CVE-2023-41880: Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
Wasmtime versions from 10.0.0 to 12.0.1 contain a miscompilation of the WebAssembly i64x2.shr_s instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the i64x2.shr_s with a constant shift amount larger than 32 may produce an incorrect result.
This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless.
This issue was discovered through fuzzing of Wasmtime’s code generator Cranelift.
References
- docs.rs/wasmtime/latest/wasmtime/struct.Config.html
- github.com/advisories/GHSA-gw5p-q8mj-p7gh
- github.com/bytecodealliance/wasmtime
- github.com/bytecodealliance/wasmtime/commit/8d7eda15b0badcbea83a7aac2d08f80788b59240
- github.com/bytecodealliance/wasmtime/pull/6372
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh
- nvd.nist.gov/vuln/detail/CVE-2023-41880
Detect and mitigate CVE-2023-41880 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →