| Title | wasm3 main branch Resource Consumption |
|---|
| Description | ### Description
We discovered a significant Resource Exhaustion / Denial of Service (DoS) vulnerability in Wasm3. When the interpreter encounters a specific runtime error (specifically `Error: incorrect value count on stack`), it aborts execution but fails to release a massive chunk of allocated memory (~263 MB).
This issue is reproducible in RELEASE builds. This confirms that the leak affects production configurations. In embedded environments or long-running services using Wasm3, this behavior can easily lead to Out-of-Memory (OOM) crashes and service unavailability.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release
- Tools: AddressSanitizer
- Affected Version: `master branch`
### Vulnerability Details
- Target: Wasm3
- Crash Type: Resource Exhaustion / Massive Memory Leak
- Location: `NewCodePage` (allocated via `__interceptor_calloc`)
- Leak Size: 275,841,024 bytes (~263 MB) in a single object.
- Root Cause Analysis: The log shows the error `Error - incorrect value count on stack` immediately preceding the leak report. It appears that `NewCodePage` successfully allocated a very large memory block (likely for JIT/compilation). However, when the subsequent validation of the stack failed, the error handling path triggered an exit/abort without freeing this newly allocated code page. This "error path leak" allows an attacker to exhaust system memory rapidly.
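
The error-path leak described in the root cause analysis, reduced to a minimal C model with the leaky shape next to a hardened one. This is an added example, not wasm3 source and not code from the report; `new_code_page`, `free_code_page`, `validate_stack`, `compile_leaky`, `compile_fixed` and the page registry are hypothetical names, and the 4096-byte page and value counts are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of an error-path leak; NOT wasm3 source. All names are hypothetical. */
#define MAX_PAGES 8
static struct { void *mem; size_t size; } g_pages[MAX_PAGES];  /* registry of live pages */
static void *new_code_page(size_t size) {            /* stand-in for a code page allocator */
    for (int i = 0; i < MAX_PAGES; i++) {
        if (g_pages[i].mem) continue;                 /* slot in use, try the next one */
        void *mem = calloc(1, size);
        if (mem) { g_pages[i].mem = mem; g_pages[i].size = size; }
        return mem;
    }
    return NULL;                                      /* registry full */
}
static void free_code_page(void *mem) {              /* NULL-safe, like free() */
    for (int i = 0; mem && i < MAX_PAGES; i++)
        if (g_pages[i].mem == mem) { free(mem); g_pages[i].mem = NULL; g_pages[i].size = 0; }
}
size_t live_bytes(void) {                             /* bytes held by pages not yet released */
    size_t n = 0;
    for (int i = 0; i < MAX_PAGES; i++) if (g_pages[i].mem) n += g_pages[i].size;
    return n;
}
/* Stand-in for stack validation: fails when the value count differs from the expected one. */
static int validate_stack(int have, int want) { return have == want ? 0 : -1; }
/* Leaky shape: the early return on a validation error abandons the page. */
int compile_leaky(size_t page_size, int have, int want) {
    void *page = new_code_page(page_size);
    if (!page) return -2;
    if (validate_stack(have, want) != 0) return -1;   /* page is never released */
    free_code_page(page);                             /* simplified: success path just releases */
    return 0;
}
/* Hardened shape: every exit, including the error exit, goes through one cleanup label. */
int compile_fixed(size_t page_size, int have, int want) {
    int rc = -2;
    void *page = new_code_page(page_size);
    if (!page) goto cleanup;
    rc = validate_stack(have, want);
cleanup:
    free_code_page(page);
    return rc;
}
int main(void) {                 /* constructed input: 1 value on the stack where 2 are expected */
    int rc = compile_fixed(4096, 1, 2);
    printf("fixed: rc=%d live=%zu\n", rc, live_bytes());
    rc = compile_leaky(4096, 1, 2);
    printf("leaky: rc=%d live=%zu\n", rc, live_bytes());
    return 0;
}
```

Both functions return the same error code for the malformed input; only the leaky one leaves bytes outstanding, which is why a check on live allocations after a failed load catches this class of bug where a return-code check does not.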
### Reproduce
```
./wasm3 repro
```
Download Link: [repro](https://github.com/oneafter/cve-proofs/blob/main/POC-20251203-07/repro)
ASAN report
```
=================================================================
==5649==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 275841024 byte(s) in 1 object(s) allocated from:
#0 0x7fc87af97097 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x55af7fd8bef2 in NewCodePage (/src/repro/wasm3/build/wasm3+0x65ef2)
SUMMARY: AddressSanitizer: 275841024 byte(s) leaked in 1 allocation(s).
```
### Impact
Successful exploitation results in a Denial of Service (DoS) due to massive resource exhaustion. By providing a crafted WebAssembly module, a remote attacker can trigger a ~263 MB memory leak in the error handling path. This leads to immediate Out-of-Memory (OOM) crashes, rendering the host application or device unavailable. The impact is critical in embedded systems and IoT devices (Wasm3's primary target), where such memory consumption typically exceeds physical hardware limits. |
|---|
| Source | ⚠️ https://github.com/wasm3/wasm3/issues/550 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submitted | 2026-02-05 10:38 (2 months ago) |
|---|
| Moderation | 2026-02-08 09:59 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 344934 [wasm3 up to 0.5.0 NewCodePage denial of service] |
|---|
| Points | 20 |
|---|