Wasmtime Winch Backend Table.grow Operator Typing Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in the Winch compiler backend of Wasmtime, starting in version 25.0.0 and prior to versions 36.0.7, 42.0.2, and 43.0.1. The issue arises when the table.grow operator is translated for 32-bit tables: the operator's result is assigned the wrong type, being labeled as a 64-bit value instead of the correct 32-bit representation. When the mistyped value is later used in load operations, it can access bytes in the host's address space. Specifically, this vulnerability allows reading from or writing to the 16 bytes before linear memory, which are typically unmapped and inaccessible. Wasmtime's default Cranelift compiler avoids this issue, but opting for Winch with otherwise default settings can cause a denial-of-service by crashing the host process. Disabling guard pages before linear memory makes the issue worse, potentially allowing a leak of up to 16 bytes of host data.

Impact

Exploitation of this vulnerability causes a denial-of-service by crashing the host process. It also introduces a correctness issue within the Winch compiler and a potential leak of up to 16 bytes of host data from the address space before linear memory.

Remediation

Users can upgrade to Wasmtime versions 36.0.7, 42.0.2, or 43.0.1, all of which include the necessary fix. If an immediate upgrade is not possible, users are advised to switch to the Cranelift compiler backend.
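The affected range and the mitigating conditions above can be turned into a triage check over a deployment inventory. The script below is an added example, not part of the original advisory or of the Wasmtime project; the inventory entries, the function and parameter names, and the treatment of release lines with no listed fix as affected are assumptions made for illustration.

```python
import re

# Version boundaries as stated in the advisory text above.
FIRST_AFFECTED = (25, 0, 0)
FIXED_RELEASES = [(36, 0, 7), (42, 0, 2), (43, 0, 1)]

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'wasmtime 36.0.6 (constructed)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def version_is_affected(version):
    if version < FIRST_AFFECTED:
        return False
    if version >= max(FIXED_RELEASES):
        return False  # assumption: releases after the newest fix carry it
    for fix in FIXED_RELEASES:
        if version[0] == fix[0]:
            return version < fix  # same release line: compare to its fix
    return True  # assumption: in-range line with no fixed release listed

def triage(version_text, compiler="cranelift", guard_before_memory=True):
    """Classify one deployment. Parameter names are hypothetical."""
    if not version_is_affected(parse_version(version_text)):
        return "not-affected"
    if compiler != "winch":
        return "affected-version-not-exposed"  # Cranelift avoids the issue
    if guard_before_memory:
        return "exposed-dos"  # host process crash
    return "exposed-dos-and-leak"  # up to 16 bytes of host data

# Constructed inventory: (service, `wasmtime --version` text, compiler, guard)
INVENTORY = [
    ("edge-runner", "wasmtime 36.0.6", "winch", True),
    ("plugin-host", "wasmtime 42.0.1", "winch", False),
    ("batch-jobs", "wasmtime 40.0.0", "cranelift", True),
    ("api-sandbox", "wasmtime 42.0.2", "winch", True),
    ("legacy-tool", "wasmtime 24.0.4", "winch", False),
]

def report(inventory=INVENTORY):
    return {name: triage(v, c, g) for name, v, c, g in inventory}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:14} {verdict}")
```

A plain "older than 36.0.7" comparison would miss 42.0.1 and 43.0.0, which is why the check compares each version against the fixed release on its own release line.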

Added: Apr 9, 2026, 9:40 PM
Updated: Apr 9, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.