Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

call_indirect not sandboxed properly #76

Open
zyedidia opened this issue Jul 27, 2023 · 3 comments
Open

call_indirect not sandboxed properly #76

zyedidia opened this issue Jul 27, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@zyedidia
Copy link

zyedidia commented Jul 27, 2023
edited
Loading

I noticed that the translation of call_indirect has no dynamic checking needed to enforce sandboxing. For example, this program causes a segmentation fault:

(module
    (memory (;0;) 2)
    (export "memory" (memory 0))
    (type $fntype (func (result i32)))
    (table 32 funcref)
    (func (export "_start") (type $fntype)
        (call_indirect (type $fntype) (i32.const 33))
    )
)

The indirect call gets translated to this:

#define TF(table, index, t) ((t)((table).data[index]))
U32 f0(testInstance*i) {
U32 si0;
si0=33U;
si0=TF(i->t0,si0,U32 (*)(testInstance*))(i);
L0:;
return si0;
}

which directly accesses the function in the table at the requested index and calls it without any checking.

I think there should be several checks:

  • The index must be in the bounds of the table.
  • The function at the requested index must not be null.
  • The type of the function being called must match the requested call_indirect signature.

I think the indirect call tests may be getting skipped due to an unsupported global export, but haven't looked into it.

If w2c2 is intended to be used for sandboxing then this is a vulnerability (if not, then the readme should clearly indicate that this tool is not safe to use for sandboxing).

It also looks like w2c2 does not support indirect calls across multiple modules, even in multi-module mode. Is that correct?

Thanks!
@turbolent
Copy link
Owner

At the moment, w2c2 just translates WebAssembly to C, it does not (yet) have any support for sandboxing translated modules.

Support for sandboxing is not intentionally unavailable, but so far I have not needed it yet – support for sandboxing could be added, and PRs are very welcome! wasm2c employs some techniques that could be ported to w2c2.

@turbolent turbolent added the enhancement New feature or request label Jul 29, 2023
@turbolent
Copy link
Owner

It also looks like w2c2 does not support indirect calls across multiple modules, even in multi-module mode. Is that correct?

How would that look like? Do you have an example?

@zyedidia
Copy link
Author

I don’t have an example on hand at the moment but I think it’s possible to import a function from another module and then put it in an indirect function table. I was mostly looking at the differences between w2c2 and wasm2c and noticed that in wasm2c indirect function calls may use a different target module than the current module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@turbolent @zyedidia