bytecodealliance wasmtime
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:rust:*:*
- >= 38.0.0, < 38.0.3
A vulnerability in Wasmtime's handling of component-model related host-to-Wasm trampolines can lead to a crash of the host application. This issue is present in Wasmtime versions from 38.0.0 up to, but not including, 38.0.3. The vulnerability arises because the component trampolines were not properly updated during a refactor that removed the use of 'setjmp' and 'longjmp' for stack unwinding. As a result, if an error occurs during the execution of WebAssembly, the missing runtime data can cause the host to segfault or hit an assert failure. Exploiting this vulnerability requires crafting a specific component and using a host embedder that invokes the right type signatures.
Exploitation of this vulnerability causes a segmentation fault or an assertion failure, crashing the host application.
To reproduce this vulnerability, create a component that, when called through a host-to-Wasm trampoline, triggers an error without the necessary runtime data being updated. This can be done by invoking specific component type signatures that the vulnerable trampolines do not handle correctly, such as those related to the 'resource.rep' intrinsic.
Update to Wasmtime version 38.0.3, which has been patched to fix this vulnerability.
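To check whether a Rust project pins an affected release, the following added example (not code from the Wasmtime project or from this advisory) scans Cargo.lock text for `wasmtime` entries in the range stated above. The function names and the sample lockfile fragment are constructed for illustration, and pre-release or build suffixes are ignored when comparing.

```rust
// Added example: flag `wasmtime` entries in Cargo.lock text that fall in the
// affected range given on this page (>= 38.0.0, < 38.0.3).
// Assumption: pre-release/build suffixes are ignored when comparing.
fn is_affected(version: &str) -> bool {
    let core = version.split(|c| c == '-' || c == '+').next().unwrap_or("");
    let parsed: Result<Vec<u64>, _> = core.split('.').map(|p| p.parse::<u64>()).collect();
    let Ok(nums) = parsed else { return false };
    if let [major, minor, patch] = nums[..] {
        let v = (major, minor, patch);
        return v >= (38, 0, 0) && v < (38, 0, 3);
    }
    false // not a plain MAJOR.MINOR.PATCH version
}

/// Extract the quoted value from a `key = "value"` line.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Return the affected `wasmtime` versions found in Cargo.lock text.
fn affected_wasmtime(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // a new package block starts
        } else if let Some(v) = value_of(line, "name") {
            name = Some(v);
        } else if let Some(v) = value_of(line, "version") {
            // Only the `wasmtime` crate itself, not wasmtime-* helper crates.
            if name == Some("wasmtime") && is_affected(v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"38.0.1\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"38.0.1\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"38.0.3\"\n";

fn main() {
    for v in affected_wasmtime(SAMPLE_LOCK) {
        println!("wasmtime {v} is in the affected range; update to 38.0.3");
    }
}
```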