
viccon's Issues

test

WAVM: Incorrect bounds check when translating a reference type can result in buffer overrun

When translating an offset to wasm memory for a reference, the bounds check is as follows:

At wavm.hpp, line 585:

    if(!mem || ptr+sizeof(T) >= IR::numBytesPerPage*Runtime::getMemoryNumPages(mem))
        Runtime::causeException(Exception::Cause::accessViolation);

Here |ptr|'s type is I32, which means it can be a negative value, so in the following situation, when
-sizeof(T) < ptr < 0, ptr+sizeof(T) will be a very small value which can bypass this check.

And later,

    T &base = (T)(getMemoryBaseAddress(mem)+ptr);

|base| will point beyond the wasm memory base, which means we can read/write beyond the wasm memory buffer.

This is a submission to the EOS bug bounty program.

This bug is credited to:

Yuki Chen of Qihoo 360 Vulcan Team.

Thank you!
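To make the sign problem in the quoted check concrete, here is an added example (my own model code, not WAVM's or the reporter's). It reproduces the check as quoted, places a hardened version beside it that treats the wasm address as the unsigned 32-bit offset it is, and runs one store through each against a one-page linear memory with a constructed canary region in front of it. The names WASM_PAGE_BYTES, GUARD_BYTES, model_memory and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bounds check quoted in the report (example code,
 * not WAVM's). One wasm page is 64 KiB; all other names here are this example's own. */
#define WASM_PAGE_BYTES 65536ull
#define GUARD_BYTES     16u

/* The check as quoted: ptr is a signed I32 and is added to sizeof(T).
 * Returns true when the access is allowed (no accessViolation raised). */
static bool original_check_allows(int32_t ptr, size_t elem_size, uint64_t num_pages)
{
    uint64_t limit = WASM_PAGE_BYTES * num_pages;
    /* The usual arithmetic conversions turn a negative ptr into a huge unsigned
     * value; adding elem_size then wraps to a tiny number below `limit`
     * whenever -elem_size < ptr < 0, exactly the window the report describes. */
    return !(ptr + elem_size >= limit);
}

/* Hardened form: treat the wasm address as the unsigned 32-bit offset it is,
 * widen to 64 bits so offset + elem_size cannot wrap, and require the whole
 * element to fit inside linear memory. */
static bool hardened_check_allows(int32_t ptr, size_t elem_size, uint64_t num_pages)
{
    uint64_t offset = (uint32_t)ptr;               /* -1 is 0xFFFFFFFF, not "one byte before base" */
    uint64_t limit  = WASM_PAGE_BYTES * num_pages;
    if ((uint64_t)elem_size > limit) return false; /* keeps the subtraction below well-defined */
    return offset <= limit - (uint64_t)elem_size;  /* same as offset + elem_size <= limit */
}

/* A one-page linear memory with a canary region in front of it, so a store
 * through a negative ptr stays inside one C object and can be observed. */
typedef struct {
    uint8_t guard[GUARD_BYTES];
    uint8_t linear[WASM_PAGE_BYTES];
} model_memory;

typedef bool (*bounds_check)(int32_t, size_t, uint64_t);

/* Mirrors `getMemoryBaseAddress(mem) + ptr` for a 4-byte T: the displacement
 * applied to the base is the *signed* ptr. Returns true if the check let the
 * store happen. */
static bool store_u32(model_memory *mem, int32_t ptr, uint32_t value, bounds_check check)
{
    if (!check(ptr, sizeof(uint32_t), 1)) return false;
    uint8_t *base = (uint8_t *)mem + GUARD_BYTES;   /* same address as mem->linear */
    memcpy(base + ptr, &value, sizeof value);       /* a negative ptr lands in guard[] */
    return true;
}

/* Returns true if every guard byte still holds its initial 0xAA pattern. */
static bool guard_intact(const model_memory *mem)
{
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (mem->guard[i] != 0xAA) return false;
    return true;
}

/* Runs one store at `ptr` under `check` on a freshly filled memory and
 * reports whether the canary in front of linear memory survived. */
static bool canary_survives(int32_t ptr, bounds_check check)
{
    static model_memory mem;
    memset(&mem, 0xAA, sizeof mem);
    store_u32(&mem, ptr, 0x41414141u, check);
    return guard_intact(&mem);
}

int main(void)
{
    printf("ptr=-4 original check allows: %d, guard intact: %d\n",
           original_check_allows(-4, 4, 1), canary_survives(-4, original_check_allows));
    printf("ptr=-4 hardened check allows: %d, guard intact: %d\n",
           hardened_check_allows(-4, 4, 1), canary_survives(-4, hardened_check_allows));
    return 0;
}
```

The hardened check also accepts an element that ends exactly at the end of linear memory (offset + elem_size == limit), which is the usual wasm semantics; the quoted check rejects that case with `>=`, so a fix should review the comparison as well as the sign handling.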

Binaryen: array_ptr_impl can cause buffer overflow in 32-bit build

Hi,

In the function array_ptr_impl in Binaryen.hpp:

    template <typename T>
    inline array_ptr<T> array_ptr_impl (interpreter_interface* interface, uint32_t ptr, uint32_t length)
    {
        return array_ptr<T>((T*)(interface->get_validated_pointer(ptr, length * (uint32_t)sizeof(T))));
    }

Here we have full control of the |length| parameter; in a 32-bit process, length * (uint32_t)sizeof(T) could overflow the 32-bit integer range and result in a very small value, which then bypasses the boundary check in get_validated_pointer and returns an over-sized array_ptr.

Then we can read/write out of the bounds of the wasm memory buffer with this over-sized array_ptr.

This is a submission to the EOS bug bounty program.

This bug is credited to:

Yuki Chen of Qihoo 360 Vulcan Team.

Thank you!
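An added example (my own model code, not Binaryen's, EOS's or the reporter's) of the 32-bit multiplication wrap described above, with the byte-count computation as quoted beside a checked version that multiplies in 64 bits and rejects anything outside the 32-bit range. The range test stands in for get_validated_pointer's check and is written as a subtraction so that ptr + bytes cannot itself overflow. The function names, the 64 KiB memory size and the sample lengths are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the byte-count computation from the report (example
 * code, not Binaryen's or EOS's). `length` is caller-controlled and the
 * arithmetic is deliberately done in uint32_t, as it is on a 32-bit build. */

/* As quoted: length * (uint32_t)sizeof(T). Wraps modulo 2^32, so a huge
 * length can yield a tiny byte count. Never reports failure. */
static bool naive_byte_count(uint32_t length, uint32_t elem_size, uint32_t *out_bytes)
{
    *out_bytes = length * elem_size;
    return true;
}

/* Hardened: multiply in 64 bits and refuse any product that does not fit the
 * 32-bit range the rest of the code assumes. */
static bool checked_byte_count(uint32_t length, uint32_t elem_size, uint32_t *out_bytes)
{
    uint64_t wide = (uint64_t)length * (uint64_t)elem_size;
    if (wide > UINT32_MAX) return false;
    *out_bytes = (uint32_t)wide;
    return true;
}

/* Stand-in for get_validated_pointer's range test: is [ptr, ptr + bytes)
 * inside a linear memory of mem_size bytes? The subtraction form avoids
 * overflow in ptr + bytes. */
static bool range_in_memory(uint32_t ptr, uint32_t bytes, uint32_t mem_size)
{
    return bytes <= mem_size && ptr <= mem_size - bytes;
}

typedef bool (*byte_counter)(uint32_t, uint32_t, uint32_t *);

/* Convenience wrapper: the computed byte count, or -1 when the counter refuses. */
static int64_t byte_count_or_minus1(byte_counter count, uint32_t length, uint32_t elem_size)
{
    uint32_t bytes;
    if (!count(length, elem_size, &bytes)) return -1;
    return (int64_t)bytes;
}

/* Full path: compute the byte count with `count`, then validate the range.
 * Returns true if the array access would be granted. */
static bool array_access_allowed(uint32_t ptr, uint32_t length, uint32_t elem_size,
                                 uint32_t mem_size, byte_counter count)
{
    uint32_t bytes;
    if (!count(length, elem_size, &bytes)) return false;
    return range_in_memory(ptr, bytes, mem_size);
}

int main(void)
{
    const uint32_t mem = 65536u;                    /* constructed one-page linear memory */
    /* 0x40000001 * 4 = 0x100000004, which truncates to 4 in 32 bits. */
    printf("naive:   %d\n", array_access_allowed(0, 0x40000001u, 4, mem, naive_byte_count));
    printf("checked: %d\n", array_access_allowed(0, 0x40000001u, 4, mem, checked_byte_count));
    return 0;
}
```

The same shape applies to any size computed from an untrusted count: either widen before multiplying, as here, or use the compiler's overflow-checked builtins, and make the range test itself immune to wrap.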

Parsing nested objects in JSON results in a segmentation fault

Hi,

There is a stack overflow bug in the JSON parser when parsing nested objects.

There is a function named check_string_depth to handle such situations; it tries to make sure the nested objects' depth is less than 100.

However the check is vulnerable and we can bypass it.

How to test:

1. Start nodeos.

2. Execute:
       python post.py
   to send the malicious JSON RPC request.

3. Observe the crash.

Attachment: json.stack.overflow.zip
