Stream: git-wasmtime

Topic: wasmtime / issue #9660 MemoryImageSlot doesn't handle the...


Wasmtime GitHub notifications bot (Nov 22 2024 at 20:51):

sunshowers opened issue #9660:

Discovered this while working on #9652.

Looking at LocalMemory::new:

https://github.com/bytecodealliance/wasmtime/blob/bc656c72126ca3dcdc9477960b88a1816d2c09cb/crates/wasmtime/src/runtime/vm/memory.rs#L484-L487

It passes in alloc.byte_size() as the accessible parameter to MemoryImageSlot::create:

https://github.com/bytecodealliance/wasmtime/blob/bc656c72126ca3dcdc9477960b88a1816d2c09cb/crates/wasmtime/src/runtime/vm/cow.rs#L337-L345

self.accessible is not rounded up to the host page size and is instead stored directly. But other places assume that self.accessible is page-aligned, for example:

https://github.com/bytecodealliance/wasmtime/blob/bc656c72126ca3dcdc9477960b88a1816d2c09cb/crates/wasmtime/src/runtime/vm/cow.rs#L425

This ends up resolving to mprotect:

https://github.com/bytecodealliance/wasmtime/blob/bc656c72126ca3dcdc9477960b88a1816d2c09cb/crates/wasmtime/src/runtime/vm/sys/unix/vm.rs#L9-L11

mprotect requires that its address is page-aligned, and will produce an EINVAL if it isn't.

I think there are likely also places where it panics or possibly even causes UB.

Wasmtime GitHub notifications bot (Nov 22 2024 at 22:39):

sunshowers commented on issue #9660:

In Zulip we decided to:


Last updated: Dec 23 2024 at 12:05 UTC