saulecabrera opened PR #9156 from saulecabrera:fix-oob-dynamic-heaps to bytecodealliance:main:
This commit fixes an edge case for bounds checks for dynamic heaps.
https://github.com/bytecodealliance/wasmtime/pull/8157/files erroneously tied the bounds check operation (more concretely the overflow check) to the size derived from the heap type. Even though offsets and access sizes are validated ahead-of-time and bound to the heap type, in the case of overflow checking, we must ensure that the operation size is tied to the target's pointer size to avoid clamping the access size and offset addition, which would result in missing an out-of-bounds memory access.
This commit also adds a disassembly test to avoid introducing regressions in the future.
Additionally, this commit adds more comments around why `pointer_size` is used for certain bounds checking operations.
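A small model of the check the description talks about, added here as an example; it is not code from Winch, Cranelift or this PR, and the `CheckWidth` enum, the `access_in_bounds` function and its `bound` parameter are my own names. It contrasts computing `offset + access_size` at the 32-bit heap-index width, where the sum wraps and the check passes, with computing it at 64-bit pointer width, where the out-of-bounds access is caught.

```rust
/// Width at which the bounds-check arithmetic is performed.
/// (Model only; the real compiler derives this from the target.)
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum CheckWidth {
    /// Arithmetic clamped to the 32-bit heap-index type: the buggy case.
    HeapType32,
    /// Arithmetic performed at the target's 64-bit pointer width: the fix.
    Pointer64,
}

/// Decide whether a load/store of `access_size` bytes at `index + offset`
/// stays inside a dynamic 32-bit memory whose current byte length is `bound`.
/// `offset` and `access_size` are the static immediates of the memory
/// instruction; `index` is the dynamic operand supplied at runtime.
pub fn access_in_bounds(
    index: u32,
    offset: u32,
    access_size: u8,
    bound: u64,
    width: CheckWidth,
) -> bool {
    // Static part of the effective address: offset + access_size.
    let static_part: u64 = match width {
        // Wrapping 32-bit add: 0xffff_ffff + 8 silently becomes 7, so a
        // huge offset looks like a tiny one and the check below passes.
        CheckWidth::HeapType32 => offset.wrapping_add(access_size as u32) as u64,
        // Pointer-width add: u32::MAX + u8::MAX fits in a u64, so nothing
        // is lost and the real end address is compared against `bound`.
        CheckWidth::Pointer64 => offset as u64 + access_size as u64,
    };
    // Effective end of the access, always computed at pointer width here so
    // the only difference between the two cases is the static part above.
    let end = index as u64 + static_part;
    end <= bound
}
```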
saulecabrera requested abrown for a review on PR #9156.
saulecabrera requested wasmtime-compiler-reviewers for a review on PR #9156.
saulecabrera requested alexcrichton for a review on PR #9156.
saulecabrera requested wasmtime-core-reviewers for a review on PR #9156.
saulecabrera updated PR #9156.
alexcrichton submitted PR review.
saulecabrera has enabled auto merge for PR #9156.
saulecabrera merged PR #9156.
Last updated: Jan 24 2025 at 00:11 UTC