https://support.apple.com/en-us/HT201222
https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
https://technet.microsoft.com/en-us/security/dn469163
https://source.android.com/security/overview/acknowledgements
When translating an offset into wasm memory for a reference, the bounds check is as follows:
At wavm.hpp, line 585:
if(!mem || ptr+sizeof(T) >= IR::numBytesPerPage*Runtime::getMemoryNumPages(mem))
    Runtime::causeException(Exception::Cause::accessViolation);
Here |ptr|'s type is I32, which means it can be a negative value, so in the situation below, when
-sizeof(T) < ptr < 0, ptr+sizeof(T) will be a very small value that bypasses this check.
And later,
T &base = (T)(getMemoryBaseAddress(mem)+ptr);
|base| will point beyond the wasm memory base, which means we can read/write beyond the wasm memory buffer.
This is a submission to the EOS bug bounty program.
This bug is credited to:
Yuki Chen of Qihoo 360 Vulcan Team.
Thank you!
Hi,
In function array_ptr_impl in Binaryen.hpp:
template<typename T>
inline array_ptr<T> array_ptr_impl (interpreter_interface* interface, uint32_t ptr, uint32_t length)
{
    return array_ptr<T>((T*)(interface->get_validated_pointer(ptr, length * (uint32_t)sizeof(T))));
}
Here we have full control of the |length| parameter. In a 32-bit process, length * (uint32_t)sizeof(T) can overflow the 32-bit integer range and produce a very small value, which then bypasses the boundary check in get_validated_pointer and returns an over-sized array_ptr.
Then we can read/write out of bounds of the wasm memory buffer with this over-sized array_ptr.
This is a submission to EOS bug bounty program.
This bug is credited to:
Yuki Chen of Qihoo 360 Vulcan Team.
Thank you!
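The two checks quoted in the reports above, in the shape the reports describe, beside a hardened form of each; this is an added example by the editor, not code from the reports or from the EOS code base. The single 64 KiB page limit and the range-check shape assumed for get_validated_pointer are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout for the demonstration: a single 64 KiB wasm page. */
#define WASM_PAGE_BYTES 65536u
static const uint64_t mem_limit = (uint64_t)WASM_PAGE_BYTES * 1u;

/* Reference check in the shape the first report quotes: ptr is a signed I32 and
   ptr + sizeof(T) is evaluated in size_t, so for -elem_size < ptr < 0 the sum
   wraps to a small value and the check passes. Returns true if access is allowed. */
static bool ref_check_original(int32_t ptr, size_t elem_size) {
    size_t end = (size_t)ptr + elem_size;          /* wraps for small negative ptr */
    return end < mem_limit;
}

/* Hardened form (editor's fix, not the project's patch): wasm addresses are
   unsigned, so reinterpret ptr as uint32_t and add in 64 bits, where no wrap
   is possible; the end of the access must not pass the end of memory. */
static bool ref_check_fixed(int32_t ptr, size_t elem_size) {
    uint64_t start = (uint32_t)ptr;                /* 0 .. 2^32-1, never negative */
    return start + (uint64_t)elem_size <= mem_limit;
}

/* Byte-count computation in the shape the second report quotes, followed by an
   assumed range check of the kind get_validated_pointer performs: the 32-bit
   product length * sizeof(T) wraps for large lengths. */
static bool array_check_original(uint32_t ptr, uint32_t length, size_t elem_size) {
    uint32_t bytes = length * (uint32_t)elem_size; /* may wrap to a small value */
    return (uint64_t)ptr + bytes <= mem_limit;
}

/* Hardened form: reject any length whose byte count would not fit in 32 bits
   before multiplying, then do the range check in 64-bit arithmetic. */
static bool array_check_fixed(uint32_t ptr, uint32_t length, size_t elem_size) {
    if (elem_size != 0 && length > UINT32_MAX / elem_size)
        return false;                              /* product would overflow */
    uint64_t bytes = (uint64_t)length * elem_size;
    return (uint64_t)ptr + bytes <= mem_limit;
}

int main(void) {
    printf("ref check, ptr=-1: original=%d fixed=%d\n",
           ref_check_original(-1, 4), ref_check_fixed(-1, 4));
    printf("array check, len=0x40000001: original=%d fixed=%d\n",
           array_check_original(0, 0x40000001u, 4), array_check_fixed(0, 0x40000001u, 4));
    return 0;
}
```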
Hi,
There is a stack overflow bug in the json parser when parsing nested objects.
There is a function named check_string_depth to handle this situation; it tries to make sure the nesting depth of objects is less than 100.
However, the check is vulnerable and we can bypass it.
How to test:
1. Start nodeos.
2. Execute: python post.py (this sends the malicious json rpc request).
3. Observe the crash.
json.stack.overflow.zip