CVE-2022-31104: 
Rust vulnerability analysis and mitigation

Wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The bugs affected the i8x16.swizzle and select WebAssembly instructions (with the select instruction only affected when inputs are of v128 type). The vulnerability was discovered in June 2022 and assigned CVE-2022-31104. The issue affected Wasmtime versions prior to 0.38.1 and Cranelift versions prior to 0.85.1. The aarch64 implementation of the SIMD proposal was not affected (GitHub Advisory).

The vulnerability manifested in two distinct ways: 1) The swizzle instruction lowering in Cranelift erroneously overwrote the mask input register which could corrupt constant values, meaning future uses of the same constant may see different values than intended. 2) The select instruction lowering wasn't correctly implemented for 128-bit wide vector types - when the condition was 0, the wrong instruction was used to move the input, resulting in only the low 32 bits being moved while the upper 96 bits retained their previous values. The select instruction worked correctly if the condition was nonzero (GitHub Advisory).

The bug represented an incorrect implementation of the specified semantics according to the WebAssembly specification. While the impact was benign for hosts running WebAssembly, it created potential vulnerabilities within guest programs. WebAssembly programs could take unintended branches or materialize incorrect values internally, potentially exposing the program to other vulnerabilities that can occur from miscompilations (GitHub Advisory).

The issue was patched in Wasmtime version 0.38.1 and Cranelift version 0.85.1. For users unable to upgrade, a workaround was available by disabling the Wasm SIMD proposal using config.wasm_simd(false). The fixes were implemented through two separate pull requests that corrected the implementation of both affected instructions (GitHub Advisory).