Skip to content

add validation of dynamic_offset #4563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

add validation of dynamic_offset #4563

wants to merge 6 commits into from

Conversation

Septa2112
Copy link
Contributor

In Fast-Interpreter mode, wasm_loader_pop_frame_offset does not validate dynamic_offset before performing calculations. This can lead to an potential unsigned integer underflow in certain cases, for example when cell_num_to_pop exceeds dynamic_offset:

wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c

Line 9869 in cbb6d03

ctx->dynamic_offset -= cell_num_to_pop;

This patch adds a validation step for dynamic_offset to prevent such cases and improve code robustness.

@lum1n0us lum1n0us added the bug-fix Determine if this PR addresses a bug. It will be used by scripts to classify PRs. label Aug 15, 2025
@kylo5aby
Copy link
Contributor

kylo5aby commented Sep 3, 2025

should also update mini loader part

@lum1n0us
Copy link
Collaborator

This issue concerns an unsigned integer underflow, such as (3-4), which is captured by the sanitizer. If there is no sanitizer, a subsequent checker will detect it and report an exception. Therefore, the malformed Wasm won't cause any problems during the instantiation and execution phases.

And according to Clang's Undefined Behavior Sanitizer documentation, including unsigned integer underflow in sanitizer options is more like asking the developer if this is intentional.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lum1n0us lum1n0us lum1n0us approved these changes

@loganek loganek Awaiting requested review from loganek loganek is a code owner

@no1wudi no1wudi Awaiting requested review from no1wudi no1wudi is a code owner

@TianlongLiang TianlongLiang Awaiting requested review from TianlongLiang TianlongLiang is a code owner

@wenyongh wenyongh Awaiting requested review from wenyongh wenyongh is a code owner

@xujuntwt95329 xujuntwt95329 Awaiting requested review from xujuntwt95329 xujuntwt95329 is a code owner

@yamt yamt Awaiting requested review from yamt yamt is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
bug-fix Determine if this PR addresses a bug. It will be used by scripts to classify PRs.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Septa2112 @kylo5aby @lum1n0us