Impact
Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.
Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.
There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:
- The
wasmtime::Memory::new constructor takes a MemoryType which could be shared. This function did not properly reject shared memory types and require usage of SharedMemory::new instead.
- Capturing a core dump with WebAssembly would expose all linear memories a
wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.
This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.
Patches
Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and shared memories are now excluded from core dumps.
Workarounds
Embeddings affected by this issue should use SharedMemory::new instead of Memory::new to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.
References
Impact
Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.
Wasmtime has a
wasmtime::Memorytype which represents linear memories in a WebAssembly module. Wasmtime also haswasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssemblythreadsproposal. The API ofSharedMemorydoes not provide accessors which return&[u8]in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. Thewasmtime::Memorytype, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory withwasmtime::Memoryand it must instead be represented withwasmtime::SharedMemory.There were two different, erroneous, methods of creating a
wasmtime::Memorywhich represents a shared memory however:wasmtime::Memory::newconstructor takes aMemoryTypewhich could beshared. This function did not properly reject shared memory types and require usage ofSharedMemory::newinstead.wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if
unsafeis not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.Patches
Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via
Memory::newand shared memories are now excluded from core dumps.Workarounds
Embeddings affected by this issue should use
SharedMemory::newinstead ofMemory::newto create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.References
wasmtime::MemoryAPI documentationwasmtime::SharedMemoryAPI documentationwasmtime::Config::coredump_on_trapto enable/disable core dumps