Critical vulnerability in Wasmtime, runtime for WebAssembly applications

The corrective releases Wasmtime 6.0.1, 5.0.1, and 4.0.1 fix a vulnerability (CVE-2023-26489) that has been rated Critical. The flaw lets isolated WebAssembly code write data to memory outside the bounds allowed for it, which an attacker could potentially use to execute their own code outside the isolated WASI environment.

Wasmtime is a runtime for running WebAssembly applications with WASI (WebAssembly System Interface) extensions as ordinary standalone applications. The toolkit is written in Rust. The vulnerability is caused by a logic error in the linear memory addressing rules of the Cranelift code generator, which translates a hardware-independent intermediate representation into executable machine code for the x86_64 architecture.

In particular, 35-bit effective addresses were calculated for WebAssembly applications instead of the 33-bit addresses allowed in WebAssembly. This moved the limit of virtual memory reachable by read and write operations to 34 GB, while the sandbox settings protect only 6 GB from the base address. As a result, the range of virtual memory from 6 to 34 GB from the base address was available for reading and writing from WebAssembly applications. This memory can host other WebAssembly environments or WebAssembly runtime components.

If updating Wasmtime is not possible, two workarounds are mentioned for blocking the error. The first is to set the "Config::static_memory_maximum_size(0)" option, which enables a mandatory separate bounds check on every linear memory access (this results in significant performance degradation). The second is to set "Config::static_memory_guard_size(1 << 36)" to increase the number of guard pages (pages that raise an exception when accessed) placed in the problematic virtual memory range (this reserves a large amount of virtual memory and limits the number of concurrent WebAssembly applications).
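The two workarounds can be checked against the article's figures with a small numeric model. This is an added example in Rust using only the standard library, not Wasmtime code; `MemCfg`, `exposure` and the split of the 6 GB default into a 4 GiB reservation plus a 2 GiB guard are assumptions made for illustration.

```rust
// Added illustration: a numeric model of the article's figures, not Wasmtime code.
const GIB: u64 = 1 << 30; // the article's "GB" is treated as GiB here

// Assumption: the 6 GB protected by default is a 4 GiB static memory
// reservation followed by a 2 GiB guard region.
const DEFAULT_STATIC_MAX: u64 = 4 * GIB;
const DEFAULT_GUARD: u64 = 2 * GIB;
// Furthest distance from the base that affected code could address (article: 34 GB).
const BUGGY_REACH: u64 = 34 * GIB;

/// Hypothetical stand-in for the two `Config` settings named in the article.
struct MemCfg {
    static_max: u64, // Config::static_memory_maximum_size
    guard: u64,      // Config::static_memory_guard_size
}

#[derive(Debug, PartialEq)]
enum Exposure {
    /// Every reachable offset is bounds-checked, linear memory, or a guard page.
    Contained,
    /// Offsets in [from_gib, to_gib) from the base are unprotected.
    Exposed { from_gib: u64, to_gib: u64 },
}

fn exposure(cfg: &MemCfg, reach: u64) -> Exposure {
    // A zero static maximum forces an explicit bounds check on every access,
    // so nothing relies on the reservation-plus-guard layout.
    if cfg.static_max == 0 {
        return Exposure::Contained;
    }
    let protected = cfg.static_max.saturating_add(cfg.guard);
    if reach <= protected {
        Exposure::Contained
    } else {
        Exposure::Exposed { from_gib: protected / GIB, to_gib: reach / GIB }
    }
}

fn main() {
    let configs = [
        ("default", MemCfg { static_max: DEFAULT_STATIC_MAX, guard: DEFAULT_GUARD }),
        ("static_memory_maximum_size(0)", MemCfg { static_max: 0, guard: DEFAULT_GUARD }),
        ("static_memory_guard_size(1 << 36)", MemCfg { static_max: DEFAULT_STATIC_MAX, guard: 1 << 36 }),
    ];
    for (name, cfg) in &configs {
        println!("{}: {:?}", name, exposure(cfg, BUGGY_REACH));
    }
}
```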

Source: opennet.ru
