CVE-2023-41880 in wasmtime

Summary

by MITRE • 09/15/2023

Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result. This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless. This issue was discovered through fuzzing of Wasmtime's code generator Cranelift. Wasmtime versions 10.0.2, 11.0.2, and 12.0.2 are all patched to no longer have this miscompilation. This issue only affects x86_64 hosts and the only workaround is to either scan for this pattern in wasm modules which is nontrivial or to disable the SIMD proposal for WebAssembly. Users prior to 10.0.0 are unaffected by this vulnerability.


Analysis

by VulDB Data Team • 10/12/2023

The vulnerability identified as CVE-2023-41880 affects the Wasmtime WebAssembly runtime, specifically versions from 10.0.0 up to 10.02, 11.0.2, and 12.0.1 on x86_64 platforms. It is a miscompilation in the Cranelift code generator, which translates WebAssembly instructions into machine code, and concerns the `i64x2.shr_s` instruction: the signed (arithmetic) right shift on a vector of two 64-bit integer lanes. The flaw manifests when the shift amount is a constant larger than 32, producing a deviation from the WebAssembly specification on x86_64 only; every other target is unaffected. The defect lies in the instruction-level lowering and optimization for x86_64: the low 32 bits of the second result lane are derived from the low 32 bits of the second input lane, whereas the specification requires them to be derived from the high 32 bits of that input lane. The issue aligns with CWE-682 (Incorrect Calculation) and shows how backend optimizations can introduce subtle but significant deviations from expected behavior.

The operational impact extends beyond isolated computational errors: any WebAssembly application that depends on precise vector arithmetic may silently compute wrong results. The vulnerability is not a sandbox escape or a memory-safety issue, but it undermines the correctness guarantees that WebAssembly programs expect from their execution environment. Any program using `i64x2.shr_s` with a constant shift amount larger than 32 is affected, which could include cryptographic implementations, multimedia processing, or scientific computing code that relies on precise bit manipulation. The bug was discovered through systematic fuzzing of the Cranelift code generator, which underlines the value of rigorous differential testing of compiler backends, where subtle errors can emerge from complex optimization passes. From an adversarial perspective, VulDB maps this vulnerability to ATT&CK technique T1059.007; the incorrect results could potentially be used to cause subtle denial-of-service conditions or wrong computations that serve as a building block in more sophisticated attacks.

Mitigation consists of upgrading to a patched Wasmtime release (10.0.2, 11.0.2, or 12.0.2); these releases correct the code generation logic and eliminate the miscompilation. Where upgrading is not immediately possible, the workarounds are to disable the SIMD proposal for WebAssembly, which removes the affected instruction set from execution entirely, or to scan WebAssembly modules for the pattern (a constant shift amount larger than 32 feeding `i64x2.shr_s`) so that affected modules can be rejected before execution; the advisory notes that such scanning is nontrivial. The vulnerability affects only x86_64 hosts, so ARM64, RISC-V, and other architectures are not impacted. Users running versions prior to 10.0.0 are unaffected, indicating that the flaw was introduced in the 10.0.0 release cycle and is a regression in the runtime's handling of vector instructions. The case demonstrates the importance of maintaining specification compliance in runtimes that serve as foundational components for executing untrusted code: non-compliant behavior, while not immediately exploitable, still represents a significant risk to application correctness and can undermine trust in the execution environment.
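As an added worked example (not Wasmtime or Cranelift code, and not from VulDB or MITRE), the following Python module gives a specification reference for `i64x2.shr_s`, a fault model of the behaviour the advisory describes that can be swapped for a real runtime's output in a differential check, and a heuristic scanner for the `i32.const k; i64x2.shr_s` byte pattern with k > 32, the workaround the analysis above calls nontrivial. The exact wrong bits produced by the affected lowering are an assumption of the fault model (the advisory says only that the low 32 bits of lane 1 come from the wrong half of the input); the opcode encodings are those of the WebAssembly SIMD proposal; the sample code bytes are constructed for the example.

```python
"""Reference model, fault model, differential check and heuristic scanner for
the i64x2.shr_s miscompilation described in CVE-2023-41880.
Added example; not Wasmtime/Cranelift code."""
import struct
from typing import Callable, Iterator, List, Tuple

MASK32 = (1 << 32) - 1

# Opcode bytes from the WebAssembly SIMD proposal: i32.const is 0x41; SIMD
# instructions are the prefix 0xFD followed by a LEB128 sub-opcode, and
# i64x2.shr_s is sub-opcode 0xCC, which LEB128-encodes as 0xCC 0x01.
I32_CONST = 0x41
SIMD_PREFIX = 0xFD
I64X2_SHR_S_LEB = bytes([0xCC, 0x01])


def i64x2_shr_s(v: bytes, shift: int) -> bytes:
    """Spec semantics: two little-endian signed i64 lanes, each arithmetically
    shifted right by (shift mod 64). Python's >> on ints is arithmetic."""
    lane0, lane1 = struct.unpack("<qq", v)
    s = shift % 64
    return struct.pack("<qq", lane0 >> s, lane1 >> s)


def i64x2_shr_s_x86_fault_model(v: bytes, shift: int) -> bytes:
    """Stand-in for the affected x86_64 lowering. ASSUMPTION: for a constant
    shift > 32 the low 32 bits of output lane 1 are computed from the low 32
    bits of input lane 1 (sign-extended, shifted by shift-32) instead of from
    its high 32 bits; lane 0 and the high half of lane 1 are correct."""
    correct = i64x2_shr_s(v, shift)
    if shift <= 32:
        return correct
    in_lane1 = struct.unpack("<QQ", v)[1]
    low_in = in_lane1 & MASK32
    low_in_signed = low_in - (1 << 32) if low_in >> 31 else low_in
    wrong_low = (low_in_signed >> (shift - 32)) & MASK32
    out0, out1 = struct.unpack("<QQ", correct)
    out1 = (out1 & ~MASK32) | wrong_low      # keep the correct high half
    return struct.pack("<QQ", out0, out1)


def diff_lanes(v: bytes, shift: int,
               impl: Callable[[bytes, int], bytes]) -> List[str]:
    """Differential check: compare `impl` (e.g. bytes captured from a real
    runtime) against the spec model and name each differing 32-bit half in
    the advisory's terms (lane index, low/high half). Empty list == agrees."""
    expected = i64x2_shr_s(v, shift)
    actual = impl(v, shift)
    findings = []
    for lane in range(2):
        for name, off in (("low", 0), ("high", 4)):   # little-endian lanes
            pos = lane * 8 + off
            if expected[pos:pos + 4] != actual[pos:pos + 4]:
                findings.append(f"lane{lane}.{name}32")
    return findings


def decode_sleb32(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a signed LEB128 integer starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if b & 0x40:                     # sign bit of the last group
                result -= 1 << shift
            return result, pos


def scan_code(code: bytes) -> Iterator[Tuple[int, int]]:
    """Heuristic scan of raw code bytes: yield (offset, k) for every
    `i32.const k` immediately followed by `i64x2.shr_s` with k > 32.
    It can hit a 0x41 inside another immediate (false positive) and misses
    constants that reach the shift through a local or a later constant fold
    (false negative); an exact answer needs a full instruction decoder."""
    pos = 0
    while pos < len(code):
        if code[pos] == I32_CONST:
            try:
                k, nxt = decode_sleb32(code, pos + 1)
            except IndexError:
                break
            if (code[nxt:nxt + 1] == bytes([SIMD_PREFIX])
                    and code[nxt + 1:nxt + 3] == I64X2_SHR_S_LEB and k > 32):
                yield pos, k
        pos += 1


# Constructed sample vector (lane 0 = INT64_MIN, lane 1 = 0x0123456789ABCDEF)
SAMPLE_V = struct.pack("<QQ", 0x8000000000000000, 0x0123456789ABCDEF)

# Constructed sample code bytes (not a real module): three const/shift pairs.
SAMPLE_CODE = bytes([
    0x41, 0x28,          # i32.const 40   -> affected (40 > 32)
    0xFD, 0xCC, 0x01,    # i64x2.shr_s
    0x41, 0x10,          # i32.const 16   -> not affected
    0xFD, 0xCC, 0x01,    # i64x2.shr_s
    0x41, 0x28,          # i32.const 40
    0xFD, 0xCD, 0x01,    # i64x2.shr_u    -> different instruction, ignored
])

if __name__ == "__main__":
    print("spec   :", i64x2_shr_s(SAMPLE_V, 40).hex())
    print("fault  :", i64x2_shr_s_x86_fault_model(SAMPLE_V, 40).hex())
    print("differs:", diff_lanes(SAMPLE_V, 40, i64x2_shr_s_x86_fault_model))
    print("matches:", list(scan_code(SAMPLE_CODE)))
```

To use `diff_lanes` against a real host, replace the fault model with a callable that runs a small module containing `v128.const v; i32.const shift; i64x2.shr_s` on the runtime under test and returns the 16 result bytes; the spec model is the oracle. The scanner is a triage aid only: a production check should decode function bodies properly and, if it cannot prove the shift amount is never a constant above 32, fall back to the advisory's other workaround of disabling the SIMD proposal.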

Responsible

GitHub, Inc.

Reservation

09/04/2023

Disclosure

09/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00605

KEV

no

Activities

very low
