CVE-2023-30624: Merge pull request from GHSA-ch89-5g45-qwc7 · bytecodealliance/wasmtime@0977952

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime’s implementation of per-instance state management, such as tables and memories, contains LLVM-level undefined behavior. When compiled with LLVM 16 this undefined behavior was found to cause runtime-level issues: some writes that are critical for correctness are optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70 (in beta at the time of the advisory) or later are known to contain incorrectly compiled functions. Versions compiled with the then-current stable release, Rust 1.69, or earlier are not known to have any issues, but could theoretically be affected.

The underlying problem is that Wasmtime’s runtime state for an instance is a Rust-defined structure called Instance followed, in the same allocation, by a trailing VMContext structure. This VMContext has a runtime-defined layout that is unique per module. That representation cannot be expressed in safe Rust, so unsafe code is required to maintain this state. The code doing so, however, has methods that take &self as an argument yet modify data in the VMContext part of the allocation, meaning that pointers derived from &self are written through. In Rust this is not allowed except in the presence of UnsafeCell. When compiled to LLVM, these &self parameters are marked noalias readonly, so writing through pointers derived from them is undefined behavior and the optimizer is free to delete those writes.

Wasmtime’s internal representation and management of VMContext has been updated to use &mut self methods where appropriate. Additionally, verification tools for unsafe Rust code such as cargo miri are planned to be run on the main branch soon, to find and fix any remaining Rust-level issues that future compiler versions might exploit.
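The layout and the fix the advisory describes, as a self-contained Rust sketch added here (this is not Wasmtime’s code): an Instance followed in the same allocation by a zero-sized VMContext marker whose trailing data is addressed by byte offset. The field names, the hard-coded VMOffsets values and the InstanceHandle allocator are this example’s own assumptions. vmctx_plus_offset hands out *const T from &self, and vmctx_plus_offset_mut hands out *mut T only from &mut self, mirroring the split the patch introduced; the pre-fix &self write is kept as an uncalled function for contrast, and charge_fuel shows the UnsafeCell route that legitimately mutates through &self. As the commit message itself notes, this &mut self discipline satisfies LLVM’s aliasing rules but not Miri’s model of the trailing region, so treat it as the temporary mitigation it is.

```rust
use std::alloc::{alloc_zeroed, dealloc, handle_alloc_error, Layout};
use std::cell::UnsafeCell;
use std::mem::{align_of, size_of};
use std::ptr::{addr_of, addr_of_mut};

/// Byte offsets inside the trailing region. Wasmtime computes these per module
/// at runtime; this example hard-codes them (assumption).
#[derive(Clone, Copy)]
struct VMOffsets {
    global: usize, // a u64 global written by guest-facing code
    fuel: usize,   // a u64 counter the host bumps through `&self`
    size: usize,   // total size of the trailing region
}

/// Zero-sized marker for the runtime-sized region that follows `Instance`.
#[repr(C, align(16))]
struct VMContext { _marker: [u8; 0] }

#[repr(C)]
struct Instance {
    offsets: VMOffsets,
    vmctx: VMContext, // last field: per-module data lives right after it
}

impl Instance {
    /// Read-only view derived from `&self`; nothing may be written through it.
    fn vmctx_plus_offset<T>(&self, offset: usize) -> *const T {
        assert!(offset + size_of::<T>() <= self.offsets.size, "offset out of range");
        unsafe { addr_of!(self.vmctx).cast::<u8>().add(offset).cast::<T>() }
    }

    /// Mutable view. Requiring `&mut self` is the fix: LLVM then sees a
    /// `noalias` parameter without `readonly`, so the store may not be dropped.
    fn vmctx_plus_offset_mut<T>(&mut self, offset: usize) -> *mut T {
        assert!(offset + size_of::<T>() <= self.offsets.size, "offset out of range");
        unsafe { addr_of_mut!(self.vmctx).cast::<u8>().add(offset).cast::<T>() }
    }

    fn global(&self) -> u64 { unsafe { *self.vmctx_plus_offset::<u64>(self.offsets.global) } }

    /// Post-fix form: the write demands `&mut self`, which propagates outward
    /// to every caller.
    fn set_global(&mut self, value: u64) {
        let off = self.offsets.global;
        unsafe { *self.vmctx_plus_offset_mut::<u64>(off) = value }
    }

    /// Pre-fix form, kept only for contrast and never called: a store through
    /// a pointer derived from `&self` is UB, and LLVM 16 may delete it.
    #[allow(dead_code)]
    fn set_global_unsound(&self, value: u64) {
        let p = self.vmctx_plus_offset::<u64>(self.offsets.global) as *mut u64;
        unsafe { *p = value } // UB: `self` is `noalias readonly`
    }

    /// The sanctioned way to mutate through `&self`: the field is an
    /// `UnsafeCell`, whose `get()` yields a pointer that may be written.
    fn charge_fuel(&self, amount: u64) -> u64 {
        let cell = unsafe { &*self.vmctx_plus_offset::<UnsafeCell<u64>>(self.offsets.fuel) };
        let p = cell.get();
        unsafe { *p += amount; *p }
    }
}

/// Owns the single allocation holding `Instance` plus its trailing region.
struct InstanceHandle { ptr: *mut Instance, layout: Layout }

impl InstanceHandle {
    fn new(offsets: VMOffsets) -> Self {
        let layout = Layout::from_size_align(size_of::<Instance>() + offsets.size, align_of::<Instance>())
            .expect("valid layout");
        unsafe {
            let ptr = alloc_zeroed(layout).cast::<Instance>();
            if ptr.is_null() { handle_alloc_error(layout) }
            ptr.write(Instance { offsets, vmctx: VMContext { _marker: [] } });
            InstanceHandle { ptr, layout }
        }
    }
    fn instance(&self) -> &Instance { unsafe { &*self.ptr } }
    fn instance_mut(&mut self) -> &mut Instance { unsafe { &mut *self.ptr } }
}

impl Drop for InstanceHandle {
    fn drop(&mut self) { unsafe { dealloc(self.ptr.cast::<u8>(), self.layout) } }
}

/// Exercises both mutation paths; returns (global, fuel) after the writes.
fn demo() -> (u64, u64) {
    let mut handle = InstanceHandle::new(VMOffsets { global: 0, fuel: 8, size: 16 });
    handle.instance_mut().set_global(42);
    let inst = handle.instance();
    inst.charge_fuel(5);
    let fuel = inst.charge_fuel(7);
    (inst.global(), fuel)
}

fn main() {
    println!("{:?}", demo());
}
```

Running the file prints the (global, fuel) pair after the writes. The compile-time effect of the split is the useful part: once vmctx_plus_offset returns *const T, a plain `*ptr = value` through it is a type error, which is how the patch surfaced every mutating call site and forced it onto the &mut self path.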

Precompiled binaries available for Wasmtime from GitHub releases have been built with at most LLVM 15 and so are not known to be vulnerable. As mentioned above, however, updating is still recommended.

Wasmtime versions 6.0.2, 7.0.1, and 8.0.1 have been issued; they contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. If Wasmtime is compiled with Rust 1.69 or earlier, which use LLVM 15, there are no known issues. Because the undefined behavior could theoretically still be exploited by the optimizer, however, users are recommended to upgrade to a patched version. Users on beta Rust (1.70 at the time of the advisory) or nightly Rust (1.71 at the time) must update to a patched version for Wasmtime to work correctly.


* Fix miscompile from functions mutating `VMContext`

This commit fixes a miscompilation in Wasmtime on LLVM 16 where methods on `Instance` which mutated the state of the internal `VMContext` were optimized to not actually mutate the state. The root cause of this issue is a change in LLVM which takes advantage of `noalias readonly` pointers which is how `&self` methods are translated. This means that `Instance` methods which take `&self` but actually mutate the `VMContext` end up being undefined behavior from LLVM’s point of view, meaning that the writes are candidates for removal.

The fix applied here is intended to be a temporary one while a more formal fix, ideally backed by `cargo miri` verification, is implemented on `main`. The fix here is to change the return value of `vmctx_plus_offset` to return `*const T` instead of `*mut T`. This caused lots of portions of the runtime code to stop compiling because mutations were indeed happening. To cover these a new `vmctx_plus_offset_mut` method was added which notably takes `&mut self` instead of `&self`. This forced all callers which may mutate to reflect the `&mut self` requirement, propagating that outwards.

This fixes the miscompilation with LLVM 16 in the immediate future and should be at least a meager line of defense against issues like this in the future. This is not a long-term fix, though, since `cargo miri` still does not like what’s being done in `Instance` and with `VMContext`. That fix is likely to be more invasive, though, so it’s being deferred to later.

* Update release notes

* Fix dates and fill out more notes


Related news

GHSA-ch89-5g45-qwc7: Undefined Behavior in Rust runtime functions

### Impact Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues. The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. This `VMContext` structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so `unsafe` code is required to maintai...
