// For flags

CVE-2021-39218

Out-of-bounds read/write and invalid free with `externref`s and GC safepoints in Wasmtime

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `externref`s, the host creates non-null `externrefs`, Wasmtime performs a garbage collection (GC), and there has to be a Wasm frame on the stack that is at a GC safepoint where there are no live references at this safepoint, and there is a safepoint with live references earlier in this frame's function. Under this scenario, Wasmtime would incorrectly use the GC stack map for the safepoint from earlier in the function instead of the empty safepoint. This would result in Wasmtime treating arbitrary stack slots as `externref`s that needed to be rooted for GC. At the *next* GC, it would be determined that nothing was referencing these bogus `externref`s (because nothing could ever reference them, because they are not really `externref`s) and then Wasmtime would deallocate them and run `<ExternRef as Drop>::drop` on them. This results in a free of memory that is not necessarily on the heap (and shouldn't be freed at this moment even if it was), as well as potential out-of-bounds reads and writes. Even though support for `externref`s (via the reference types proposal) is enabled by default, unless you are creating non-null `externref`s in your host code or explicitly triggering GCs, you cannot be affected by this bug. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. This bug has been patched and users should upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime at this time, you can avoid this bug by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types`.

Wasmtime es un runtime de código abierto para WebAssembly y WASI. En Wasmtime desde la versión 0.26.0 y versiones anteriores a 0.30.0, está afectado por una vulnerabilidad por falta de memoria. Se presentaba un error de lectura y escritura no válida y fuera de límites cuando se ejecutaba Wasm que usa "externref"s en Wasmtime. Para desencadenar este fallo, Wasmtime necesita estar ejecutando Wasm que usa "externref"s, el host crea "externrefs" no nulos, Wasmtime lleva a cabo una recolección de basura (GC), y tiene que presentar un marco Wasm en la pila que está en un punto de seguridad de GC donde no hay referencias vivas en este punto de seguridad, y presenta un punto de seguridad con referencias vivas antes en la función de este marco. Bajo este escenario, Wasmtime usaría incorrectamente el mapa de pila de la GC para el punto de seguridad de antes en la función en lugar del punto de seguridad vacío. Esto resultaría en que Wasmtime tratara ranuras de pila arbitrarias como "externref"s que debían ser enraizadas para la GC. En la *next* GC, se determinaría que nada hacía referencia a estas falsas "externref"s (porque nada podría hacer referencia a ellas, ya que no son realmente "externref"s) y entonces Wasmtime las desasignaría y ejecutaría "(ExternRef as Drop)::drop" sobre ellas. Esto resulta en una liberación de memoria que no está necesariamente en la pila (y no debería ser liberada en este momento incluso si lo estuviera), así como potenciales lecturas y escrituras fuera de límites. Aunque el soporte para "externref"s (por medio de la propuesta de tipos de referencia) está habilitado por defecto, a menos que estés creando "externref"s no nulos en tu código anfitrión o activando explícitamente GCs, no puedes ser afectado por este error. Tenemos razones para creer que el impacto efectivo de este bug es relativamente pequeño porque el uso de "externref" es actualmente bastante raro. Este bug ha sido parcheado y los usuarios deberían actualizar a la versión 0.30.0 de Wasmtime. Si no puedes actualizar Wasmtime en este momento, puedes evitar este bug al desactivar la propuesta de tipos de referencia pasando "false" a "wasmtime::Config::wasm_reference_types"

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-09-17 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-590: Free of Memory not on the Heap
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Bytecodealliance
Search vendor "Bytecodealliance"
Wasmtime
Search vendor "Bytecodealliance" for product "Wasmtime"
>= 0.26.0 < 0.30.0
Search vendor "Bytecodealliance" for product "Wasmtime" and version " >= 0.26.0 < 0.30.0"
rust
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected