High-severity vulnerability in Wasmtime, a runtime for WebAssembly applications

The corrective releases Wasmtime 6.0.1, 5.0.1 and 4.0.1 fix a vulnerability (CVE-2023-26489) that has been assigned a high severity rating. The vulnerability allows data to be read from and written to memory outside the bounds permitted to isolated WebAssembly code, which an attacker could use to execute their own code outside the isolated WASI environment.

Wasmtime is a runtime for executing WebAssembly applications with WASI (WebAssembly System Interface) extensions as ordinary standalone applications. The toolkit is written in Rust, and the vulnerability is caused by a logic error in the linear-memory addressing rules of the Cranelift code generator, which translates an architecture-independent intermediate representation into machine code for the x86_64 architecture.

Specifically, for WebAssembly applications a 35-bit effective address was computed instead of the 33-bit effective address that WebAssembly defines (a 32-bit index plus a 32-bit offset). That raises the upper bound of memory reachable by read and write operations to 2^35 bytes, roughly 34 GB beyond the base of linear memory, whereas the sandbox only reserves 6 GB from the base address (with the default configuration: 4 GiB of addressable static memory followed by a 2 GiB guard region). As a result, memory from 6 to 34 GB beyond the base address was available to the WebAssembly application for reading and writing without hitting a guard page. That address range can hold the linear memories of other WebAssembly instances or components of the WebAssembly runtime itself.

If updating Wasmtime is not possible, the vulnerability can be blocked by setting the "Config::static_memory_maximum_size(0)" option, which makes every linear memory dynamically sized and therefore subjects every linear-memory access to an explicit bounds check (at a significant performance cost). Another option is to use "Config::static_memory_guard_size(1 << 36)" to enlarge the guard region (unmapped guard pages that trap when accessed) placed after each linear memory to 64 GiB, so that any address the faulty code generator can form still lands on a guard page and faults; this reserves a very large amount of virtual address space per memory (the guard pages are reserved, not backed by physical memory) and reduces the number of WebAssembly instances that can run at the same time in one process.
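The two workarounds can be checked against the numbers in the article with a small model. The following Rust is an added example, not code from Wasmtime or Cranelift: it assumes Wasmtime's documented default layout (4 GiB static memory plus a 2 GiB guard region), takes the 35-bit effective-address width from the advisory without reproducing the actual faulty address-mode lowering, and uses a simplified form of the rule that an access with a static offset below the guard size needs no explicit check. `MemoryPlan`, `escape_window` and the other names are the example's own.

```rust
// Added example, not code from Wasmtime or Cranelift: a model of the "static"
// linear-memory layout Wasmtime reserves per guest, of the bounds-check elision
// that layout allows, and of why a 35-bit effective address escapes the default
// guard while the two workarounds from the advisory contain it.
// Assumed: Wasmtime's documented defaults of 4 GiB static memory + 2 GiB guard.
// The 35-bit width is the advisory's figure; the faulty lowering is not modelled.

const GIB: u64 = 1 << 30;

/// The two `Config` knobs the article discusses, in bytes.
#[derive(Clone, Copy, Debug)]
pub struct MemoryPlan {
    /// `Config::static_memory_maximum_size`; 0 makes every memory dynamically checked.
    pub static_max: u64,
    /// `Config::static_memory_guard_size`: unmapped bytes reserved after the memory.
    pub guard: u64,
}

/// Assumed default layout: 4 GiB addressable + 2 GiB guard = 6 GiB reserved.
pub const DEFAULT_PLAN: MemoryPlan = MemoryPlan { static_max: 4 * GIB, guard: 2 * GIB };

impl MemoryPlan {
    /// Workaround 1: `static_memory_maximum_size(0)` forces explicit bounds checks.
    pub fn dynamic(&self) -> bool {
        self.static_max == 0
    }

    /// Exclusive end, relative to the memory base, of the span that is either
    /// guest memory or a guard page. An access below it either succeeds in
    /// bounds or faults on the guard and becomes a trap; it never corrupts
    /// anything else in the process.
    pub fn protected_end(&self) -> u64 {
        self.static_max + self.guard
    }

    /// Simplified form of Wasmtime's elision rule: `base + index + offset` needs
    /// no explicit check only when `offset < guard`, because a 32-bit `index`
    /// then keeps the address below `static_max + guard`.
    pub fn needs_bounds_check(&self, offset: u32) -> bool {
        self.dynamic() || u64::from(offset) >= self.guard
    }

    /// Highest address a *correct* unchecked access can form (32-bit index plus
    /// the static offset), or None when the access carries an explicit check.
    pub fn correct_unchecked_reach(&self, offset: u32) -> Option<u64> {
        if self.needs_bounds_check(offset) {
            None
        } else {
            Some(u64::from(u32::MAX) + u64::from(offset))
        }
    }

    /// Addresses (relative to base) that an unchecked access with an
    /// `ea_bits`-wide effective address can hit beyond memory and guard,
    /// as a half-open range, or None when the layout contains every such address.
    pub fn escape_window(&self, ea_bits: u32) -> Option<(u64, u64)> {
        if self.dynamic() {
            return None; // every access is checked against the live memory length
        }
        let reach_end = 1u64 << ea_bits; // generated code can form 0 .. 2^ea_bits - 1
        let protected = self.protected_end();
        if reach_end > protected {
            Some((protected, reach_end))
        } else {
            None
        }
    }
}

fn main() {
    let big_guard = MemoryPlan { guard: 1 << 36, ..DEFAULT_PLAN };
    let dynamic = MemoryPlan { static_max: 0, ..DEFAULT_PLAN };
    let plans = [("default", DEFAULT_PLAN), ("guard 1<<36", big_guard), ("max size 0", dynamic)];
    for (name, plan) in plans.iter() {
        match plan.escape_window(35) {
            Some((lo, hi)) => println!(
                "{}: a 35-bit address escapes the guard in [{} GiB, {} GiB)",
                name, lo / GIB, hi / GIB
            ),
            None => println!("{}: every 35-bit address lands in memory or guard", name),
        }
    }
    // Correct 33-bit codegen: the largest unchecked access still sits inside the guard.
    let top_offset = (2 * GIB - 1) as u32;
    println!(
        "correct reach at offset {}: {:?} < {}",
        top_offset,
        DEFAULT_PLAN.correct_unchecked_reach(top_offset),
        DEFAULT_PLAN.protected_end()
    );
}
```

With the default plan the model reports an escape window of [6 GiB, 32 GiB), which is the 6 to 34 GB range from the article in decimal units; a 1 << 36 guard pushes the protected span to 68 GiB, beyond anything a 35-bit address can reach, and a zero static maximum removes the window because no access goes unchecked. The model also shows why the 2 GiB default is enough for correct code: the largest unchecked 33-bit access (index 2^32 - 1 plus an offset just under the guard) stops 2 bytes short of the protected end. In a real embedding the settings are applied to `wasmtime::Config` with the two methods named in the text; the model only explains the arithmetic behind choosing them.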

Source: opennet.ru
