Wasmtime GitHub notifications bot (Nov 16 2021 at 09:49): Wasmtime GitHub notifications bot (Nov 16 2021 at 09:49):ulan commented on issue #3509:
@alexcrichton: do you know if this bug has any security impact?
Wasmtime GitHub notifications bot (Nov 16 2021 at 15:20):alexcrichton commented on issue #3509:
@ulan this means that if arbitrary input is fed into
Module::newthen it can causeModule::newto panic, which can be a form of denial-of-service I believe, but I think that's the impact of this.
Wasmtime GitHub notifications bot (Nov 16 2021 at 16:14):ulan commented on issue #3509:
Thanks @alexcrichton. Sorry, I forgot to mention that in a test that I tired the panic happens only in the debug mode. Could it be that the assertion is enabled only in debug mode? If so, could the bug lead to something exploitable in release mode?
In any case, do you think it is worthwhile to merge the fix back in the last two released versions?
Wasmtime GitHub notifications bot (Nov 16 2021 at 16:17):alexcrichton commented on issue #3509:
Oh right sorry now I remember what I thought when I was originally thinking about this. Indeed yeah this is a debug assert so the assert doesn't happen in release mode, which means my previous comment is not actually correct because most embeddings are built in release mode.
I remember now though that my conclusion was that this would cause no issues. Nothing bad will happen for bad name section indices in reality and this was mostly just a debug check we needed to fixup. In that sense no need for security backports or anything.
Wasmtime GitHub notifications bot (Nov 16 2021 at 16:37):ulan commented on issue #3509:
Happy to hear that! Thanks @alexcrichton.
Last updated: Nov 22 2024 at 16:03 UTC