WebAssembly Micro Runtime Out-of-Bounds Access Vulnerability in Fast Interpreter Mode

Vulnerability

A moderate-severity out-of-bounds array access vulnerability has been identified in WebAssembly Micro Runtime (WAMR) versions prior to 2.4.4. The issue arises in fast interpreter mode during WASM bytecode loading. When the 'frame_ref_bottom' and 'frame_offset_bottom' arrays are full and a 'GET_GLOBAL(I32)' opcode is processed, the 'frame_ref_bottom' array is expanded, but the 'frame_offset_bottom' array may not be. If this is followed by an 'if' opcode that triggers 'preserve_local_for_block', that function iterates through the arrays using 'stack_cell_num' as the upper limit. This can lead to an out-of-bounds access on 'frame_offset_bottom', because it was not expanded to match the increased 'stack_cell_num'.
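
The mismatch described above, as an added C model (not WAMR source code and not the 2.4.4 patch): the array names and 'stack_cell_num' come from the advisory, while LoaderModel, push_cell, offset_cells_out_of_bounds, run_scenario and the doubling growth policy are assumptions. It checks the invariant that a loop bounded by 'stack_cell_num' depends on, without performing the out-of-bounds access itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Model only: field names are from the advisory; everything else is assumed. */
typedef struct {
    uint8_t *frame_ref_bottom;    uint32_t frame_ref_size;    /* capacity in cells */
    int16_t *frame_offset_bottom; uint32_t frame_offset_size; /* capacity in cells */
    uint32_t stack_cell_num;      /* cells currently on the operand stack */
} LoaderModel;

/* Push one cell. keep_in_sync == 0 models the flaw: only frame_ref_bottom grows. */
static int push_cell(LoaderModel *m, int keep_in_sync) {
    if (m->stack_cell_num >= m->frame_ref_size) {
        uint8_t *r = realloc(m->frame_ref_bottom, (size_t)m->frame_ref_size * 2);
        if (!r) return 0;
        m->frame_ref_bottom = r; m->frame_ref_size *= 2;
    }
    if (keep_in_sync && m->stack_cell_num >= m->frame_offset_size) {
        int16_t *o = realloc(m->frame_offset_bottom, (size_t)m->frame_offset_size * 2 * sizeof *o);
        if (!o) return 0;
        m->frame_offset_bottom = o; m->frame_offset_size *= 2;
    }
    m->frame_ref_bottom[m->stack_cell_num] = 1;
    if (m->stack_cell_num < m->frame_offset_size) /* the model never writes out of bounds */
        m->frame_offset_bottom[m->stack_cell_num] = (int16_t)m->stack_cell_num;
    m->stack_cell_num++;
    return 1;
}

/* Number of indices in [0, stack_cell_num) that lie outside frame_offset_bottom. */
static uint32_t offset_cells_out_of_bounds(const LoaderModel *m) {
    return m->stack_cell_num > m->frame_offset_size ? m->stack_cell_num - m->frame_offset_size : 0;
}

/* Fill both arrays to capacity, push one more cell, then check the invariant. */
uint32_t run_scenario(uint32_t cap, int keep_in_sync) {
    LoaderModel m = { calloc(cap, 1), cap, calloc(cap, sizeof(int16_t)), cap, 0 };
    uint32_t oob = UINT32_MAX; /* returned on allocation failure or cap == 0 */
    int ok = cap && m.frame_ref_bottom && m.frame_offset_bottom;
    for (uint32_t i = 0; ok && i <= cap; i++) ok = push_cell(&m, keep_in_sync);
    if (ok) oob = offset_cells_out_of_bounds(&m);
    free(m.frame_ref_bottom); free(m.frame_offset_bottom);
    return oob;
}

int main(void) {
    printf("ref-only: %u, synced: %u\n", (unsigned)run_scenario(4, 0), (unsigned)run_scenario(4, 1));
    return 0;
}
```

A non-zero result means a loop bounded by 'stack_cell_num' would index past the end of 'frame_offset_bottom'; the same comparison can serve as a debug assertion wherever two parallel arrays share one length counter.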

Impact

Exploitation of this vulnerability causes an unbalanced stack operation, leading to potential out-of-bounds access issues.

Reproduction

To reproduce this vulnerability, enable fast interpreter mode and load a WASM module containing a function that:

1. Performs multiple operations that fill the 'frame_ref_bottom' and 'frame_offset_bottom' arrays close to their capacity.
2. Includes a 'GET_GLOBAL' opcode that accesses an I32 global variable, which will increase the 'stack_cell_num' by 1.
3. Immediately follows that opcode with an 'IF' opcode, which triggers the 'preserve_local_for_block' function, causing the out-of-bounds access on 'frame_offset_bottom'.

Remediation

Users can upgrade to WAMR version 2.4.4, where this vulnerability has been patched.

Added: Nov 25, 2025, 11:18 PM
Updated: Nov 25, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.