
[Bug] Assertion failed type.IsReferenceWithIndex() in wabt::convertRefNullToRef #2675

@oneafter

Description

We encountered a SIGABRT (Assertion Failure) in wasm-interp. The crash occurs within the type checker logic when processing a malformed WebAssembly binary using the --enable-all flag.

The assertion fails in wabt::convertRefNullToRef, which is called during the validation of the ref.as_non_null instruction. This indicates that the validator encountered a reference type that it expected to have a type index, but the actual type did not satisfy IsReferenceWithIndex().

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Tools: gdb

Vulnerability Details

  • Target: wasm-interp
  • Crash Type: Assertion Failure (SIGABRT)
  • Location: src/type-checker.cc:588
  • Assertion: Assertion type.IsReferenceWithIndex() failed
  • Root Cause Analysis: The stack trace shows the path: ReadCodeSection -> ReadFunctionBody -> ReadInstructions -> OnRefAsNonNullExpr -> SharedValidator::OnRefAsNonNull -> TypeChecker::OnRefAsNonNullExpr -> convertRefNullToRef. The function convertRefNullToRef assumes the incoming type is a reference with an index. However, the input binary seemingly provides a type that violates this assumption, triggering the assertion in Debug builds.

Reproduce

gdb --args ./wasm-interp --enable-all ./repro
r
bt

Download Link: repro

Stack Trace (GDB)

wasm-interp: /src/wabt/src/type-checker.cc:588: Type wabt::convertRefNullToRef(Type): Assertion `type.IsReferenceWithIndex()' failed.

Program received signal SIGABRT, Aborted.
0x00007f9afefecb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f9afefecb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f9afef9327e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f9afef768ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f9afef7681b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f9afef89517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00005573df7f3174 in wabt::convertRefNullToRef (type=...)
    at /src/wabt/src/type-checker.cc:588
#6  wabt::TypeChecker::OnRefAsNonNullExpr (this=<optimized out>)
    at /src/wabt/src/type-checker.cc:941
#7  0x00005573df7c2db1 in wabt::SharedValidator::OnRefAsNonNull (
    this=<optimized out>, loc=...) at /src/wabt/src/shared-validator.cc:1135
#8  0x00005573df63c77d in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnRefAsNonNullExpr (this=0x7f9afd600860)
    at /src/wabt/src/interp/binary-reader-interp.cc:1473
#9  0x00005573df768e24 in wabt::(anonymous namespace)::BinaryReader::ReadInstructions (this=<optimized out>, end_offset=<optimized out>, 
    context=<optimized out>) at /src/wabt/src/binary-reader.cc:1945
#10 0x00005573df777631 in wabt::(anonymous namespace)::BinaryReader::ReadFunctionBody (this=0x59dc, end_offset=23004) at /src/wabt/src/binary-reader.cc:735
#11 0x00005573df756449 in wabt::(anonymous namespace)::BinaryReader::ReadCodeSection (this=0x7f9afd400220, section_size=<optimized out>)
    at /src/wabt/src/binary-reader.cc:3003
#12 0x00005573df7458ea in wabt::(anonymous namespace)::BinaryReader::ReadSections (this=0x7f9afd400220, options=...) at /src/wabt/src/binary-reader.cc:3156
#13 0x00005573df744081 in wabt::(anonymous namespace)::BinaryReader::ReadModule
    (this=0x7f9afd400220, options=...) at /src/wabt/src/binary-reader.cc:3230
#14 wabt::ReadBinary (data=0x5120000001c0, size=279, delegate=<optimized out>, 
    options=...) at /src/wabt/src/binary-reader.cc:3252
#15 0x00005573df61d79c in wabt::interp::ReadBinaryInterp (filename=..., 
    data=<optimized out>, size=<optimized out>, options=..., 
    errors=0x7f9afd700610, out_module=<optimized out>)
    at /src/wabt/src/interp/binary-reader-interp.cc:1821
#16 0x00005573df5d69d4 in ReadModule (
    module_filename=0x7fff4b4085a1 "/src/wabt/fuzz_out/master/crashes/id:000001,sig:06,src:003772,time:27357795,execs:1488824,op:havoc,rep:1", 
    errors=0x7f9afd700610, out_module=<optimized out>)
    at /src/wabt/src/tools/wasm-interp.cc:324
#17 ReadAndRunModule (
    module_filename=0x7fff4b4085a1 "/src/wabt/fuzz_out/master/crashes/id:000001,sig:06,src:003772,time:27357795,execs:1488824,op:havoc,rep:1")
    at /src/wabt/src/tools/wasm-interp.cc:351
#18 ProgramMain (argc=<optimized out>, argv=<optimized out>)
    at /src/wabt/src/tools/wasm-interp.cc:450
#19 0x00007f9afef781ca in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#20 0x00007f9afef7828b in __libc_start_main ()
   from /lib/x86_64-linux-gnu/libc.so.6
#21 0x00005573df4ee935 in _start ()
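When triaging a fuzzer-found crash like this one, the first two things a reviewer wants are a known-good baseline that exercises the same instruction and a way to narrow the crash file down to the function bodies that contain it. The script below is an added example written for that purpose; it is not code from the issue author or from the wabt project, and it does not reproduce the crash. It assumes the WebAssembly v1 binary layout, `funcref` = 0x70, and the function-references opcodes `ref.null` = 0xD0 and `ref.as_non_null` = 0xD4 (the proposal that `--enable-all` turns on). The file name `ref_as_non_null.wasm` is arbitrary.

```python
"""Minimal WebAssembly binary builder and section walker.

Added example for triaging the wasm-interp assertion above; not code from
the wabt project or the issue author. Assumptions: wasm binary format v1,
funcref = 0x70, ref.null = 0xD0, ref.as_non_null = 0xD4 (function-references
proposal, which wabt enables with --enable-all).
"""
import struct

FUNCREF = 0x70
OP_REF_NULL = 0xD0
OP_REF_AS_NON_NULL = 0xD4
OP_END = 0x0B

SEC_TYPE, SEC_FUNCTION, SEC_CODE = 1, 3, 10


def uleb128(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(data: bytes, pos: int):
    """Decode unsigned LEB128 at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def section(sec_id: int, payload: bytes) -> bytes:
    """Wrap a payload as a section: id byte, LEB128 size, contents."""
    return bytes([sec_id]) + uleb128(len(payload)) + payload


def build_ref_as_non_null_module() -> bytes:
    """Well-formed module with one function:
    (func (result funcref) ref.null func ref.as_non_null)
    It validates (the (ref func) result is a subtype of funcref) and traps
    only if executed, so it is a clean baseline for the validator path."""
    functype = bytes([0x60]) + uleb128(0) + uleb128(1) + bytes([FUNCREF])
    type_sec = section(SEC_TYPE, uleb128(1) + functype)
    func_sec = section(SEC_FUNCTION, uleb128(1) + uleb128(0))
    body = uleb128(0) + bytes([OP_REF_NULL, FUNCREF, OP_REF_AS_NON_NULL, OP_END])
    code_sec = section(SEC_CODE, uleb128(1) + uleb128(len(body)) + body)
    return b"\0asm" + struct.pack("<I", 1) + type_sec + func_sec + code_sec


def walk_sections(data: bytes):
    """Yield (section_id, payload_offset, payload_size) for each section,
    rejecting sections whose declared size runs past the end of the file."""
    if data[:4] != b"\0asm" or struct.unpack("<I", data[4:8])[0] != 1:
        raise ValueError("not a wasm v1 binary")
    pos = 8
    while pos < len(data):
        sec_id = data[pos]
        size, pos = read_uleb128(data, pos + 1)
        if pos + size > len(data):
            raise ValueError(f"section {sec_id} overruns file at offset {pos}")
        yield sec_id, pos, size
        pos += size


def find_ref_as_non_null(data: bytes):
    """Return [(func_index, body_offset, [absolute offsets of 0xD4])] for
    every function body in the code section.

    This is a raw byte scan, not an instruction decoder: a 0xD4 inside an
    immediate is reported too, which is acceptable for narrowing a crash
    file down to candidate functions before minimising it by hand."""
    hits = []
    for sec_id, off, size in walk_sections(data):
        if sec_id != SEC_CODE:
            continue
        count, pos = read_uleb128(data, off)
        end = off + size
        for idx in range(count):
            body_size, pos = read_uleb128(data, pos)
            body_end = pos + body_size
            if body_end > end:
                raise ValueError(f"function {idx} body overruns code section")
            offsets = [i for i in range(pos, body_end) if data[i] == OP_REF_AS_NON_NULL]
            hits.append((idx, pos, offsets))
            pos = body_end
    return hits


if __name__ == "__main__":
    module = build_ref_as_non_null_module()
    with open("ref_as_non_null.wasm", "wb") as f:   # arbitrary file name
        f.write(module)
    for idx, off, offsets in find_ref_as_non_null(module):
        print(f"func {idx}: body at {off}, ref.as_non_null at {offsets}")
```

Feed the generated file to `wasm-interp --enable-all ref_as_non_null.wasm` to confirm the instruction is accepted on a correctly validating build, then run `find_ref_as_non_null` over the crash file to see which function bodies carry the opcode and where, which is where a hand minimisation of the `repro` input would start.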
