CVE-2022-31146— Wasmtime 资源管理错误漏洞

Use After Free in Wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

释放后使用

Wasmtime 资源管理错误漏洞

Wasmtime是一个字节码联盟项目，它是一个独立的仅用于 WebAssembly 和 WASI 的 wasm 优化运行时。 Wasmtime 0.37.0版本的代码生成器Cranelift存在资源管理错误漏洞，该漏洞源于其开发者使用引用类型的函数可能错误地缺少运行时垃圾回收 （GC） 所需的元数据。这意味着，如果 GC 在运行时发生，则收集器会错误地认为某些 Wasm 堆栈帧没有对垃圾回收值的实时引用，因此会回收并解除分配它们。然后，该函数随后可以继续使用这些值，从而导致以后使用后释放的错误。

N/A

N/A