fkie_cve-2024-47813
Vulnerability from fkie_nvd
Published
2024-10-09 18:15
Modified
2024-10-10 12:51
Severity ?
2.9 (Low) - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Summary
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.
References
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/pull/7969
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`\u0027s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly\u0027s control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \"References\" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \"References\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly\u0027s `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime\u0027s internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it\u0027s been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry\u0027s registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19\u0027s development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release."
    },
    {
      "lang": "es",
      "value": "Wasmtime es un entorno de ejecuci\u00f3n de c\u00f3digo abierto para WebAssembly. Bajo ciertas \u00f3rdenes de eventos concurrentes, el registro de tipos interno de `wasmtime::Engine` era susceptible a errores de doble anulaci\u00f3n de registro debido a una condici\u00f3n de ejecuci\u00f3n, lo que provocaba p\u00e1nicos y, potencialmente, corrupci\u00f3n del registro de tipos. Esa corrupci\u00f3n del registro podr\u00eda, despu\u00e9s de una secuencia adicional y particular de eventos concurrentes, provocar violaciones de la integridad del flujo de control (CFI) y la seguridad de tipos de WebAssembly. Los usuarios que no usan `wasmtime::Engine` en varios subprocesos no se ven afectados. Los usuarios que solo crean nuevos m\u00f3dulos en varios subprocesos a lo largo del tiempo tampoco se ven afectados. Para reproducir este error es necesario crear y eliminar varias instancias de tipo (como `wasmtime::FuncType` o `wasmtime::ArrayType`) simult\u00e1neamente en varios subprocesos, donde todos los tipos est\u00e1n asociados con el mismo `wasmtime::Engine`. **Los invitados de Wasm no pueden activar este error.** Consulte la secci\u00f3n \"Referencias\" a continuaci\u00f3n para obtener una lista de las API relacionadas con los tipos de Wasmtime que se ven afectadas. Wasmtime mantiene un registro interno de tipos dentro de un `wasmtime::Engine` y un motor se puede compartir entre subprocesos. Los tipos se pueden crear y referenciar mediante la creaci\u00f3n de un `wasmtime::Module`, la creaci\u00f3n de `wasmtime::FuncType` o una serie de otras API donde el host crea una funci\u00f3n (consulte \"Referencias\" a continuaci\u00f3n). Cada uno de estos casos interact\u00faa con un motor para deduplicar la informaci\u00f3n de tipo y administrar los \u00edndices de tipo que se utilizan para implementar las comprobaciones de tipo en la funci\u00f3n `call_indirect` de WebAssembly, por ejemplo. Este error es una condici\u00f3n de ejecuci\u00f3n en esta gesti\u00f3n donde el registro de tipo interno podr\u00eda estar da\u00f1ado para activar una aserci\u00f3n o contener un estado no v\u00e1lido. La representaci\u00f3n interna de Wasmtime de un tipo tiene tipos individuales (por ejemplo, uno por funci\u00f3n de host) que mantienen un recuento de registro de cu\u00e1ntas veces se ha utilizado. Los tipos tambi\u00e9n tienen un estado dentro de un motor detr\u00e1s de un bloqueo de lectura y escritura, como informaci\u00f3n de b\u00fasqueda o deduplicaci\u00f3n. La ejecuci\u00f3n aqu\u00ed es un error de tiempo de verificaci\u00f3n versus tiempo de uso (TOCTOU) donde un hilo disminuye at\u00f3micamente el recuento de registros de una entrada de tipo, observa cero registros y luego adquiere un bloqueo para anular el registro de esa entrada. Sin embargo, entre el momento en que este primer hilo observ\u00f3 el recuento de registros cero y el momento en que adquiere ese bloqueo, otro hilo podr\u00eda realizar la siguiente secuencia de eventos: volver a registrar otra copia del tipo, que deduplica esa misma entrada, resucit\u00e1ndola e incrementando su recuento de registros; luego, descartar el tipo y disminuir su recuento de registros; observar que el recuento de registros ahora es cero; adquirir el bloqueo de registro de tipo; y finalmente anular el registro del tipo. Ahora, cuando el hilo original finalmente adquiere el bloqueo y anula el registro de la entrada, es la segunda vez que se anula el registro de esta entrada. Este error se introdujo originalmente en el desarrollo de la propuesta de recolecci\u00f3n de elementos no utilizados de WebAssembly en Wasmtime 19. Sin embargo, este error afecta a los usuarios que no utilizan la propuesta de recolecci\u00f3n de elementos no utilizados y afecta a Wasmtime en su configuraci\u00f3n predeterminada incluso cuando la propuesta de recolecci\u00f3n de elementos no utilizados est\u00e1 deshabilitada. Los usuarios de Wasmtime que utilizan la versi\u00f3n 19.0.0 y posteriores se ven afectados por este problema. Hemos publicado las siguientes versiones de Wasmtime, todas las cuales tienen una soluci\u00f3n para este error: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. --- truncada ---"
    }
  ],
  "id": "CVE-2024-47813",
  "lastModified": "2024-10-10T12:51:56.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 2.9,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.3,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-09T18:15:09.120",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bytecodealliance/wasmtime/pull/7969"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.