Free of Memory not on the Heap
CVE-2021-39218
Summary
Wasmtime is an open-source runtime for WebAssembly & WASI. A memory unsoundness vulnerability affects wasmtime from versions 0.26.0 through 0.29.0. This vulnerability involves an invalid free and out-of-bounds read and write bug when running Wasm code that uses "externref"s in Wasmtime.

To trigger this bug, Wasmtime must be running Wasm code using "externref"s, the host must create non-null "externref"s, and Wasmtime must perform a garbage collection (GC). Additionally, there must be a Wasm frame on the stack at a GC safepoint with no live references, alongside an earlier safepoint in the same function with live references. Under these conditions, Wasmtime incorrectly uses the GC stack map from the earlier safepoint instead of the empty one at the current safepoint. As a result, arbitrary stack slots are mistakenly treated as "externref"s requiring rooting for GC. At the next GC, these bogus "externref"s are determined to have no references, leading Wasmtime to deallocate them and invoke "<ExternRef as Drop>::drop". This results in freeing memory not allocated on the heap (or memory that should not be freed at that time), as well as potential out-of-bounds reads and writes.

Support for "externref"s via the reference types proposal is enabled by default. However, unless non-null "externref"s are created in the host code or GCs are explicitly triggered, the vulnerability does not apply. The effective impact of this issue is considered small due to the rarity of "externref" usage.

This bug has been patched, and users are advised to upgrade. If upgrading is not possible, the vulnerability can be mitigated by disabling the reference types proposal by passing "false" to "wasmtime::Config::wasm_reference_types".
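The mechanism in the summary (a safepoint with no live references inheriting the stack map of an earlier safepoint in the same function) can be modelled with a few lines of Rust. The following is an added illustration written for this page, not Wasmtime or Cranelift code; `StackMapTable`, `Slot`, `bogus_roots` and the safepoint addresses are constructed for the example and do not correspond to Wasmtime's real data structures. It contrasts a table that omits empty stack maps and answers lookups with the nearest preceding entry against one that records every safepoint and answers exactly, and reports which stack slots each variant would wrongly hand to the GC as "externref" roots.

```rust
// Added example, not Wasmtime's code: a toy model of the safepoint/stack-map
// confusion described in the advisory. All names and addresses are constructed.
use std::collections::BTreeMap;

/// What a frame's stack slot holds at a given moment (constructed model).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Slot {
    /// A live externref handle: a real root the GC must trace.
    ExternRef(u64),
    /// Plain data that later reuses the same slot; must never be treated as a reference.
    Scalar(i64),
}

/// A GC stack map: indices of the slots holding live references at one safepoint.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct StackMap {
    pub live_slots: Vec<usize>,
}

/// Stack maps keyed by the safepoint's program counter.
#[derive(Default)]
pub struct StackMapTable {
    maps: BTreeMap<u64, StackMap>,
}

impl StackMapTable {
    /// Faulty recording: a safepoint with no live references gets no entry at all.
    pub fn record_skipping_empty(&mut self, pc: u64, map: StackMap) {
        if !map.live_slots.is_empty() {
            self.maps.insert(pc, map);
        }
    }

    /// Correct recording: every safepoint gets an entry, empty or not.
    pub fn record(&mut self, pc: u64, map: StackMap) {
        self.maps.insert(pc, map);
    }

    /// "Nearest preceding safepoint" lookup. When empty entries are missing, a
    /// safepoint with no live refs silently inherits the earlier safepoint's map.
    pub fn lookup_nearest(&self, pc: u64) -> Option<&StackMap> {
        self.maps.range(..=pc).next_back().map(|(_, m)| m)
    }

    /// Exact lookup: an unknown safepoint yields None rather than a stale map.
    pub fn lookup_exact(&self, pc: u64) -> Option<&StackMap> {
        self.maps.get(&pc)
    }
}

/// Slots the stack map claims are references but that actually hold scalars:
/// each one is a bogus "externref" that a later GC would try to drop.
pub fn bogus_roots(map: &StackMap, frame: &[Slot]) -> Vec<usize> {
    map.live_slots
        .iter()
        .copied()
        .filter(|&i| !matches!(frame.get(i), Some(Slot::ExternRef(_))))
        .collect()
}

/// The advisory's scenario: safepoint A has one live externref in slot 0; a later
/// safepoint B in the same function has none, and slot 0 now holds a scalar.
/// Returns (bogus roots with faulty recording, bogus roots with correct recording).
pub fn scenario() -> (Vec<usize>, Vec<usize>) {
    const SAFEPOINT_A: u64 = 0x10; // constructed addresses
    const SAFEPOINT_B: u64 = 0x40;
    let map_a = StackMap { live_slots: vec![0] };
    let map_b = StackMap::default();
    // Frame contents at safepoint B: slot 0 has been reused for an integer.
    let frame_at_b = [Slot::Scalar(0x4141_4141), Slot::Scalar(7)];

    let mut faulty = StackMapTable::default();
    faulty.record_skipping_empty(SAFEPOINT_A, map_a.clone());
    faulty.record_skipping_empty(SAFEPOINT_B, map_b.clone());
    let faulty_map = faulty.lookup_nearest(SAFEPOINT_B).cloned().unwrap_or_default();

    let mut fixed = StackMapTable::default();
    fixed.record(SAFEPOINT_A, map_a);
    fixed.record(SAFEPOINT_B, map_b);
    let fixed_map = fixed.lookup_exact(SAFEPOINT_B).cloned().unwrap_or_default();

    (bogus_roots(&faulty_map, &frame_at_b), bogus_roots(&fixed_map, &frame_at_b))
}

fn main() {
    let (faulty, fixed) = scenario();
    println!("bogus roots with faulty table: {:?}", faulty); // [0]
    println!("bogus roots with fixed table:  {:?}", fixed);  // []
}
```

The faulty table reports slot 0 as a root at safepoint B even though it now holds a scalar, which is exactly the value the advisory says would later be passed to `<ExternRef as Drop>::drop`; the table that records empty maps and matches the safepoint exactly reports nothing. For deployments that cannot upgrade, the advisory's own mitigation is to disable the reference types proposal with `wasmtime::Config::wasm_reference_types(false)`, which removes "externref"s, and therefore GC stack maps, from the picture entirely.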
- HIGH
- LOCAL
- HIGH
- UNCHANGED
- NONE
- LOW
- NONE
- HIGH
CWE-590 - Free of Memory not on the Heap
The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
References
Advisory Timeline
- Published