Headline
CVE-2021-32629: Merge pull request from GHSA-hpqh-2wqx-7qp5 · bytecodealliance/wasmtime@95559c0
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is still i32, and the spill/reload reconstitutes those bits as the sign extension of the i32’s MSB. The issue would thus occur when: * An i32 value in a Wasm program is greater than or equal to 0x8000_0000; * The value is spilled and reloaded by the register allocator due to high register pressure in the program between the value’s definition and its use; * The value is produced by an instruction that we know to be “special� in that it zeroes the upper 32 bits of its destination: add, sub, mul, and, or; * The value is then zero-extended to 64 bits in the Wasm program; * The resulting 64-bit value is used. Under these circumstances there is a potential sandbox escape when the i32 value is a pointer. The usual code emitted for heap accesses zero-extends the Wasm heap address, adds it to a 64-bit heap base, and accesses the resulting address. If the zero-extend becomes a sign-extend, the program could reach backward and access memory up to 2GiB before the start of its heap. In addition to assessing the nature of the code generation bug in Cranelift, we have also determined that under specific circumstances, both Lucet and Wasmtime using this version of Cranelift may be exploitable. See referenced GitHub Advisory for more details.
@@ -4,19 +4,88 @@
Unreleased
0.27.0
Released 2021-05-21.
Security Fixes
* Fixed a security issue in Cranelift’s x64 backend that could result in a heap sandbox escape due to an incorrect sign-extension: [#2913](https://github.com/bytecodealliance/wasmtime/issues/2913).
Added
* Support for IBM z/Archiecture (`s390x`) machines in Cranelift and Wasmtime: [#2836](https://github.com/bytecodealliance/wasmtime/pull/2836), [#2837](https://github.com/bytecodealliance/wasmtime/pull/2837), [#2838](https://github.com/bytecodealliance/wasmtime/pull/2838), [#2843](https://github.com/bytecodealliance/wasmtime/pull/2843), [#2854](https://github.com/bytecodealliance/wasmtime/pull/2854), [#2870](https://github.com/bytecodealliance/wasmtime/pull/2870), [#2871](https://github.com/bytecodealliance/wasmtime/pull/2871), [#2872](https://github.com/bytecodealliance/wasmtime/pull/2872), [#2874](https://github.com/bytecodealliance/wasmtime/pull/2874).
* Improved async support in wasi-common runtime: [#2832](https://github.com/bytecodealliance/wasmtime/pull/2832).
* Added `Store::with_limits`, `StoreLimits`, and `ResourceLimiter` to the Wasmtime API to help with enforcing resource limits at runtime. The `ResourceLimiter` trait can be implemented by custom resource limiters to decide if linear memories or tables can be grown.
* Added `allow-unknown-exports` option for the run command: [#2879](https://github.com/bytecodealliance/wasmtime/pull/2879).
* Added API to notify that a `Store` has moved to a new thread: [#2822](https://github.com/bytecodealliance/wasmtime/pull/2822).
* Documented guidance around using Wasmtime in multithreaded contexts: [#2812](https://github.com/bytecodealliance/wasmtime/pull/2812). In the future, the Wasmtime API will change to allow some of its core types to be Send/Sync; see the in-progress [#2897](https://github.com/bytecodealliance/wasmtime/pull/2897) for details.
* Support calls from native code to multiple-return-value functions: [#2806](https://github.com/bytecodealliance/wasmtime/pull/2806).
Changed
* Breaking: `Memory::new` has been changed to return `Result` as creating a host memory object is now a fallible operation when the initial size of the memory exceeds the store limits.
Fixed
* Many instruction selection improvements on x64 and aarch64: [#2819](https://github.com/bytecodealliance/wasmtime/pull/2819), [#2828](https://github.com/bytecodealliance/wasmtime/pull/2828), [#2823](https://github.com/bytecodealliance/wasmtime/pull/2823), [#2862](https://github.com/bytecodealliance/wasmtime/pull/2862), [#2886](https://github.com/bytecodealliance/wasmtime/pull/2886), [#2889](https://github.com/bytecodealliance/wasmtime/pull/2889), [#2905](https://github.com/bytecodealliance/wasmtime/pull/2905).
* Improved performance of Wasmtime runtime substantially: [#2811](https://github.com/bytecodealliance/wasmtime/pull/2811), [#2818](https://github.com/bytecodealliance/wasmtime/pull/2818), [#2821](https://github.com/bytecodealliance/wasmtime/pull/2821), [#2847](https://github.com/bytecodealliance/wasmtime/pull/2847), [#2900](https://github.com/bytecodealliance/wasmtime/pull/2900).
* Fixed WASI issue with file metadata on Windows: [#2884](https://github.com/bytecodealliance/wasmtime/pull/2884).
* Fixed an issue with debug info and an underflowing (trapping) offset: [#2866](https://github.com/bytecodealliance/wasmtime/pull/2866).
* Fixed an issue with unwind information in the old x86 backend: [#2845](https://github.com/bytecodealliance/wasmtime/pull/2845).
* Fixed i32 spilling in x64 backend: [#2840](https://github.com/bytecodealliance/wasmtime/pull/2840).
0.26.0
Released 2021-04-05.
Related news
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dep...