vulgraph opened issue #13211:
Looking at `cranelift/codegen/src/isa/x64/lower.isle:4093` on `release-24.0.0`, the `fcopysign` lowering rules for `$F32` and `$F64` haven't been updated yet:

```isle
(rule (lower (has_type $F32 (fcopysign a @ (value_type $F32) b)))
      (let ((sign_bit Xmm (imm $F32 0x80000000)))
        (x64_orps (x64_andnps sign_bit a) (x64_andps sign_bit b))))

(rule (lower (has_type $F64 (fcopysign a @ (value_type $F64) b)))
      (let ((sign_bit Xmm (imm $F64 0x8000000000000000)))
        (x64_orpd (x64_andnpd sign_bit a) (x64_andpd sign_bit b))))
```

Upstream commit 728fa071 wraps `a` and `b` in `(let ((a Xmm a)) ...)` so a 128-bit load isn't sunk into the operand position — that sink is what causes the OOB read described in the 40.0.3 release notes. Without it, an `f64.load` feeding `f64.copysign` can read 16 bytes instead of 8 and segfault when signals-based traps are off.

Is there an intent to backport 728fa071 to `release-24.0.0`, or is this branch out of security support? Happy to file a PR if it's the former.

Best,
vulgraph
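For readers comparing the two forms, here is the `$F64` rule before and after the change the issue describes. This is an added reconstruction based on the description above, not the text of commit 728fa071 itself; the exact upstream wording and the name of the memory-capable operand type are assumed.

```isle
;; Added reconstruction, not quoted from the upstream commit. A real lower.isle
;; would contain only the "after" rule; both are shown here for comparison.

;; Before (release-24.0.0): `a` and `b` are bare Values. The and/andn operands
;; accept a memory operand, so the lowering may sink the f64.load into the
;; instruction itself, which reads a full 16 bytes instead of the 8 the
;; wasm load was bounds-checked for.
(rule (lower (has_type $F64 (fcopysign a @ (value_type $F64) b)))
      (let ((sign_bit Xmm (imm $F64 0x8000000000000000)))
        (x64_orpd (x64_andnpd sign_bit a) (x64_andpd sign_bit b))))

;; After: binding `a` and `b` to `Xmm` up front forces each value into a
;; register through its own 8-byte load before the bitwise chain runs, so no
;; load is sunk into an operand position and the read stays within bounds.
(rule (lower (has_type $F64 (fcopysign a @ (value_type $F64) b)))
      (let ((a Xmm a)
            (b Xmm b)
            (sign_bit Xmm (imm $F64 0x8000000000000000)))
        (x64_orpd (x64_andnpd sign_bit a) (x64_andpd sign_bit b))))
```

The `$F32` rule takes the same two bindings; only the `0x80000000` mask and the `ps` instruction forms differ.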
cfallin commented on issue #13211:
Thanks for filing this issue!
I'm actually somewhat perplexed looking at our internal discussions from this CVE: we agreed to patch v36, v40, v41, but somehow it never came up (and I will take primary responsibility for not realizing!) that we should have patched v24 as well, since it is still in LTS.
I'll do a backport and then do a version-bump release; thanks.
cfallin commented on issue #13211:
(More precisely speaking: I'll do a backport and version-bump once GitHub Status is no longer red, perhaps tomorrow.)
cfallin commented on issue #13211:
I put up #13213 and we'll release this along with another upcoming security release (which also has backports to v24) on Thursday.
vulgraph commented on issue #13211:
Thank you very much, @cfallin — really appreciate the quick turnaround and for opening #13213. I will keep an eye on Thursday's release. Cheers!
Last updated: May 03 2026 at 22:13 UTC