CVE-2022-24791
Use after free in Wasmtime
Descriptions
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default), then you are not affected. If you are explicitly disabling the Wasm reference types proposal (it is enabled by default), then you are also not affected.

The use after free is caused by Cranelift failing to emit stack maps when there are safepoints inside cold blocks. Cold blocks occur when epoch interruption is enabled. Cold blocks are emitted at the end of compiled functions, which changes the order in which blocks are emitted versus the order in which they are defined. This reordering accidentally caused Cranelift to skip emitting some stack maps, because it expected to emit the stack maps in block definition order rather than block emission order. When Wasmtime would eventually collect garbage, it would fail to find live references on the stack because of the missing stack maps, treat them as unreferenced garbage, and therefore reclaim them. After the collection ended, the Wasm code could still use the reclaimed-too-early references, which is a use after free.

Patches have been released in versions 0.34.2 and 0.35.2, which fix the vulnerability. All Wasmtime users are recommended to upgrade to these patched versions. If upgrading is not an option for you at this time, you can avoid the vulnerability by either disabling the Wasm reference types proposal (`config.wasm_reference_types(false)`) or disabling epoch interruption if you were previously enabling it (`config.epoch_interruption(false)`).
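As an added example that is not part of this record or of Wasmtime's own code, the following Rust check encodes the advisory's exposure conditions: a build in one of the affected version ranges combined with both reference types and epoch interruption enabled. The `Version`, `WasmtimeSettings`, `is_exposed` and `mitigate` names are assumptions made here; the real Wasmtime settings are the `config.wasm_reference_types` and `config.epoch_interruption` calls named in the description.

```rust
// Added example for CVE-2022-24791 (hypothetical helper, not Wasmtime code).
// Version ranges and feature conditions are taken from the advisory text.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u32, pub u32, pub u32);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; returns None on malformed input.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u32>().ok());
        let v = Version(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() {
            return None; // more than three components
        }
        Some(v)
    }
}

/// The two runtime settings relevant to this CVE. Defaults mirror the
/// advisory: reference types on, epoch interruption off.
#[derive(Debug, Clone, Copy)]
pub struct WasmtimeSettings {
    pub reference_types: bool,    // config.wasm_reference_types(..)
    pub epoch_interruption: bool, // config.epoch_interruption(..)
}

impl Default for WasmtimeSettings {
    fn default() -> Self {
        WasmtimeSettings { reference_types: true, epoch_interruption: false }
    }
}

/// Affected builds: 0.34.0 <= v < 0.34.2 or 0.35.0 <= v < 0.35.2.
pub fn version_vulnerable(v: Version) -> bool {
    (Version(0, 34, 0) <= v && v < Version(0, 34, 2))
        || (Version(0, 35, 0) <= v && v < Version(0, 35, 2))
}

/// Exposure needs a vulnerable build AND externref support (reference
/// types) AND epoch interruption, which is what creates the cold blocks.
pub fn is_exposed(v: Version, s: WasmtimeSettings) -> bool {
    version_vulnerable(v) && s.reference_types && s.epoch_interruption
}

/// Workaround from the advisory when upgrading is not possible: turn off
/// one of the two features (here, epoch interruption).
pub fn mitigate(mut s: WasmtimeSettings) -> WasmtimeSettings {
    s.epoch_interruption = false;
    s
}
```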
Timeline
- 2022-02-10 CVE Reserved
- 2022-03-31 CVE Published
- 2023-10-22 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-416: Use After Free
References (2)
URL | Tag | Date
---|---|---
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gwc9-348x-qwv2 | Mitigation |
https://github.com/bytecodealliance/wasmtime/commit/666c2554ea0e1728c35aa41178cf235920db888a | Fix commit | 2022-04-08
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Bytecodealliance | Wasmtime | >= 0.34.0 < 0.34.2 | rust | Affected
Bytecodealliance | Wasmtime | >= 0.35.0 < 0.35.2 | rust | Affected