Submission #761305: wren-lang wren main-branch Heap-based Buffer Overflow info

Title: wren-lang wren main-branch Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap-buffer-overflow (specifically an underflow) vulnerability in Wren. The crash occurs in resolveLocal (triggering bcmp) when the compiler attempts to parse a deeply nested structure (likely nested loops or blocks). The ASAN report shows an extremely deep call stack (~300+ frames) of recursive parsing functions (statement -> definition -> finishBlock). This deep recursion likely leads to memory corruption or an invalid pointer calculation when resolving local variables, causing a read access 766 bytes before the allocated source buffer.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: Wren (wren-lang)
- Vulnerability Type: CWE-674: Uncontrolled Recursion / CWE-125: Out-of-bounds Read
- Function: resolveLocal (calling bcmp)
- Location: src/vm/wren_compiler.c:1539
- Root Cause Analysis: The parser allows excessive nesting of code blocks or control structures.

```
// Recurring pattern in stack trace:
#-15 loopBody
#-16 forStatement
#-17 statement
#-18 definition
#-19 finishBlock
...
```

This recursive descent parser consumes stack space and likely pushes compiler state (locals, scopes) onto an internal stack. When the nesting is too deep, resolveLocal attempts to look up a variable name. Due to the depth, an index calculation for the local variable lookup might become negative or invalid, or the internal compiler state might be corrupted, causing bcmp to read memory preceding the valid heap allocation.

### Reproduce

1. Build wren and harness with Release optimization and ASAN enabled.
<details>
<summary>harness.c</summary>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "wren.h"

// Silence VM output and compile errors; the harness only exists to feed
// the input file to the compiler under ASan.
void writeFn(WrenVM* vm, const char* text) { }

void errorFn(WrenVM* vm, WrenErrorType type, const char* module,
             int line, const char* message) { }

int main(int argc, char** argv)
{
  if (argc < 2) return 1;

  FILE* f = fopen(argv[1], "rb");
  if (!f) return 1;

  // Read the whole file into a NUL-terminated buffer.
  fseek(f, 0, SEEK_END);
  long length = ftell(f);
  fseek(f, 0, SEEK_SET);
  if (length < 0) { fclose(f); return 1; }

  char* buffer = (char*)malloc(length + 1);
  if (!buffer) { fclose(f); return 1; }

  if (fread(buffer, 1, length, f) != (size_t)length)
  {
    free(buffer);
    fclose(f);
    return 1;
  }
  buffer[length] = '\0';
  fclose(f);

  WrenConfiguration config;
  wrenInitConfiguration(&config);
  config.writeFn = writeFn;
  config.errorFn = errorFn;

  // Compiling the source is enough to reach the crash; the result is unused.
  WrenVM* vm = wrenNewVM(&config);
  WrenInterpretResult result = wrenInterpret(vm, "main", buffer);
  (void)result;
  wrenFreeVM(vm);
  free(buffer);
  return 0;
}
```

</details>

2. Run with the crashing [file](https://github.com/oneafter/0122/blob/main/i1218/repro):

```
./bin/harness repro
```

<details>
<summary>ASAN report</summary>

```
==96037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x530000000102 at pc 0x564f0da94848 bp 0x7fffe1d97780 sp 0x7fffe1d96f28
READ of size 1 at 0x530000000102 thread T0
    #0 0x564f0da94847 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/src/wren/bin/fuzz_wren+0x53847) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)
    #1 0x564f0da94bc0 in bcmp (/src/wren/bin/fuzz_wren+0x53bc0) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)
    #2 0x564f0db75ce2 in resolveLocal /src/wren/projects/make/../../src/vm/wren_compiler.c:1539:9
    #3 0x564f0db75ce2 in resolveNonmodule /src/wren/projects/make/../../src/vm/wren_compiler.c:1624:20
    #4 0x564f0db75ce2 in name /src/wren/projects/make/../../src/vm/wren_compiler.c:2375:23
    #5 0x564f0db85edd in parsePrecedence /src/wren/projects/make/../../src/vm/wren_compiler.c:2849:3
    #6 0x564f0db85edd in expression /src/wren/projects/make/../../src/vm/wren_compiler.c:2863:3
    #7 0x564f0db85edd in namedCall /src/wren/projects/make/../../src/vm/wren_compiler.c:2099:5
    #8 0x564f0db87d44 in parsePrecedence /src/wren/projects/make/../../src/vm/wren_compiler.c:2849:3
    #9 0x564f0db87d44 in expression /src/wren/projects/make/../../src/vm/wren_compiler.c:2863:3
    #10 0x564f0db87d44 in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1779:5
    #11 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #12 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #13 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #14 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #15 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #16 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #17 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #18 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #19 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #20 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #21 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #22 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #23 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #24 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #25 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #26 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #27 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #28 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #29 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #30 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #31 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #32 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #33 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #34 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #35 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #36 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #37 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #38 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #39 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #40 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #41 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #42 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #43 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #44 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #45 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #46 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #47 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #48 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #49 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #50 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #51 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #52 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #53 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #54 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #55 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #56 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #57 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #58 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #59 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #60 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #61 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #62 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #63 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #64 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #65 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #66 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #67 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #68 0x564
```

</details>
Source: https://github.com/wren-lang/wren/issues/1218
User: Oneafter (UID 92781)
Submitted: 2026-02-18 14:43 (2 months ago)
Moderated: 2026-02-28 15:50 (10 days later)
Status: accepted
VulDB entry: 348271 [wren-lang wren up to 0.4.0 src/vm/wren_compiler.c resolveLocal denial of service]
Points: 20
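The root-cause section above attributes the crash to a recursive-descent parser with no bound on nesting depth (CWE-674). As an added illustration, not Wren's code and not the reporter's, here is a toy block parser that carries an explicit depth counter and rejects over-nested input before the recursion can exhaust the stack or corrupt compiler state; the grammar, the MAX_NESTING value and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy grammar (assumed for this example):
 *   block := '{' item* '}'      item := 's' ';' | block
 * Every nested block costs one recursion level, so depth is tracked
 * explicitly and capped, which is the guard CWE-674 asks for. */
#define MAX_NESTING 64
enum { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };

static int parse_block(const char **p, int depth)
{
    if (depth > MAX_NESTING) return PARSE_TOO_DEEP; /* fail before the stack does */
    if (**p != '{') return PARSE_SYNTAX;
    (*p)++;
    while (**p != '}') {
        if (**p == '{') {
            int rc = parse_block(p, depth + 1);     /* one level deeper */
            if (rc != PARSE_OK) return rc;
        } else if (**p == 's' && (*p)[1] == ';') {
            *p += 2;                                /* leaf statement */
        } else {
            return PARSE_SYNTAX;                    /* includes premature NUL */
        }
    }
    (*p)++;                                         /* consume '}' */
    return PARSE_OK;
}

/* Parse a whole program: exactly one top-level block, nothing trailing. */
int parse_program(const char *src)
{
    const char *p = src;
    int rc = parse_block(&p, 1);
    if (rc != PARSE_OK) return rc;
    return *p == '\0' ? PARSE_OK : PARSE_SYNTAX;
}

/* Constructed input: n nested blocks around one statement, then parsed.
 * Returns PARSE_TOO_DEEP once n exceeds MAX_NESTING instead of crashing. */
int nested_depth_result(int n)
{
    char buf[4096];
    if (n < 0 || (size_t)(2 * n + 2) >= sizeof buf) return PARSE_SYNTAX;
    memset(buf, '{', n);
    memcpy(buf + n, "s;", 2);
    memset(buf + n + 2, '}', n);
    buf[2 * n + 2] = '\0';
    return parse_program(buf);
}
```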
