
[BUG] Assertion in_function_body failed in function LogOpcode at src/binary-reader-objdump.cc:661 #2574


Open
JJLeo opened this issue Mar 31, 2025 · 3 comments

Comments

@JJLeo

JJLeo commented Mar 31, 2025

Description

  • Version: Latest commit a60eb26
  • Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8

Steps to reproduce

export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer -stdlib=libc++"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"

mkdir build
cd build
cmake .. -DBUILD_TESTS=OFF
cmake --build . --parallel
cd ..

wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/wabt/wasm_objdump_fuzzer.cc
$CXX $CXXFLAGS -std=c++17 -I. -Ibuild -Ibuild/include -Iinclude ./wasm_objdump_fuzzer.cc \
        ./src/binary-reader-objdump.cc $LIB_FUZZING_ENGINE ./build/libwabt.a \
        -o ./wasm_objdump_fuzzer
wget https://github.com/user-attachments/files/19529411/wabt_crash.txt
./wasm_objdump_fuzzer wabt_crash.txt

Sanitizer output

root@d2e345339c4a:/src/wabt# ./wasm_objdump_fuzzer /root/wabt_crash.in 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1467574552
INFO: Loaded 1 modules   (2382 inline 8-bit counters): 2382 [0x619f05b0c758, 0x619f05b0d0a6), 
INFO: Loaded 1 PC tables (2382 PCs): 2382 [0x619f05b0d0a8,0x619f05b16588), 
./wasm_objdump_fuzzer: Running 1 inputs 1 time(s) each.
Running: /root/wabt_crash.in
dummy:  file format wasm 0x1
000000a: error: invalid section code: 48
000003c: error: invalid section code: 48
0000046: error: invalid section code: 48
0000050: error: invalid load alignment: 48

Sections:

     Elem start=0x00000049 end=0x00000051 (size=0x00000008) count: 1

Section Details:

Elem[1]:

Code Disassembly:

wasm_objdump_fuzzer: ./src/binary-reader-objdump.cc:661: void wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::LogOpcode(const char *, ...): Assertion `in_function_body' failed.
==39484== ERROR: libFuzzer: deadly signal
    #0 0x619f05801221 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x619f057061b8 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x619f056e9553 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
    #3 0x7699ff50041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 5cfb896dd40f90aa8c6c8bb856004d1f5cfe293c)
    #4 0x7699ff2f400a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #5 0x7699ff2d3858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #6 0x7699ff2d3728  (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #7 0x7699ff2e4fd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #8 0x619f0587bee6 in wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::LogOpcode(char const*, ...) /src/wabt/./src/binary-reader-objdump.cc:661:3
    #9 0x619f05875c30 in wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::OnCallIndirectExpr(unsigned int, unsigned int) /src/wabt/./src/binary-reader-objdump.cc:829:5
    #10 0x619f058be75f in wabt::(anonymous namespace)::BinaryReader::ReadInstructions(unsigned long, char const*) /src/wabt/src/binary-reader.cc:957:9
    #11 0x619f058b8feb in wabt::(anonymous namespace)::BinaryReader::ReadInitExpr(unsigned int) /src/wabt/src/binary-reader.cc:600:3
    #12 0x619f058a6f48 in wabt::(anonymous namespace)::BinaryReader::ReadElemSection(unsigned long) /src/wabt/src/binary-reader.cc:2812:7
    #13 0x619f0589e89b in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /src/wabt/src/binary-reader.cc:3041:26
    #14 0x619f0589ccd9 in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /src/wabt/src/binary-reader.cc:3119:3
    #15 0x619f0589bfa9 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /src/wabt/src/binary-reader.cc:3141:17
    #16 0x619f0583e0cf in wabt::ReadBinaryObjdump(unsigned char const*, unsigned long, wabt::ObjdumpOptions*, wabt::ObjdumpState*) /src/wabt/./src/binary-reader-objdump.cc:2512:14
    #17 0x619f058361d0 in LLVMFuzzerTestOneInput /src/wabt/./wasm_objdump_fuzzer.cc:36:3
    #18 0x619f056eaa60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x619f056d5cd5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x619f056db76f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x619f05706a12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7699ff2d5082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #23 0x619f056cdebd in _start (/src/wabt/wasm_objdump_fuzzer+0xecebd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

POC

wabt_crash.txt

Credit

Reported by Yifan Zhang, PLL
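The sanitizer output above carries everything needed to tell this report apart from other fuzzer findings: the assert expression and the in-project call chain ReadElemSection → ReadInitExpr → ReadInstructions → OnCallIndirectExpr → LogOpcode. The following is an added triage example (not part of this issue and not wabt code) that turns such a libFuzzer/assert report into a stable bucket key, ignoring the load addresses, pid and compiler-rt/libc frames that differ between runs and machines. The abridged log embedded as SAMPLE_OUTPUT is a constructed copy of the trace in this issue; the project root "/src/wabt/" and the helper names are assumptions for the example.

```python
"""Crash bucketing for libFuzzer / sanitizer reports (added example, not wabt code).

Derive a stable signature from the text a fuzzer prints when the target dies:
the failure kind (assert expression, or the sanitizer error class) plus the
first few stack frames inside the project's own sources. Frames from
compiler-rt, libc and the fuzzer driver are ignored because they are the
same for every unrelated bug, and addresses/pids are never part of the key.
"""
import hashlib
import os
import re
from dataclasses import dataclass

# One symbolized frame: "#8 0x... in <function> <path>:<line>[:<col>]".
# Frames without source info (libc, libpthread) do not match and are skipped.
FRAME_RE = re.compile(
    r"^\s*#(?P<num>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+"
    r"(?P<path>\S+?):(?P<line>\d+)(?::\d+)?\s*$", re.M)
# glibc assert message: "...: Assertion `expr' failed."
ASSERT_RE = re.compile(r"Assertion `(?P<expr>[^']+)' failed")
# Sanitizer / libFuzzer banner: "==PID==ERROR: AddressSanitizer: heap-buffer-overflow ..."
ERROR_RE = re.compile(r"^==\d+==\s*ERROR: (?P<tool>[^:]+): (?P<kind>.+)$", re.M)

# Constructed sample: an abridged copy of the sanitizer output in this issue.
SAMPLE_OUTPUT = """\
wasm_objdump_fuzzer: ./src/binary-reader-objdump.cc:661: void wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::LogOpcode(const char *, ...): Assertion `in_function_body' failed.
==39484== ERROR: libFuzzer: deadly signal
    #0 0x619f05801221 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #3 0x7699ff50041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 5cfb896d)
    #4 0x7699ff2f400a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 0323ab48)
    #7 0x7699ff2e4fd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: 0323ab48)
    #8 0x619f0587bee6 in wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::LogOpcode(char const*, ...) /src/wabt/./src/binary-reader-objdump.cc:661:3
    #9 0x619f05875c30 in wabt::(anonymous namespace)::BinaryReaderObjdumpDisassemble::OnCallIndirectExpr(unsigned int, unsigned int) /src/wabt/./src/binary-reader-objdump.cc:829:5
    #10 0x619f058be75f in wabt::(anonymous namespace)::BinaryReader::ReadInstructions(unsigned long, char const*) /src/wabt/src/binary-reader.cc:957:9
    #11 0x619f058b8feb in wabt::(anonymous namespace)::BinaryReader::ReadInitExpr(unsigned int) /src/wabt/src/binary-reader.cc:600:3
    #12 0x619f058a6f48 in wabt::(anonymous namespace)::BinaryReader::ReadElemSection(unsigned long) /src/wabt/src/binary-reader.cc:2812:7
    #17 0x619f058361d0 in LLVMFuzzerTestOneInput /src/wabt/./wasm_objdump_fuzzer.cc:36:3
SUMMARY: libFuzzer: deadly signal
"""


@dataclass(frozen=True)
class Frame:
    num: int
    func: str
    path: str
    line: int


@dataclass(frozen=True)
class CrashSignature:
    kind: str
    frames: tuple
    bucket: str  # short sha256 over kind + frames, usable as a dedup key


def parse_frames(text):
    """Symbolized frames of the first stack trace in the report (ASan reports
    may append allocation traces; stop when the frame numbering restarts)."""
    frames = []
    for m in FRAME_RE.finditer(text):
        num = int(m.group("num"))
        if frames and num == 0:
            break
        frames.append(Frame(num, m.group("func"), m.group("path"), int(m.group("line"))))
    return frames


def normalize_func(func):
    """Drop anonymous-namespace noise and the parameter list; the qualified
    name alone identifies the frame and survives signature changes."""
    func = func.replace("(anonymous namespace)::", "")
    paren = func.find("(")
    return func if paren < 0 else func[:paren]


def failure_kind(text):
    """Prefer the assert expression; fall back to the sanitizer error class
    with the per-run address/pc details stripped."""
    m = ASSERT_RE.search(text)
    if m:
        return "assert: " + m.group("expr")
    m = ERROR_RE.search(text)
    if m:
        kind = re.split(r" (?:on|at) ", m.group("kind"), maxsplit=1)[0]
        return f"{m.group('tool')}: {kind}"
    return "unknown"


def crash_signature(text, project_root="/src/wabt/", depth=3):
    """Bucket key: failure kind + first `depth` frames under project_root.
    Edge case: a crash with no project frames falls back to any frames."""
    root = os.path.normpath(project_root)
    frames = parse_frames(text)
    in_project = [f for f in frames if os.path.normpath(f.path).startswith(root + os.sep)]
    parts = []
    for f in (in_project or frames)[:depth]:
        path = os.path.normpath(f.path)
        if path.startswith(root + os.sep):
            path = path[len(root) + 1:]  # relative to the project root
        parts.append(f"{normalize_func(f.func)}@{path}:{f.line}")
    kind = failure_kind(text)
    digest = hashlib.sha256("\n".join([kind, *parts]).encode()).hexdigest()[:16]
    return CrashSignature(kind=kind, frames=tuple(parts), bucket=digest)


if __name__ == "__main__":
    sig = crash_signature(SAMPLE_OUTPUT)
    print(sig.bucket, sig.kind)
    for frame in sig.frames:
        print("   ", frame)
```

Running the block on SAMPLE_OUTPUT yields the kind "assert: in_function_body" and the three frames LogOpcode, OnCallIndirectExpr and ReadInstructions, so a second report of the same defect from a different machine (other load addresses, other pid) hashes to the same bucket, while a crash with a different top project frame does not.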

@JJLeo
Author

JJLeo commented Apr 5, 2025

Please let me know if you encounter any issues reproducing it — I can upload a Docker image to help.

@sbc100
Member

sbc100 commented Apr 7, 2025

If you have a proposed fix then that would be most welcome. However, I don't know of anyone who works on wabt who has time to devote to fixing this type of fuzz bug, I'm afraid. If you have an issue that affects real world wasm programs that might get more attention.

@JJLeo
Author

JJLeo commented Apr 20, 2025

Thanks for your response. I get the situation, and I'll work on fixing the issue on my side. I'll share a fix once I have it ready.
