Submit #719831: wasm3 v0.5.0 and master-branch Memory Corruption (Info)

Title: wasm3 v0.5.0 and master-branch Memory Corruption
Description:

### Description

We discovered a security vulnerability (Segmentation Fault) in Wasm3. The application crashes with a SEGV on READ access within the op_CallIndirect function. This crash is reproducible in RELEASE builds. This confirms that the issue is a memory safety defect (likely an Out-of-Bounds Read) affecting production configurations.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release
- Tools: AddressSanitizer
- Affected Version: `master branch`

### Vulnerability Details

- Target: Wasm3
- Crash Type: Segmentation Fault (SEGV) on READ memory access
- Location: op_CallIndirect (in m3_exec.h or generated core)
- Crash Address: 0x53100003b188

Root Cause Analysis: The stack trace identifies op_CallIndirect as the crashing point. This opcode performs an indirect function call using an index into a table. The ASAN report indicates a READ violation. This suggests that the interpreter attempted to read function data from a table or stack location using an invalid index or pointer, without sufficient bounds checking.

### Reproduce

```
./wasm3 repro
```

Download Link: [repro](https://github.com/oneafter/cve-proofs/blob/main/POC-20251203-04/repro)

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4994==ERROR: AddressSanitizer: SEGV on unknown address 0x53100003b188 (pc 0x561992868352 bp 0x52d000000440 sp 0x7ffe4d888c20 T0)
==4994==The signal is caused by a READ memory access.
    #0 0x561992868352 in op_CallIndirect (/src/repro/wasm3/build/wasm3+0x54352)
    #1 0x56199286fe29 in m3_CallArgv (/src/repro/wasm3/build/wasm3+0x5be29)
    #2 0x561992833aae in repl_call (/src/repro/wasm3/build/wasm3+0x1faae)
    #3 0x561992831034 in main (/src/repro/wasm3/build/wasm3+0x1d034)
    #4 0x7f18178e91c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #5 0x7f18178e928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #6 0x561992832fe4 in _start (/src/repro/wasm3/build/wasm3+0x1efe4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/repro/wasm3/build/wasm3+0x54352) in op_CallIndirect
==4994==ABORTING
```
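The root-cause analysis above describes the defect class (an indirect call dispatched through a table index that is not validated before the table entry is read). As an added illustration, not wasm3's own code and not the reporter's, the following constructed C mini-interpreter shows the three checks the WebAssembly `call_indirect` semantics require before the table entry is used: the index must be inside the table, the element must be initialised, and the callee's type must match the signature expected at the call site. All names (`Table`, `TableEntry`, `call_indirect_checked`, the demo functions and signature ids) are hypothetical; nothing here corresponds to a symbol in `m3_exec.h`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical mini-interpreter types (constructed for this example). */
typedef int32_t (*wasm_fn)(int32_t);

typedef struct {
    wasm_fn  fn;      /* NULL models an uninitialised table element */
    uint32_t sig_id;  /* type id the callee was declared with */
} TableEntry;

typedef struct {
    const TableEntry *elems;
    uint32_t          count;  /* number of valid elements */
} Table;

typedef enum {
    CALL_OK = 0,
    TRAP_OOB,           /* index >= table size */
    TRAP_NULL_ELEM,     /* element never initialised */
    TRAP_SIG_MISMATCH   /* callee type != expected type */
} CallStatus;

/* Constructed signature ids: 1 = (i32) -> i32, 2 = some other type. */
enum { SIG_I32_TO_I32 = 1, SIG_OTHER = 2 };

/* Defect pattern the report describes: the index is trusted and the entry
   is read straight from the table. With idx >= count this reads past the
   array, which is exactly what ASAN flags as an out-of-bounds READ.
   Kept only for contrast; the demo never calls it with a bad index. */
static int32_t call_indirect_unchecked(const Table *t, uint32_t idx, int32_t arg)
{
    return t->elems[idx].fn(arg);
}

/* Hardened dispatch: validate everything before touching the element. */
CallStatus call_indirect_checked(const Table *t, uint32_t idx, uint32_t expected_sig,
                                 int32_t arg, int32_t *result)
{
    if (idx >= t->count)            /* bounds check first, then read the entry */
        return TRAP_OOB;
    const TableEntry *e = &t->elems[idx];
    if (e->fn == NULL)
        return TRAP_NULL_ELEM;
    if (e->sig_id != expected_sig)
        return TRAP_SIG_MISMATCH;
    *result = e->fn(arg);
    return CALL_OK;
}

/* Constructed sample callees and table: slot 1 is deliberately empty,
   slot 2 has a function of a different type. */
static int32_t demo_double(int32_t x) { return x * 2; }
static int32_t demo_negate(int32_t x) { return -x; }

static const TableEntry demo_elems[3] = {
    { demo_double, SIG_I32_TO_I32 },
    { NULL,        0 },
    { demo_negate, SIG_OTHER },
};
const Table demo_table = { demo_elems, 3 };

/* Helpers so a caller (or a test) can inspect outcomes by return value. */
int demo_status(uint32_t idx, uint32_t sig)
{
    int32_t r = 0;
    return (int)call_indirect_checked(&demo_table, idx, sig, 21, &r);
}

/* Returns the call result, or INT32_MIN when the call trapped. */
int32_t demo_value(uint32_t idx, uint32_t sig, int32_t arg)
{
    int32_t r = 0;
    if (call_indirect_checked(&demo_table, idx, sig, arg, &r) != CALL_OK)
        return INT32_MIN;
    return r;
}

int main(void)
{
    static const char *names[] = { "OK", "TRAP_OOB", "TRAP_NULL_ELEM", "TRAP_SIG_MISMATCH" };
    printf("unchecked in-range call: %d\n", call_indirect_unchecked(&demo_table, 0, 21));
    printf("idx 0: %s (%d)\n", names[demo_status(0, SIG_I32_TO_I32)], demo_value(0, SIG_I32_TO_I32, 21));
    printf("idx 1: %s\n", names[demo_status(1, SIG_I32_TO_I32)]);
    printf("idx 2: %s\n", names[demo_status(2, SIG_I32_TO_I32)]);
    printf("idx 3: %s\n", names[demo_status(3, SIG_I32_TO_I32)]);
    printf("idx 0xFFFFFFFF: %s\n", names[demo_status(0xFFFFFFFFu, SIG_I32_TO_I32)]);
    return 0;
}
```

The order of the checks matters: the bounds comparison uses only `idx` and `t->count`, so it can never touch memory beyond the table, and the element is dereferenced only once the index is known to be in range. Comparing with the unsigned element count also means a huge or "negative" index (0xFFFFFFFF here) is rejected the same way as 3.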
Source: https://github.com/wasm3/wasm3/issues/547
User: Oneafter (UID 92781)
Submission: 2025-12-19 10:53 (4 months ago)
Moderation: 2026-01-01 10:23 (13 days later)
Status: Duplicate
VulDB Entry: 339334 [wasm3 up to 0.5.0 m3_exec.h op_SetSlot_i32/op_CallIndirect buffer overflow]
Points: 0
