CVE-2021-29945: 
NixOS vulnerability analysis and mitigation

CVE-2021-29945 is a vulnerability in Mozilla Firefox's WebAssembly JIT compiler that was discovered and disclosed in April 2021. The vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88, specifically on x86-32 platforms. The issue involves incorrect size computation in the WebAssembly JIT compiler that could lead to null-reads (Mozilla Advisory, NVD).

The vulnerability stems from a miscalculation in the WebAssembly JIT compiler where it incorrectly computes the size of a return type. Specifically, on x86-32 platforms, the compiler allocates insufficient space for float32 multi-value returns, leading to potential stack corruption. The issue occurs when the JIT compiler miscalculates the area size computation, resulting in a byteSize of 4 when it should be larger. This vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The vulnerability's impact is primarily limited to causing crashes through null-reads when specific WebAssembly code is executed. The issue only affects x86-32 platforms, with other platforms remaining unaffected. While the vulnerability could potentially be used to access memory through spoofed null pointers with large offsets, exploitation is considered difficult and unlikely (Mozilla Bug).

Mozilla addressed this vulnerability by releasing patches in Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10. The fix involved correcting the area size computation in the WebAssembly JIT compiler to properly handle float32 return values (Mozilla Advisory, Mozilla Advisory).