
Patch for CVE-2021-32629 to stable-v0.26 for security point release. #2919

Merged: 2 commits, May 21, 2021

Conversation

@cfallin cfallin (Member) commented May 21, 2021

This PR is a cherry-pick of the fix for the CVE (and related #2840) on top of the v0.26.0 release, using a new stable-v0.26 branch. Once this merges, I will version-bump and release v0.26.1 (and Cranelift v0.73.1) off of this branch.

bnjbvr and others added 2 commits May 20, 2021 18:44
Fixes bytecodealliance#2839. See also the issue description and comments in this commit for
details of what the fix is about here.

Previously, the x64 backend's ABI code would generate a sign-extending
load when loading a less-than-64-bit integer from a spillslot. This is
incorrect: e.g., for i32s > 0x80000000, this would result in all high
bits set.

This interacts poorly with another optimization. Normally, the invariant
is that the high bits of a register holding a value of a certain type,
beyond that type's bits, are undefined. However, as an optimization, we
recognize and use the fact that on x86-64, 32-bit instructions zero the
upper 32 bits. This allows us to elide a 32-to-64-bit zero-extend op
(turning it into just a move, which can then sometimes disappear
entirely due to register coalescing).

If a spill and reload happen between the production of a 32-bit value
from an instruction known to zero the upper bits and its use, then we
will rely on zero upper bits that might actually be set by a
sign-extend. This will result in incorrect execution.

As a fix, we stick to a simple invariant: we always spill and reload a
full 64 bits when handling integer registers on x64. This ensures that
no bits are mangled.
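The interaction described in the commit message above can be reproduced in a small model of the register and spill behaviour. The following C program is an added illustration, not code from the commit or from the Cranelift/Wasmtime code base: it models a 64-bit integer register, a 32-bit ALU op that zeroes the upper 32 bits, the pre-fix sign-extending reload, the post-fix full-64-bit reload, and a zero-extend that the optimizer has elided into a plain move because it trusts the upper bits to be zero. The function names (`alu32_add`, `reload_signext_i32`, `reload_full64`, `elided_uextend`) are invented for the example; the cast-based reload mirrors what a sign-extending 32-bit load does to the register contents.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of one 64-bit x86-64 integer register. */
typedef uint64_t reg64_t;

/* A 32-bit ALU instruction on x86-64 writes the low 32 bits of the
 * destination and zeroes the upper 32 bits. The optimizer relies on
 * this to turn a later uextend.i32->i64 into a plain move. */
static reg64_t alu32_add(uint32_t a, uint32_t b) {
    return (reg64_t)(uint32_t)(a + b);
}

/* Pre-fix behaviour: only the low 32 bits were spilled, and the reload
 * used a sign-extending load, so bit 31 is replicated into bits 32..63.
 * (The unsigned->signed cast wraps on all mainstream compilers; this is
 * exactly the replication a sign-extending load performs.) */
static reg64_t reload_signext_i32(reg64_t spilled) {
    int32_t low = (int32_t)(uint32_t)spilled;
    return (reg64_t)(int64_t)low;
}

/* Post-fix behaviour: spill and reload the full 64 bits, so whatever
 * the producing instruction left in the upper half survives unchanged. */
static reg64_t reload_full64(reg64_t spilled) {
    return spilled;
}

/* The elided zero-extend: just a move. It is only correct if the upper
 * 32 bits of the register really are zero at this point. */
static uint64_t elided_uextend(reg64_t r) {
    return (uint64_t)r;
}

/* Reference semantics of uextend.i32->i64, with no reliance on upper bits. */
static uint64_t explicit_uextend(reg64_t r) {
    return (uint64_t)(uint32_t)r;
}

typedef reg64_t (*reload_fn)(reg64_t);

/* (a + b) as i32, spilled and reloaded between production and use,
 * then zero-extended to i64 via the elided (move-only) uextend. */
static uint64_t compute_with_spill(uint32_t a, uint32_t b, reload_fn reload) {
    reg64_t produced = alu32_add(a, b);   /* upper 32 bits are zero here */
    reg64_t reloaded = reload(produced);  /* spill + reload in between */
    return elided_uextend(reloaded);      /* trusts upper bits to be zero */
}

/* True when the reload policy preserves the zero-upper-bits invariant
 * that the elided uextend depends on. */
static bool reload_is_sound(uint32_t a, uint32_t b, reload_fn reload) {
    return compute_with_spill(a, b, reload) == explicit_uextend(alu32_add(a, b));
}

int main(void) {
    /* Constructed inputs: the sum crosses 0x80000000, so bit 31 is set. */
    uint32_t a = 0x7fffffffu, b = 1u;
    printf("sign-extending reload: 0x%016llx (sound=%d)\n",
           (unsigned long long)compute_with_spill(a, b, reload_signext_i32),
           reload_is_sound(a, b, reload_signext_i32));
    printf("full 64-bit reload:    0x%016llx (sound=%d)\n",
           (unsigned long long)compute_with_spill(a, b, reload_full64),
           reload_is_sound(a, b, reload_full64));
    return 0;
}
```

For inputs whose i32 result has bit 31 clear, both reload policies agree, which is why the bug only surfaces on values at or above 0x80000000 and only when a spill happens to land between the 32-bit producer and the elided extend.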
@cfallin cfallin requested a review from iximeow May 21, 2021 19:12
@alexcrichton alexcrichton (Member) left a comment

If you want, wanna fold the version bumps into this as well to double-check?

@iximeow iximeow (Contributor) left a comment

thank you for shepherding these fixes along!

@cfallin cfallin merged commit e481824 into bytecodealliance:stable-v0.26 May 21, 2021