CVE-2024-47763: wasmtime has a runtime crash when combining tail calls with trapping imports
(updated )
Wasmtime’s implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later.
WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations.
The specific crash happens when an exported function in a WebAssembly module (or component) performs a return_call (or return_call_indirect or return_call_ref) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it’s possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust panic!().
When Wasmtime is compiled with Rust versions 1.80 and prior this means that an extern "C" function in Rust is raising a panic!(). This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort.
Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other than availability of a service as the result of the crash is always a crash and no more.
This issue was discovered by routine fuzzing performed by the Wasmtime project via Google’s OSS-Fuzz infrastructure. We have no evidence that it has ever been exploited by an attacker in the wild.
References
- docs.rs/wasmtime/latest/wasmtime/struct.Config.html
- github.com/WebAssembly/proposals
- github.com/advisories/GHSA-q8hx-mm92-4wvg
- github.com/bytecodealliance/wasmtime
- github.com/bytecodealliance/wasmtime/commit/0ebe54d05f0e1f6c64b7c8bb48c9e9f6c95cacba
- github.com/bytecodealliance/wasmtime/pull/6774
- github.com/bytecodealliance/wasmtime/pull/8540
- github.com/bytecodealliance/wasmtime/pull/8682
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q8hx-mm92-4wvg
- github.com/webassembly/tail-call
- nvd.nist.gov/vuln/detail/CVE-2024-47763
- rustsec.org/advisories/RUSTSEC-2024-0440.html
Code Behaviors & Features
Detect and mitigate CVE-2024-47763 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →