A security vulnerability has been identified in wasm-interp version 1.0.29, the WebAssembly interpreter shipped with the WebAssembly Binary Toolkit (WABT). It has been assigned the CVE identifier CVE-2022-43282. This post outlines the vulnerability, shows a code snippet that illustrates where the bug lies, discusses what an attacker can realistically achieve with it, and links to the original references.

Exploit Details

An out-of-bounds read has been discovered in wasm-interp v1.0.29 while parsing a specially crafted WebAssembly binary. The affected code path is OnReturnCallIndirectExpr->GetReturnCallDropKeepCount: the type index immediate of a return_call_indirect instruction, which is fully attacker-controlled, is used to look up a function signature without first being checked against the number of types the module actually declares.

The practical impact of an out-of-bounds read in a parser is a crash of the interpreter process (denial of service) and, depending on what lies beyond the end of the type table, disclosure of adjacent process memory to whatever later consumes the bogus signature. It does not by itself give code execution; the drop and keep counts derived from a bogus signature could, however, desynchronise the interpreter's operand stack, which is why the bug should be treated as more than a simple crash until a fix is available.

Code Snippet

The following code snippet highlights the problematic part of the source code related to the out-of-bounds read vulnerability:

void Interpreter::OnReturnCallIndirectExpr(uint32_t table_index, TypeIndex sig_index) {
  // table_index and sig_index are the instruction's immediates, decoded
  // straight from the attacker-controlled binary.
  ...
  uint32_t callee_index = ReadU32At(pc_); // Also read from the crafted binary
  ...
  uint32_t drop_count, keep_count;
  GetReturnCallDropKeepCount(sig_index, &drop_count, &keep_count); // sig_index is passed through unchecked
  ...
}

void Interpreter::GetReturnCallDropKeepCount(TypeIndex sig_index, uint32_t* out_drop_count, uint32_t* out_keep_count) {
  // No check that sig_index < number of declared types: a crafted index
  // reads past the end of the type table here.
  const FuncType& sig = *GetFuncType(sig_index); // out-of-bounds read
  ...
}

In the snippet above, OnReturnCallIndirectExpr() receives the type index (sig_index) decoded from the instruction's immediates in the attacker-controlled binary and passes it straight to GetReturnCallDropKeepCount(). There it is used as an index into the module's function type table via GetFuncType() without being compared against the table's size. A type index larger than the number of declared types therefore reads past the end of the table: the out-of-bounds read. The fix is the usual one for index-from-input bugs: validate the index against the type section before dereferencing it, and reject the module if it is out of range.
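The following is an added example, not wabt's own code, that models the same lookup in isolation: it decodes the LEB128 immediates of a return_call_indirect instruction, then computes drop/keep counts with the unchecked lookup shown above beside a bounds-checked version. The FuncType layout, the function names, the "keep = params + 1" arithmetic and the sample byte sequences are assumptions made for illustration and are not taken from wabt or from a real module.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example (not wabt's code). FuncType is a simplified stand-in for a
// module's declared function signature.
struct FuncType {
  uint32_t param_count;
  uint32_t result_count;
};

struct DropKeep {
  uint32_t drop;
  uint32_t keep;
};

// Decode an unsigned LEB128 integer, the encoding WebAssembly uses for
// instruction immediates. Returns false on a truncated or over-long value.
bool ReadU32Leb128(const std::vector<uint8_t>& buf, size_t* pos, uint32_t* out) {
  uint32_t result = 0;
  for (int shift = 0; shift < 35; shift += 7) {
    if (*pos >= buf.size()) return false;  // immediate runs off the end of the code
    uint8_t byte = buf[(*pos)++];
    result |= static_cast<uint32_t>(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) {
      *out = result;
      return true;
    }
  }
  return false;  // more than 5 bytes cannot encode a u32
}

// Vulnerable shape: sig_index is dereferenced as-is. A crafted index reads
// past the end of func_types. Only ever call this with an in-range index.
DropKeep GetReturnCallDropKeepCountUnchecked(const std::vector<FuncType>& func_types,
                                             uint32_t sig_index, uint32_t stack_depth) {
  const FuncType& sig = func_types[sig_index];  // no bounds check
  uint32_t keep = sig.param_count + 1;          // assumed: params plus the callee index operand
  return {stack_depth - keep, keep};
}

// Hardened shape: reject an index outside the module's type section before
// touching the table, and refuse a stack that is too shallow for the call.
bool GetReturnCallDropKeepCountChecked(const std::vector<FuncType>& func_types,
                                       uint32_t sig_index, uint32_t stack_depth,
                                       DropKeep* out) {
  if (sig_index >= func_types.size()) return false;  // the CVE's missing check
  const FuncType& sig = func_types[sig_index];
  uint32_t keep = sig.param_count + 1;
  if (stack_depth < keep) return false;
  *out = {stack_depth - keep, keep};
  return true;
}

// Decode the `typeidx tableidx` immediates that follow the return_call_indirect
// opcode (assumed already consumed) and compute drop/keep with the checked path.
bool DecodeReturnCallIndirect(const std::vector<FuncType>& func_types,
                              const std::vector<uint8_t>& code, size_t pos,
                              uint32_t stack_depth, DropKeep* out) {
  uint32_t sig_index = 0, table_index = 0;
  if (!ReadU32Leb128(code, &pos, &sig_index)) return false;
  if (!ReadU32Leb128(code, &pos, &table_index)) return false;
  (void)table_index;  // would be checked against the table section the same way
  return GetReturnCallDropKeepCountChecked(func_types, sig_index, stack_depth, out);
}

// Constructed sample inputs, not taken from a real module.
const std::vector<FuncType> kTypes = {{2, 1}, {0, 0}};            // type 0: 2 params, type 1: 0 params
const std::vector<uint8_t> kValidImm = {0x00, 0x00};               // typeidx 0, tableidx 0
const std::vector<uint8_t> kCraftedImm = {0xff, 0xff, 0x03, 0x00}; // typeidx 65535, tableidx 0
const std::vector<uint8_t> kTruncatedImm = {0xff};                 // immediate cut off mid-LEB128

int main() {
  DropKeep dk{};
  if (DecodeReturnCallIndirect(kTypes, kValidImm, 0, 5, &dk))
    std::printf("valid: drop=%u keep=%u\n", dk.drop, dk.keep);
  if (!DecodeReturnCallIndirect(kTypes, kCraftedImm, 0, 5, &dk))
    std::printf("crafted: rejected (type index out of range)\n");
  if (!DecodeReturnCallIndirect(kTypes, kTruncatedImm, 0, 5, &dk))
    std::printf("truncated: rejected (bad immediate)\n");
  return 0;
}
```

The unchecked function is kept only to show the shape of the bug; the crafted immediates are deliberately routed through the checked path, since feeding them to the unchecked one is exactly the out-of-bounds read the CVE describes.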

Original References

1. WebAssembly Specification: https://webassembly.github.io/spec/core/_download/WebAssembly.pdf

2. wasm-interp Repository: https://github.com/username/wasm-interp

Mitigation

At the time of writing there is no released patch for this vulnerability. Do not use wasm-interp v1.0.29 to parse or run WebAssembly binaries from untrusted sources; if such binaries must be processed with this version, do it in an isolated, low-privilege environment where a crash or memory disclosure is contained. Keep your dependencies updated and follow the official wasm-interp repository for a security fix.

Conclusion

In summary, CVE-2022-43282 is an out-of-bounds read in wasm-interp v1.0.29 in the OnReturnCallIndirectExpr->GetReturnCallDropKeepCount code path, triggered by an unchecked type index in a crafted binary. This post has described the vulnerability, shown a code snippet that illustrates the missing bounds check, discussed the realistic impact (crash and memory disclosure rather than code execution), and linked to the original references. Update your project when a fix is released and stay vigilant for security updates.

Timeline

Published on: 10/28/2022 21:15:00 UTC
Last modified on: 11/01/2022 16:59:00 UTC