Several days ago, I found a small bug in cleos. I submitted a report on HackerOne to see whether I could get lucky, and today they responded saying that they had already found that bug. So I think it's OK if I write a post about it; anyway, it's not a big bug.

The problem is here.

eos/libraries/wasm-jit/Source/WAST/Lexer.cpp line 283

while(!isRecoveryPointChar(*nextChar)) { ++nextChar; }

The loop has no bound. It only stops when *nextChar is a recovery-point character; if no such character occurs between nextChar and the end of the input (a NUL terminator does not stop it either), the pointer keeps advancing past the end of the buffer and eventually dereferences an address that isn't mapped, and the process dies with SIGSEGV. It is an out-of-bounds read, not a write, so what you get is a crash of whoever parses an untrusted .wast file rather than a memory-corruption primitive, which is why it's not a big bug. So I flipped one bit at the end of the .wast file and it crashed.

(I changed how cleos reads in the .wast for fuzzing, but it's the same for the normal cleos command.)
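The unbounded loop side by side with a bounded version, as an added example that is not code from eos or the WAVM lexer. The recovery-point set (whitespace and parentheses), the module text and the bit flip are all assumptions constructed here to mirror the post; the real isRecoveryPointChar in Lexer.cpp is not quoted above and may differ. check_scan answers "would the unbounded loop run off the end of this buffer?" by running the bounded scan instead, so the example itself never performs the out-of-bounds read.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed recovery-point set: whitespace and parentheses, i.e. the
 * characters a WAST lexer could resync on after a bad token. The exact
 * set used by the real Lexer.cpp is not shown in the post. */
static bool is_recovery_point_char(char c)
{
    switch (c) {
    case ' ': case '\t': case '\r': case '\n': case '(': case ')':
        return true;
    default:
        return false;
    }
}

/* The pattern quoted in the post: advance until a recovery-point char.
 * Nothing stops the pointer at the end of the input, and '\0' is not a
 * recovery char, so if no such char follows p the read keeps going until
 * it touches an unmapped page. Only safe when a recovery char is known
 * to exist ahead of p. */
static const char *skip_to_recovery_unbounded(const char *p)
{
    while (!is_recovery_point_char(*p)) { ++p; }
    return p;
}

/* Hardened form: also stop at `end` (one past the last byte). Returning
 * `end` lets the caller treat "no recovery point left" as the end of
 * lexing instead of reading on. */
static const char *skip_to_recovery_bounded(const char *p, const char *end)
{
    while (p < end && !is_recovery_point_char(*p)) { ++p; }
    return p;
}

typedef struct {
    bool   overruns;   /* true if the unbounded loop would read past end */
    size_t consumed;   /* bytes skipped before stopping */
} scan_result;

/* Ask what the unbounded loop would do on buf[start..len) without
 * triggering the out-of-bounds read: if the bounded scan reaches `end`
 * without finding a recovery char, the unbounded one would overrun. */
static scan_result check_scan(const char *buf, size_t len, size_t start)
{
    const char *begin = buf + start;
    const char *end   = buf + len;
    const char *stop  = skip_to_recovery_bounded(begin, end);
    scan_result r = { stop == end, (size_t)(stop - begin) };
    return r;
}

/* Model of AFL's flip1 mutation: flip a single bit of byte `pos`. */
static void flip_bit(char *buf, size_t pos, unsigned bit)
{
    buf[pos] ^= (char)(1u << bit);
}

int main(void)
{
    /* Constructed input, not a real contract: a minimal module. */
    char good[] = "(module)";
    size_t len = strlen(good);

    scan_result ok = check_scan(good, len, 1);           /* start at 'm' */
    printf("intact:  overruns=%d consumed=%zu\n", ok.overruns, ok.consumed);

    /* Corrupt the closing paren: ')' is 0x29, flipping bit 4 gives '9'.
     * Now nothing after 'm' is a recovery point. */
    char bad[sizeof good];
    memcpy(bad, good, sizeof good);
    flip_bit(bad, len - 1, 4);
    scan_result crash = check_scan(bad, len, 1);
    printf("flipped: overruns=%d consumed=%zu\n", crash.overruns, crash.consumed);
    return 0;
}
```

On the intact module the scan stops at the closing parenthesis; after the one-bit flip the bounded scan reports that it hit the end of the buffer, which is exactly the case in which the original loop keeps reading. The fix the bounded version shows is a length check, the same thing a lexer gets by carrying an end pointer alongside nextChar.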

sam@hero:~/Documents/eos/build/contracts/afl_out/crashes$ ../../../programs/cleos/cleos_1 set contract samhero ../../tic_tac_toe/ id:000000\,sig:11\,src:000000\,op:flip1\,pos:146417 
argv[5]: id:000000,sig:11,src:000000,op:flip1,pos:146417
Reading WAST/WASM from id:000000,sig:11,src:000000,op:flip1,pos:146417...
Assembling WASM...
Segmentation fault

Hope I can find a big bug one day.