PT-2021-19817 · Cranelift

Javier Cabrera Arteaga · Published 2021-05-21 · Updated 2024-06-15 · CVE-2021-32629

CVSS v3.1: 7.2 (High)

Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cranelift version 0.73.0

Description: There is a bug in the Cranelift x64 backend that can create a scenario resulting in a potential sandbox escape in a WebAssembly module. Under specific circumstances the backend performs a sign-extend instead of a zero-extend on a value loaded from the stack. If these circumstances occur, the bug could allow access to memory addresses up to 2 GiB before the start of the heap allocated for the WebAssembly module. The impact of this bug is highly dependent on the heap implementation and is mitigated if no memory is mapped in the range reachable through this bug. The issue occurs when an i32 value is greater than or equal to 0x80000000, the value is spilled and reloaded by the register allocator, the value is produced by a "special" instruction, the value is then zero-extended to 64 bits, and the resulting 64-bit value is used. Under these circumstances there is a potential sandbox escape when the i32 value is a pointer.

Recommendations: To resolve the issue, users of Cranelift version 0.73.0 should upgrade to either version 0.73.1 or 0.74. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend. As a temporary workaround, consider disabling the use of the new backend until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the i32 value in the affected API endpoint until the issue is resolved.
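The following Rust program is an added illustration of the extension mistake the description names; it is not Cranelift or Wasmtime code and does not model the register-allocator spill/reload conditions, only the final address computation. A wasm32 linear-memory index is 32 bits wide and must be zero-extended before it is added to the heap base; the program shows what happens when the same bits are sign-extended instead. `HEAP_BASE` is a constructed, hypothetical address, and `in_sandbox` is an assumed check for "inside the 4 GiB the module may reach", written here only for the example.

```rust
// Added illustration of the CVE-2021-32629 mechanism (not Cranelift code).
// A wasm32 linear-memory index is a 32-bit value that must be zero-extended
// to 64 bits before it is added to the heap base. If a value with its top bit
// set (>= 0x80000000) is sign-extended instead, the add wraps to an address
// below the heap base, by as much as 2 GiB.

/// Hypothetical heap base for the constructed example (not a real mapping).
pub const HEAP_BASE: u64 = 0x0000_7f00_0000_0000;

/// Size of the region a wasm32 module may address: 4 GiB.
pub const WASM32_REACH: u64 = 1 << 32;

/// Correct extension: treat the 32 bits as unsigned and widen with zeros.
pub fn zero_extend(index: u32) -> u64 {
    u64::from(index)
}

/// Buggy extension: the same 32 bits treated as a signed i32 and widened
/// by copying the sign bit into the upper half.
pub fn sign_extend(index: u32) -> u64 {
    (index as i32) as i64 as u64
}

/// Address the load would use: base + extended index, with the wrapping
/// add a machine instruction performs.
pub fn effective_address(base: u64, extended: u64) -> u64 {
    base.wrapping_add(extended)
}

/// Assumed sandbox check: whether an address lies inside [base, base + 4 GiB),
/// the only range a wasm32 module is supposed to reach via linear memory.
pub fn in_sandbox(base: u64, addr: u64) -> bool {
    addr >= base && addr < base.wrapping_add(WASM32_REACH)
}

/// Signed byte displacement of `addr` from `base`, for reporting.
pub fn displacement(base: u64, addr: u64) -> i64 {
    addr.wrapping_sub(base) as i64
}

fn main() {
    // Constructed indices: two below the sign bit, two at or above it.
    for &index in &[0x0000_0010u32, 0x7fff_ffff, 0x8000_0000, 0xffff_fff0] {
        let good = effective_address(HEAP_BASE, zero_extend(index));
        let bad = effective_address(HEAP_BASE, sign_extend(index));
        println!(
            "index {:#010x}: zext -> {:#x} (in sandbox: {}), sext -> {:#x} (in sandbox: {}, displacement {} bytes)",
            index,
            good,
            in_sandbox(HEAP_BASE, good),
            bad,
            in_sandbox(HEAP_BASE, bad),
            displacement(HEAP_BASE, bad)
        );
    }
}
```

For indices below 0x80000000 both extensions agree, which is why the bug only surfaces for values with the top bit set. For 0x80000000 the sign-extended address lands exactly 2 GiB below the heap base, matching the 2 GiB window in the description; whether anything readable is mapped there depends on the host heap layout, which is the mitigation the advisory refers to.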

Weakness Enumeration

Out-of-bounds Read

Access of Memory Location After End of Buffer

Related Identifiers

CVE-2021-32629
GHSA-HPQH-2WQX-7QP5
OPENSUSE-SU-2024:10673-1
PYSEC-2021-87
RUSTSEC-2021-0067

Affected Products

Cranelift