Several days ago, I found a small bug in cleos. I submitted a report on HackerOne to see whether I could have some luck. And today they responded, saying that they had already found that bug. So I think it's ok if I write a post about it; anyway, it's not a big bug.

The problem is here.

eos/libraries/wasm-jit/Source/WAST/Lexer.cpp, line 283:

while(!isRecoveryPointChar(*nextChar)) { ++nextChar; }

So if nextChar never meets a recovery-point character, isRecoveryPointChar() keeps returning false, the pointer keeps incrementing past the end of the buffer and eventually reaches a memory address that can't be read. So I flipped one bit at the end of the .wast file and it crashed.
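As an added example (not code from eos or WAVM): the same scan with a bound on the end of the buffer, using an assumed recovery-point set that may differ from the real one in Lexer.cpp, run against a constructed well-formed fragment and a fragment whose last token is cut short, the kind of input a flipped bit near the end of a file can produce.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <string_view>

// Assumed recovery-point set (whitespace and parentheses); the real set in
// Lexer.cpp may differ. If '\0' is not in the set, a NUL terminator does not
// stop the scan either, so the bound below must come from the buffer length.
static bool isRecoveryPointChar(char c) {
    switch (c) {
    case ' ': case '\t': case '\r': case '\n': case '\f':
    case '(': case ')':
        return true;
    default:
        return false;
    }
}

// Original shape of the scan (shown for comparison only, never called here):
//   while(!isRecoveryPointChar(*nextChar)) { ++nextChar; }
// With no recovery point left in the buffer, nextChar walks off its end.

// Hardened scan: never advances past `end`. Returns the offset of the first
// recovery-point character at or after `pos`, or input.size() if none exists.
static size_t skipToRecoveryPoint(std::string_view input, size_t pos) {
    const char* nextChar = input.data() + pos;
    const char* end = input.data() + input.size();
    while (nextChar < end && !isRecoveryPointChar(*nextChar)) { ++nextChar; }
    return static_cast<size_t>(nextChar - input.data());
}

// Constructed inputs: a well-formed fragment, and one whose final token has
// no recovery point after it (what a bit flip at the end of a file can yield).
static const std::string kNormal = "(module (func $f))";
static const std::string kTruncated = "(module (func $f";

// The truncated input has nothing after "$f", so the hardened scan stops
// exactly at the end of the buffer instead of reading past it.
static bool truncatedScanStaysInBounds() {
    size_t stop = skipToRecoveryPoint(kTruncated, kTruncated.find("$f"));
    return stop == kTruncated.size();
}
```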

Crash:
(I changed how cleos reads in the wast for fuzzing, but it's the same for the normal cleos command.)

sam@hero:~/Documents/eos/build/contracts/afl_out/crashes$ ../../../programs/cleos/cleos_1 set contract samhero ../../tic_tac_toe/ id:000000\,sig:11\,src:000000\,op:flip1\,pos:146417 
argv[5]: id:000000,sig:11,src:000000,op:flip1,pos:146417
Reading WAST/WASM from id:000000,sig:11,src:000000,op:flip1,pos:146417...
Assembling WASM...
Segmentation fault

Hope I can find a big bug one day.