WebKit - WebAssembly Parsing Does not Correctly Check Section Order Vulnerability

When a WebAssembly binary is parsed in ModuleParser::parse, it is expected to contain certain sections in a certain order, but can also contain custom sections that can appear anywhere in the binary. The ordering check validateOrder() does not adequately check that sections are in the correct order when a binary contains custom sections.
 
static inline bool validateOrder(Section previous, Section next)
{
    if (previous == Section::Custom)
        return true;
    return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}
 
If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order.
 
The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44427.zip

#  0day.today [2018-04-12]  #