Git Product home page Git Product logo

Comments (4)

kripken avatar kripken commented on June 9, 2024 1

SAFE_HEAP will integer overflow when checking pointers at the very end of the heap

The JS version of this looks ok, as it's on JS Numbers, so it's in 53 bits of precision:

emscripten/src/runtime_safe_heap.js

Line 46 in cb0d16c

if (dest + bytes > brk) abort(`segmentation fault, exceeded the top of the available dynamic heap when storing ${bytes} bytes to address ${dest}. DYNAMICTOP=${brk}`);

The wasm version emits stuff like this:

 (func $SAFE_HEAP_LOAD_i32_1_1 (param $0 i32) (param $1 i32) (result i32)
  (local $2 i32)
  (local.set $2
   (i32.add
    (local.get $0)
    (local.get $1)
   )
  )
  (if
   (i32.or
    (i32.eq
     (local.get $2)
     (i32.const 0)
    )
    (i32.gt_u
     (i32.add
      (local.get $2)
      (i32.const 1)
     )
     (i32.load
      (call $emscripten_get_sbrk_ptr)
     )
    )
   )
   (then
    (call $segfault)
   )
  )
  (i32.load8_s
   (local.get $2)
  )
 )

So that first add can indeed overflow, good catch. We need an extra check before that add, in Binaryen's SafeHeap pass.

from emscripten.

sbc100 avatar sbc100 commented on June 9, 2024

IIUC SAFE_HEAP always check based on your MAXIMUM_MEMORY setting? Are you running into this issue in your code? If so can you share what setting you using for INITIAL_MEMORY and MAXIMUM_MEMORY.

Presumably another solution to this would be use treat all address as unsigned (e.g. by doing >>> 0 prior to the check).

from emscripten.

sbc100 avatar sbc100 commented on June 9, 2024

It looks like we already treat address as unsigned in CAN_ADDRESS_2GB mode:

emscripten/src/runtime_safe_heap.js

Lines 28 to 30 in 0c47091

#if CAN_ADDRESS_2GB
dest >>>= 0;
#endif

Perhaps we should just make this unconditional?

I guess that means you are not in CAN_ADDRESS_2GB mode (i.e. you didn't specify a MAX or over 2gb)?

from emscripten.

sbc100 avatar sbc100 commented on June 9, 2024

Can you try this fix: #21560

from emscripten.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.