bytecodealliance wasmtime
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:rust:*:*
- >= 29.0.0, < 36.0.5
- >= 29.0.0, < 40.0.3
- >= 29.0.0, < 41.0.1
A vulnerability exists in Wasmtime versions from 29.0.0 up to, but not including, the fixed releases 36.0.5, 40.0.3 and 41.0.1, on x86-64 platforms with AVX. The issue arises when Cranelift compiles the 'f64.copysign' WebAssembly instruction: the lowering emits a load of the wrong width, which can read out of bounds. This miscompilation can cause a segmentation fault by reading from unmapped guard pages, or potentially expose out-of-sandbox data to WebAssembly guests if guard pages are disabled. The vulnerability is rooted in how the 'copysign' operator is lowered, allowing an improper memory access that can crash the process or undermine WebAssembly sandboxing.
Exploitation of this vulnerability can cause a segmentation fault by accessing unmapped memory, crashing the process. It can also undermine WebAssembly sandboxing by exposing out-of-bounds data to WebAssembly guests, unless a separate bug in Cranelift happens to keep that data from being visible.
The vulnerability can be reproduced by loading a WebAssembly module that uses the 'f64.copysign' instruction into Wasmtime 40.0.2 on an x86-64 platform with AVX support: compile a module containing that instruction and execute it in Wasmtime 40.0.2. The incorrect load can be confirmed by observing a segmentation fault or an out-of-bounds memory access.
Users should upgrade to Wasmtime 36.0.5, 40.0.3, or 41.0.1, which contain the fix for this vulnerability. Update instructions are in the Wasmtime release notes.
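A practical check for the mitigation above is to test whether a given Wasmtime version string falls inside the affected ranges. The following Python script is an added example, not part of this advisory or of the Wasmtime project; it assumes that each listed range describes its own release line (36.x fixed at 36.0.5, 40.x at 40.0.3, 41.x at 41.0.1, with 37.x to 39.x affected and never patched) and that the `wasmtime --version` output it optionally parses contains an `x.y.z` version number.

```python
"""Classify a Wasmtime version against the ranges in this advisory.

Added example (not advisory or project code). Encodes: affected from 29.0.0
onward, fixed in 36.0.5 (36.x line), 40.0.3 (40.x line) and 41.0.1 (41.x line).
"""
import re
import subprocess
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (29, 0, 0)
# Fixed release per patched line; the 41.x fix is also the upper bound overall,
# so anything at or above 41.0.1 is treated as fixed.
FIXED_PER_LINE: Dict[int, Version] = {
    36: (36, 0, 5),
    40: (40, 0, 3),
    41: (41, 0, 1),
}
UPPER_BOUND: Version = FIXED_PER_LINE[41]


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from strings like '40.0.2', 'v40.0.2'
    or 'wasmtime 40.0.2'. Raises ValueError when no version is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in match.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies in an affected range of this advisory."""
    v = parse_version(text)
    if v < FIRST_AFFECTED or v >= UPPER_BOUND:
        return False
    # Within a patched release line, versions at or after the fix are safe.
    fixed = FIXED_PER_LINE.get(v[0])
    if fixed is not None and v >= fixed:
        return False
    # Everything else in [29.0.0, 41.0.1) is affected, including the
    # unpatched 37.x-39.x lines (assumption: those lines received no backport).
    return True


def report(text: str) -> str:
    """One-line human-readable verdict for a version string."""
    v = parse_version(text)
    label = "AFFECTED" if is_affected(text) else "not affected"
    return f"wasmtime {v[0]}.{v[1]}.{v[2]}: {label}"


def check_installed() -> str:
    """Run the locally installed wasmtime binary (if any) and classify it."""
    try:
        out = subprocess.run(["wasmtime", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"could not query wasmtime: {exc}"
    return report(out)


if __name__ == "__main__":
    # Constructed sample inputs covering the range boundaries.
    for sample in ["28.9.9", "29.0.0", "36.0.4", "36.0.5", "37.0.0",
                   "wasmtime 40.0.2", "40.0.3", "41.0.0", "41.0.1", "42.0.0"]:
        print(report(sample))
    print(check_installed())
```

Run it directly to see the verdict for each boundary version and for the local install; in CI, `is_affected` can gate a build on the version reported by the toolchain.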