RUSTSEC-2021-0067: 
Rust vulnerability analysis and mitigation

A critical vulnerability (RUSTSEC-2021-0067/CVE-2021-32629) was discovered in Cranelift's x64 backend affecting versions <= 0.73.0. The vulnerability, discovered in May 2021, involves a code generation flaw that could potentially lead to a WebAssembly module sandbox escape. The bug was introduced in the new backend on September 8, 2020, and was first included in a release on September 30, 2020, though the new backend wasn't the default prior to version 0.73.0 (GitHub Advisory).

The vulnerability stems from a bug that performs a sign-extend instead of a zero-extend on a value loaded from the stack when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts with an optimization where the instruction selector elides a 32-to-64-bit zero-extend operator when an instruction producing a 32-bit value zeros the upper 32 bits of its destination register. The issue manifests when specific conditions are met: an i32 value is >= 0x8000_0000, the value is spilled and reloaded due to high register pressure, the value is produced by special instructions (add, sub, mul, and, or) that zero upper 32 bits, the value is zero-extended to 64 bits, and the resulting 64-bit value is used (GitHub Advisory).

When exploited, this vulnerability could allow access to memory addresses up to 2GiB before the start of the heap allocated for the WebAssembly module. If the heap bound is larger than 2GiB, it becomes possible to read memory from a computable range dependent on the heap's bound size. The impact varies based on heap implementation, particularly affecting systems where the heap has bounds checks and doesn't rely exclusively on guard pages, and where the heap bound is 2GiB or smaller (GitHub Advisory).

Users of Cranelift version 0.73.0 should upgrade to either version 0.73.1 or 0.74.0 to remediate this vulnerability. Users of Cranelift versions prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend. The vulnerability's impact can be mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the WebAssembly module heap (GitHub Advisory).

The bug was identified by developers at Fastly following a report from Javier Cabrera Arteaga at KTH Royal Institute of Technology, with support from project Trustful of Stiftelsen för Strategisk Forskning. Fastly committed to publishing a related Security Advisory to provide additional information about the vulnerability (GitHub Advisory).