libc-wasi: add missing pointer validations to socket functions (#4611) (#4665)

* libc-wasi: add missing pointer validations to socket functions (#4611) cf. https://github.com/bytecodealliance/wasm-micro-runtime/issues/4463 the fix for sock_addr_resolve is incomplete. cf. https://github.com/bytecodealliance/wasm-micro-runtime/issues/4610 * Sync from main branch - wasi_sock_recv doesn't use src_addr - check src_addr before coverting * CI: use windows-2022 image for now (#4633) github is currently rolling out windows-2025 image. for some reasons, the "path_symlink_trailing_slashes" test case in wasi testsuite fails on windows-2025 image. someone familar with windows need to investigate what was the key difference between 2022 and 2025. until that happens, this commit makes our CI use windows-2022 image. cf. https://github.com/bytecodealliance/wasm-micro-runtime/issues/4632 https://github.com/actions/runner-images/issues/12677 --------- Co-authored-by: YAMAMOTO Takashi <yamamoto@midokura.com>
2025-10-14 09:29:30 +08:00
parent 6450d87299
commit 8bd6794de6
7 changed files with 58 additions and 19 deletions
--- a/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
+++ b/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
@ -1161,6 +1161,9 @@ wasi_sock_accept(wasm_exec_env_t exec_env, wasi_fd_t fd, wasi_fdflags_t flags,
    if (!wasi_ctx)
        return __WASI_EACCES;

+    if (!validate_native_addr(fd_new, sizeof(*fd_new)))
+        return __WASI_EINVAL;
+
    curfds = wasi_ctx_get_curfds(wasi_ctx);

    return wasi_ssp_sock_accept(exec_env, curfds, fd, flags, fd_new);
@ -1219,6 +1222,19 @@ wasi_sock_addr_resolve(wasm_exec_env_t exec_env, const char *host,
    if (!wasi_ctx)
        return __WASI_EACCES;

+    if (!validate_native_addr(hints, sizeof(*hints)))
+        return __WASI_EINVAL;
+
+    uint64_t addr_info_byte_size = sizeof(*addr_info) * addr_info_size;
+    if (addr_info_byte_size / addr_info_size != sizeof(*addr_info))
+        return __WASI_EINVAL;
+
+    if (!validate_native_addr(addr_info, addr_info_byte_size))
+        return __WASI_EINVAL;
+
+    if (!validate_native_addr(max_info_size, sizeof(*max_info_size)))
+        return __WASI_EINVAL;
+
    curfds = wasi_ctx_get_curfds(wasi_ctx);
    ns_lookup_list = wasi_ctx_get_ns_lookup_list(wasi_ctx);

@ -1238,6 +1254,9 @@ wasi_sock_bind(wasm_exec_env_t exec_env, wasi_fd_t fd, wasi_addr_t *addr)
    if (!wasi_ctx)
        return __WASI_EACCES;

+    if (!validate_native_addr(addr, sizeof(*addr)))
+        return __WASI_EINVAL;
+
    curfds = wasi_ctx_get_curfds(wasi_ctx);
    addr_pool = wasi_ctx_get_addr_pool(wasi_ctx);

@ -1264,6 +1283,9 @@ wasi_sock_connect(wasm_exec_env_t exec_env, wasi_fd_t fd, wasi_addr_t *addr)
    if (!wasi_ctx)
        return __WASI_EACCES;

+    if (!validate_native_addr(addr, sizeof(*addr)))
+        return __WASI_EINVAL;
+
    curfds = wasi_ctx_get_curfds(wasi_ctx);
    addr_pool = wasi_ctx_get_addr_pool(wasi_ctx);

@ -1643,6 +1665,9 @@ wasi_sock_open(wasm_exec_env_t exec_env, wasi_fd_t poolfd,
    if (!wasi_ctx)
        return __WASI_EACCES;

+    if (!validate_native_addr(sockfd, sizeof(*sockfd)))
+        return __WASI_EINVAL;
+
    curfds = wasi_ctx_get_curfds(wasi_ctx);

    return wasi_ssp_sock_open(exec_env, curfds, poolfd, af, socktype, sockfd);
@ -2082,6 +2107,10 @@ wasi_sock_recv_from(wasm_exec_env_t exec_env, wasi_fd_t sock,
        return __WASI_EINVAL;
    }

+    /* note: src_addr is NULL when called by wasi_sock_recv */
+    if (src_addr != NULL && !validate_native_addr(src_addr, sizeof(*src_addr)))
+        return __WASI_EINVAL;
+
    if (!validate_native_addr(ro_data_len, (uint64)sizeof(uint32)))
        return __WASI_EINVAL;

@ -2118,16 +2147,19 @@ wasi_sock_recv(wasm_exec_env_t exec_env, wasi_fd_t sock, iovec_app_t *ri_data,
               wasi_roflags_t *ro_flags)
 {
    wasm_module_inst_t module_inst = get_module_inst(exec_env);
-    __wasi_addr_t src_addr;
    wasi_errno_t error;

+    if (!validate_native_addr(ro_data_len, sizeof(*ro_data_len)))
+        return __WASI_EINVAL;
+
    if (!validate_native_addr(ro_flags, (uint64)sizeof(wasi_roflags_t)))
        return __WASI_EINVAL;

+    // We call `recvfrom` with NULL source address as `recv` doesn't
+    // return the source address and this parameter is not used.
+    *ro_data_len = 0;
    error = wasi_sock_recv_from(exec_env, sock, ri_data, ri_data_len, ri_flags,
-                                &src_addr, ro_data_len);
-    *ro_flags = ri_flags;
-
+                                NULL, ro_data_len);
    return error;
 }

@ -2228,6 +2260,9 @@ wasi_sock_send_to(wasm_exec_env_t exec_env, wasi_fd_t sock,
        return __WASI_EINVAL;
    }

+    if (!validate_native_addr((void *)dest_addr, sizeof(*dest_addr)))
+        return __WASI_EINVAL;
+
    if (!validate_native_addr(so_data_len, (uint64)sizeof(uint32)))
        return __WASI_EINVAL;

--- a/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c
+++ b/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c
@ -2854,7 +2854,11 @@ wasmtime_ssp_sock_recv_from(wasm_exec_env_t exec_env, struct fd_table *curfds,
        return convert_errno(errno);
    }

-    bh_sockaddr_to_wasi_addr(&sockaddr, src_addr);
+    // If the source address is not NULL, we need to convert the sockaddr
+    // back to __wasi_addr_t format.
+    if (src_addr != NULL) {
+        bh_sockaddr_to_wasi_addr(&sockaddr, src_addr);
+    }

    *recv_len = (size_t)ret;
    return __WASI_ESUCCESS;