fix(tailcall): Fixes heap buffer overflow in fast interpreter (#4916)#4917
fix(tailcall): Fixes heap buffer overflow in fast interpreter (#4916)#4917srberard wants to merge 1 commit intobytecodealliance:mainfrom
Conversation
…dealliance#4916) Signed-off-by: Stephen Berard <stephen.berard@outlook.com>
There was a problem hiding this comment.
Pull request overview
Fixes the heap buffer overflow described in #4916 by adding a missing operand-stack bounds check to the fast-interp return_call (tail call) path, and adds a regression test case + CI build target to exercise tail calls in fast-interp.
Changes:
- Add operand stack overflow check in
call_func_from_return_callbefore copying staged tail-call parameters. - Add a regression test module (
tail_call_stack_overflow.wat/.wasm) reproducing the const-pool-size mismatch scenario. - Extend BA regression harness configuration and build script with a tail-call-enabled fast-interp runtime.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
core/iwasm/interpreter/wasm_interp_fast.c |
Adds missing bounds check in fast-interp tail-call parameter staging to prevent out-of-bounds writes. |
tests/regression/ba-issues/running_config.json |
Registers new regression case for issue #4916 using a tail-call-enabled runtime. |
tests/regression/ba-issues/issues/issue-4916/tail_call_stack_overflow.wat |
Adds readable source test that inflates callee const pool and tail-calls from a tiny caller. |
tests/regression/ba-issues/issues/issue-4916/tail_call_stack_overflow.wasm |
Adds compiled wasm artifact used by the regression harness. |
tests/regression/ba-issues/build_wamr.sh |
Builds an additional iwasm variant with fast-interp + tail-call enabled (WASI disabled). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| frame->lp = frame->operand + cur_func->const_cell_num; | ||
| if ((uint8 *)(frame->lp + cur_func->param_cell_num) | ||
| > exec_env->wasm_stack.top_boundary) { |
There was a problem hiding this comment.
In the tail-call path (call_func_from_return_call), frame->lp is computed using cur_func->const_cell_num unconditionally. For multi-module imports, cur_func->const_cell_num is zeroed during instantiation and the correct const offset comes from cur_func->import_func_inst->const_cell_num (as already handled in the non-tail call path at call_func_from_interp). This can misplace staged parameters for return_call to an imported wasm function instance (params can be overwritten by the callee const init / read from the wrong offset). Consider mirroring the WASM_ENABLE_MULTI_MODULE import handling here when setting frame->lp and when performing the overflow check.
Fixes #4916 and adds case to regression tests.