Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
Description
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.0.2, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected; all other targets are unaffected. The miscompilation causes the instruction to produce an incorrect result: the low 32 bits of the second lane of the result vector are derived from the low 32 bits of the second lane of the input vector instead of the high 32 bits. The primary impact of this issue is that any WebAssembly program using `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result.
This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless.
This issue was discovered through fuzzing of Wasmtime's code generator Cranelift.
Wasmtime versions 10.0.2, 11.0.2, and 12.0.2 are all patched to no longer have this miscompilation. This issue only affects x86_64 hosts, and the only workaround is either to scan for this pattern in wasm modules, which is nontrivial, or to disable the SIMD proposal for WebAssembly. Users prior to 10.0.0 are unaffected by this vulnerability.
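The wrong lane selection described above can be reproduced in a small software model of the instruction sequence that appears in the fix commit's `lower.isle` hunk. This is an added example, not Wasmtime or Cranelift code; the helper names are illustrative, and the shift amount of 40 is an assumption inferred from the expected values in the commit's regression test.

```rust
// Software model of the x86_64 lowering for i64x2.shr_s with a constant
// shift larger than 32. Helper names are illustrative, not Cranelift's.
// A vector is four 32-bit dwords, least significant first.
type V = [u32; 4];

fn from_lanes(l: [i64; 2]) -> V {
    [l[0] as u32, (l[0] >> 32) as u32, l[1] as u32, (l[1] >> 32) as u32]
}

fn to_lanes(v: V) -> [i64; 2] {
    let lane = |lo: u32, hi: u32| (((hi as u64) << 32) | lo as u64) as i64;
    [lane(v[0], v[1]), lane(v[2], v[3])]
}

// psrad: arithmetic right shift of every 32-bit dword (n is 1..=31 here).
fn psrad(v: V, n: u32) -> V {
    v.map(|d| ((d as i32) >> n) as u32)
}

// pshufd: result dword i is the source dword numbered (imm >> 2*i) & 3.
fn pshufd(v: V, imm: u8) -> V {
    [0u32, 1, 2, 3].map(|i| v[((imm >> (2 * i)) & 3) as usize])
}

// punpckldq: interleave the low two dwords of a and b.
fn punpckldq(a: V, b: V) -> V {
    [a[0], b[0], a[1], b[1]]
}

const BUGGY: u8 = 0b11_10_10_01; // dword 1 <- source dword 2 (low half of lane 1)
const FIXED: u8 = 0b11_10_11_01; // dword 1 <- source dword 3 (high half of lane 1)

// The lowering, parameterised on the shuffle mask applied to low32.
fn sshr_const(input: [i64; 2], imm: u32, low_mask: u8) -> [i64; 2] {
    let vec = from_lanes(input);
    let high32 = pshufd(psrad(vec, 31), 0b11_10_11_01);
    let low32 = pshufd(psrad(vec, imm - 32), low_mask);
    to_lanes(punpckldq(low32, high32))
}

fn main() {
    // Input vector taken from the regression test added in the fix commit.
    let input = [0x2424242424244424, 0x8b1b1b1bffffff24u64 as i64];
    println!("spec : {:x?}", input.map(|l| l >> 40));
    println!("buggy: {:x?}", sshr_const(input, 40, BUGGY));
    println!("fixed: {:x?}", sshr_const(input, 40, FIXED));
}
```

With the pre-fix mask the second lane comes out as all ones, because the sign-extended low dword of the input lane is used in place of the shifted high dword.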
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wasmtime (crates.io) | >= 10.0.0, < 10.0.2 | 10.0.2 |
| wasmtime (crates.io) | >= 11.0.0, < 11.0.2 | 11.0.2 |
| wasmtime (crates.io) | >= 12.0.0, < 12.0.2 | 12.0.2 |
Affected products
- Range: >= 10.0.0, < 10.0.2
Patches
8d7eda15b0ba Merge pull request from GHSA-gw5p-q8mj-p7gh
3 files changed · +54 −1
cranelift/codegen/src/isa/x64/lower.isle+1 −1 modified@@ -860,7 +860,7 @@ (high32 Xmm (x64_psrad vec (xmi_imm 31))) (high32 Xmm (x64_pshufd high32 0b11_10_11_01)) (low32 Xmm (x64_psrad vec (xmi_imm (u32_sub imm 32)))) - (low32 Xmm (x64_pshufd low32 0b11_10_10_01)) + (low32 Xmm (x64_pshufd low32 0b11_10_11_01)) ) (x64_punpckldq low32 high32)))
cranelift/filetests/filetests/runtests/simd-sshr.clif+2 −0 modified@@ -121,4 +121,6 @@ block0(v0: i64x2): ; run: %i64x2_sshr_const3([0x10000000000 0]) == [1 0] ; run: %i64x2_sshr_const3([-1 -1]) == [-1 -1] ; run: %i64x2_sshr_const3([0x8000000080000000 0x8000000080000000]) == [0xffffffffff800000 0xffffffffff800000] +; run: %i64x2_sshr_const3([0x2424242424244424 0x8b1b1b1bffffff24]) == [0x242424 0xffffffffff8b1b1b] +; run: %i64x2_sshr_const3([0x2424242424244424 0x1b1b1b1bffffff24]) == [0x242424 0x1b1b1b]
RELEASES.md+51 −0 modified@@ -137,6 +137,19 @@ Unreleased. -------------------------------------------------------------------------------- +## 12.0.2 + +Released 2023-09-14. + +### Fixed + +* [CVE-2023-41880] - Miscompilation of wasm `i64x2.shr_s` instruction with + constant input on x86\_64 + +[CVE-2023-41880]: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh + +-------------------------------------------------------------------------------- + ## 12.0.1 Released 2023-08-24 @@ -211,6 +224,31 @@ Released 2023-08-21 -------------------------------------------------------------------------------- +## 11.0.2 + +Released 2023-09-14. + +### Fixed + +* [CVE-2023-41880] - Miscompilation of wasm `i64x2.shr_s` instruction with + constant input on x86\_64 + +[CVE-2023-41880]: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh + +-------------------------------------------------------------------------------- + +## 11.0.1 + +Released 2023-07-24. + +### Fixed + +* Update some minimum version requirements for Wasmtime's dependencies to fix + building Wasmtime with historical versions of these dependencies. + [#6758](https://github.com/bytecodealliance/wasmtime/pull/6758) + +-------------------------------------------------------------------------------- + ## 11.0.0 Released 2023-07-20 @@ -271,6 +309,19 @@ Released 2023-07-20 -------------------------------------------------------------------------------- +## 10.0.2 + +Released 2023-09-14. + +### Fixed + +* [CVE-2023-41880] - Miscompilation of wasm `i64x2.shr_s` instruction with + constant input on x86\_64 + +[CVE-2023-41880]: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh + +-------------------------------------------------------------------------------- + ## 10.0.1 Released 2023-06-21
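Review bot: In cranelift/codegen/src/isa/x64/lower.isle, the corrected `(low32 Xmm (x64_pshufd low32 0b11_10_11_01))` line now carries the same shuffle immediate as the `high32` shuffle two lines above it, yet the two are still separate literals with no comment on which dwords they select. Suggest binding the immediate once, or at least commenting that it moves source dwords 1 and 3 (the high half of each 64-bit lane) into the low two positions ahead of `x64_punpckldq`, so the two shuffles cannot drift apart again the way `0b11_10_10_01` did.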
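Review bot: In cranelift/filetests/filetests/runtests/simd-sshr.clif, both added `; run:` lines call `%i64x2_sshr_const3`, so the fix is exercised at only that one function's shift amount, while the lowering computes `u32_sub imm 32` for every constant this rule handles. Suggest adding run cases at the smallest and largest shift amounts that reach the rule, with inputs whose second lane has different high and low dwords like the two new vectors; the neighbouring existing vectors (`[-1 -1]` and `[0x8000000080000000 0x8000000080000000]`) have identical halves in each lane and cannot distinguish the two shuffle masks.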
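Review bot: In RELEASES.md, the `[CVE-2023-41880]:` link reference definition is added three times, once under each of the 12.0.2, 11.0.2 and 10.0.2 sections; the definitions are identical, so a single one would serve all three entries. The new sections also write `Released 2023-09-14.` with a trailing period while the surrounding context lines (`Released 2023-08-24`, `Released 2023-07-20`, `Released 2023-06-21`) have none, and the 11.0.1 section added in the same hunk is unrelated to this fix and would be easier to audit as its own change.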
References
- github.com/advisories/GHSA-gw5p-q8mj-p7gh
- nvd.nist.gov/vuln/detail/CVE-2023-41880
- docs.rs/wasmtime/latest/wasmtime/struct.Config.html
- github.com/bytecodealliance/wasmtime/commit/8d7eda15b0badcbea83a7aac2d08f80788b59240
- github.com/bytecodealliance/wasmtime/pull/6372
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh
- rustsec.org/advisories/RUSTSEC-2023-0091.html