WebKit - WebAssembly Parsing Does not Correctly Check Section Order

EDB-ID: 44427
Author: Google Security Research
Published: 2018-04-09
CVE: CVE-2018-4121
Type: DoS
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

// JavaScriptCore's section order check as it stood at the time of the report
static inline bool validateOrder(Section previous, Section next)
{
    if (previous == Section::Custom)
        return true;
    return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}

If the previous section was a custom section, the check returns true no matter what the next section is, so every custom section resets the ordering check. By placing a custom section in front of each one, a malicious module can have its sections accepted in any order and can repeat the same section any number of times. The rest of the parser assumes that each non-custom section appears at most once and in the prescribed order, so this leads to a number of possible overflows and type confusion bugs in the structures those sections populate.
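
To make the ordering problem concrete, the following is an added example, not code from the report or from WebKit. It models the section-header walk of a JSC-style parser over two constructed modules: one in spec order and one with an empty custom section wedged between two Function sections. The enum layout (Begin below every real section, Custom mapped above all of them) is an assumption modeled on JSC's internal numbering; the wire IDs 0..11 are the ones from the WebAssembly binary format. validateOrderFixed is one plausible hardening, not WebKit's actual patch, and the byte strings are constructed samples, not the attached PoC.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed layout modeled on JSC's Section enum: Begin sits below every real
// section and Custom (wire ID 0) is mapped above all of them, so a custom
// section always passes the "previous < next" comparison.
enum class Section : uint8_t {
    Begin = 0,
    Type = 1, Import = 2, Function = 3, Table = 4, Memory = 5, Global = 6,
    Export = 7, Start = 8, Element = 9, Code = 10, Data = 11,
    Custom = 12
};

// The check quoted in the report (vulnerable): once `previous` is Custom,
// any `next` is accepted, so the ordering resets after every custom section.
static inline bool validateOrderVulnerable(Section previous, Section next)
{
    if (previous == Section::Custom)
        return true;
    return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}

// Hypothetical fix (not WebKit's patch verbatim): the caller passes the last
// non-custom section, and custom sections never advance the order.
static inline bool validateOrderFixed(Section previousKnown, Section next)
{
    if (next == Section::Custom)
        return true;
    return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next);
}

struct WalkResult {
    bool accepted;           // every section header passed the order check
    size_t sectionsSeen;     // headers accepted before rejection or end of input
    size_t functionSections; // Function sections accepted (the one the PoC repeats)
};

// Unsigned LEB128 decode for section sizes; false on truncation or overlong input.
static bool readVarU32(const std::vector<uint8_t>& m, size_t& off, uint32_t& out)
{
    out = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (off >= m.size()) return false;
        uint8_t b = m[off++];
        out |= static_cast<uint32_t>(b & 0x7f) << shift;
        if (!(b & 0x80)) return true;
    }
    return false;
}

// Walk the section headers of a module with either order check. Payloads are
// skipped: only the ordering decision is modeled here.
static WalkResult walkSections(const std::vector<uint8_t>& m, bool useFixedCheck)
{
    WalkResult r{false, 0, 0};
    static const uint8_t magic[8] = {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00};
    if (m.size() < 8 || !std::equal(magic, magic + 8, m.begin()))
        return r;
    size_t off = 8;
    Section previous = Section::Begin;      // what the vulnerable loop tracks
    Section previousKnown = Section::Begin; // what the fixed loop tracks
    while (off < m.size()) {
        uint8_t id = m[off++];
        if (id > 11) return r;              // unknown section ID
        Section next = id == 0 ? Section::Custom : static_cast<Section>(id);
        uint32_t size;
        if (!readVarU32(m, off, size) || size > m.size() - off) return r;
        bool ok = useFixedCheck ? validateOrderFixed(previousKnown, next)
                                : validateOrderVulnerable(previous, next);
        if (!ok) return r;
        r.sectionsSeen++;
        if (next == Section::Function) r.functionSections++;
        previous = next;
        if (next != Section::Custom) previousKnown = next;
        off += size;                        // skip the payload
    }
    r.accepted = true;
    return r;
}

// Constructed sample: Type, Function, Code in the order the spec requires.
static std::vector<uint8_t> wellFormedModule()
{
    return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
            0x01, 0x04, 0x01, 0x60, 0x00, 0x00,  // Type: one () -> () signature
            0x03, 0x02, 0x01, 0x00,              // Function: one function of type 0
            0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b}; // Code: one empty body
}

// Constructed sample in the shape the bug needs (not the attached PoC):
// an empty-named Custom section between two Function sections.
static std::vector<uint8_t> repeatedFunctionModule()
{
    return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
            0x01, 0x04, 0x01, 0x60, 0x00, 0x00,  // Type
            0x03, 0x02, 0x01, 0x00,              // Function (1st)
            0x00, 0x01, 0x00,                    // Custom: name length 0
            0x03, 0x02, 0x01, 0x00,              // Function (2nd, out of order)
            0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b}; // Code
}

int main()
{
    WalkResult v = walkSections(repeatedFunctionModule(), false);
    WalkResult f = walkSections(repeatedFunctionModule(), true);
    std::printf("vulnerable: accepted=%d, Function sections=%zu\n", v.accepted, v.functionSections);
    std::printf("fixed:      accepted=%d, Function sections=%zu\n", f.accepted, f.functionSections);
}
```

Build with any C++11 compiler and run it: the vulnerable check accepts all five headers of the second module and counts two Function sections, while the hardened check stops at the second Function section. In the real parser the accepted headers are followed by payload parsing, which is where a duplicated Function section overflows the function vector the report describes.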

The attached HTML file causes a crash in Safari; the wasm file it loads is attached as well. This particular use of the bug causes an overflow in the function vector.

Proof of Concept:

