Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte length, which is twice the size of the code units. This vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service vulnerability in Wasmtime, and possibly being able to read beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires nonstandard configuration of Wasmtime, specifically with guard pages disabled. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

N/A

跨界内存读

wasmtime 缓冲区错误漏洞

wasmtime是Bytecode Alliance开源的一个轻量级WebAssembly运行时。 Wasmtime 24.0.7之前版本、36.0.7之前版本、42.0.2之前版本和43.0.1之前版本存在缓冲区错误漏洞，该漏洞源于将UTF-16字符串转码为latin1+utf16组件模型编码时，执行边界检查错误地验证了输入字符串的代码单元数而非字节长度，可能导致主机尝试转码不存在的字节时读取超出WebAssembly线性内存的末尾，在默认配置下会因段错误终止进程，构成拒绝服务漏洞，在禁用保护页的非标准

N/A

N/A