CVE-2021-32629
published 2021-05-24CVE-2021-32629: Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable…
PriorityP343high8.8CVSS 3.1
AVLACLPRLUINSCCHIHAH
EPSS
0.46%
36.2th percentile
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is st
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | cranelift-codegen | < 0.73.1 | 0.73.1 |
| bytecodealliance | cranelift-codegen | >= 0 < 0.73.1 | 0.73.1 |
| bytecodealliance | cranelift-codegen | >= 0.0.0-0 < 0.73.1 | 0.73.1 |
| bytecodealliance | wasmtime | <= 0.73.0 | — |
| bytecodealliance | wasmtime | >= 0 < 0.27.0 | 0.27.0 |
| bytecodealliance | wasmtime | >= 0 < 95559c01aaa7c061088a433040f31e8291fb09d0 | 95559c01aaa7c061088a433040f31e8291fb09d0 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Memory access due to code generation flaw in Cranelift module
osv·2021-08-25
CVE-2021-32629 [HIGH] Memory access due to code generation flaw in Cranelift module
Memory access due to code generation flaw in Cranelift module
There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend.
### Description
This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73.0. The recently-released version 0.73.0 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs
GHSA
Memory access due to code generation flaw in Cranelift module
ghsa·2021-08-25
CVE-2021-32629 [HIGH] CWE-125 Memory access due to code generation flaw in Cranelift module
Memory access due to code generation flaw in Cranelift module
There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend.
### Description
This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73.0. The recently-released version 0.73.0 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs
OSV
CVE-2021-32629: Cranelift is an open-source code generator maintained by Bytecode Alliance
osv·2021-05-24
CVE-2021-32629 CVE-2021-32629: Cranelift is an open-source code generator maintained by Bytecode Alliance
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug
OSV
Memory access due to code generation flaw in Cranelift module
osv·2021-05-21
CVE-2021-32629 Memory access due to code generation flaw in Cranelift module
Memory access due to code generation flaw in Cranelift module
There is a bug in 0.73.0 of the Cranelift x64 backend that can create a
scenario that could result in a potential sandbox escape in a WebAssembly
module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1
or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0
should update to 0.73.1 or 0.74 if they were not using the old default backend.
More details can be found in the GitHub Security Advisory at:
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://crates.io/crates/cranelift-codegenhttps://github.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5https://www.fastly.com/security-advisories/memory-access-due-to-code-generation-flaw-in-cranelift-modulehttps://crates.io/crates/cranelift-codegenhttps://github.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5https://www.fastly.com/security-advisories/memory-access-due-to-code-generation-flaw-in-cranelift-module
2021-05-24
Published