Headline
GHSA-h84q-m8rr-3v9q: wasmtime_trap_code C API function has out of bounds write vulnerability
Package
cargo wasmtime (Rust)
Affected versions
>= 2.0.0, < 2.0.2
< 1.0.2
Patched versions
2.0.2
1.0.2
Description
Impact
There is a bug in Wasmtime’s C API implementation where the definition of the wasmtime_trap_code function does not match its declared signature in the wasmtime/trap.h header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller.
Patches
This bug has been patched and users should upgrade to Wasmtime 2.0.2.
Workarounds
This can be worked around by providing a 4-byte buffer cast to a 1-byte buffer when calling wasmtime_trap_code. Users of the wasmtime crate are not affected by this issue; only users of the C API function wasmtime_trap_code are affected.
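The workaround above, as an added example (not code from the advisory or from the Wasmtime project). `buggy_trap_code` is a hypothetical stand-in that reproduces the 4-byte store described under Impact so the block runs without Wasmtime; the type name, function names and the 0xAA sentinel are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t trap_code_t; /* assumed name for the 1-byte code type */

/* Hypothetical stand-in for the affected implementation (not Wasmtime code):
 * the caller passes a pointer to 1 byte, but 4 bytes are stored through it,
 * the code followed by three zero bytes, as the advisory describes. */
static bool buggy_trap_code(uint8_t trap_kind, trap_code_t *code) {
    code[0] = trap_kind;
    code[1] = 0;
    code[2] = 0;
    code[3] = 0;
    return true;
}

/* Caller that follows the header: only region[0] is meant to be written.
 * region[1..3] model whatever lives next to the 1-byte variable.
 * Returns how many of those neighbouring bytes were overwritten. */
int neighbours_clobbered(void) {
    uint8_t region[4] = {0xAA, 0xAA, 0xAA, 0xAA}; /* constructed sentinel */
    buggy_trap_code(2, &region[0]);
    int n = 0;
    for (int i = 1; i < 4; i++)
        if (region[i] != 0xAA) n++;
    return n;
}

/* Workaround from the advisory: back the call with 4 bytes of storage, pass
 * it as a pointer to the 1-byte type, and read only the first byte. This
 * stays correct once the library stores a single byte. */
trap_code_t trap_code_with_workaround(uint8_t trap_kind) {
    uint32_t scratch = 0;                      /* 4 bytes, owned by the caller */
    trap_code_t *code = (trap_code_t *)&scratch;
    buggy_trap_code(trap_kind, code);
    return code[0];
}

int main(void) {
    printf("neighbouring bytes overwritten: %d\n", neighbours_clobbered());
    printf("code read via workaround: %u\n",
           (unsigned)trap_code_with_workaround(2));
    return 0;
}
```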
References
- Definition of wasmtime_trap_code
- Mailing list announcement
- Patch to fix for main branch
For more information
If you have any questions or comments about this advisory:
- Reach out to us on the Bytecode Alliance Zulip chat
- Open an issue in the bytecodealliance/wasmtime repository
References
- GHSA-h84q-m8rr-3v9q
- https://nvd.nist.gov/vuln/detail/CVE-2022-39394
- bytecodealliance/wasmtime@087d9d7
- bytecodealliance/wasmtime@5b6d5e7
- https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/c1HBDDJwNPA
alexcrichton published to bytecodealliance/wasmtime
Nov 10, 2022
Published by the National Vulnerability Database
Nov 10, 2022
Published to the GitHub Advisory Database
Feb 1, 2024
Reviewed
Feb 1, 2024
Last updated
Feb 1, 2024
Related news
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` function does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by providing a 4-byte buffer cast to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue; only users of the C API function `wasmtime_trap_code` are affected.