan 27

Filed in WebKit tracker as https://bugs.webkit.org/show_bug.cgi?id=182208
Project Member

Comment 2 by natashenka@google.com, Feb 21

Labels: -Reported-26-Jan-2018 Reported-2018-Jan-26
Project Member

Comment 3 by natashenka@google.com, Apr 2

This is CVE-2018-4121
Project Member

Comment 4 by natashenka@google.com, Apr 6

Labels: -Restrict-View-Commit
Status: Fixed
Shouldn't this have a CVE label?

Sign in to add a comment