Bring back Module::deserialize (#2858)

* Bring back `Module::deserialize` I thought I was being clever suggesting that `Module::deserialize` was removed from #2791 by funneling all module constructors into `Module::new`. As our studious fuzzers have found, though, this means that `Module::new` is not safe currently to pass arbitrary user-defined input into. Now one might pretty reasonable expect to be able to do that, however, being a WebAssembly engine and all. This PR as a result separates the `deserialize` part of `Module::new` back into `Module::deserialize`. This means that binary blobs created with `Module::serialize` and `Engine::precompile_module` will need to be passed to `Module::deserialize` to "rehydrate" them back into a `Module`. This restores the property that it should be safe to pass arbitrary input to `Module::new` since it's always expected to be a wasm module. This also means that fuzzing will no longer attempt to fuzz `Module::deserialize` which isn't something we want to do anyway. * Fix an example * Mark `Module::deserialize` as `unsafe`
2021-04-27 10:55:12 -05:00
parent 4a830b1159
commit 8384f3a347
10 changed files with 110 additions and 65 deletions
--- a/crates/wasmtime/src/engine.rs
+++ b/crates/wasmtime/src/engine.rs
@@ -160,8 +160,9 @@ impl Engine {
    ///   Note that the `wat` feature is enabled by default.
    ///
    /// This method may be used to compile a module for use with a different target
-    /// host. The output of this method may be used with [`Module::new`](crate::Module::new)
-    /// on hosts compatible with the [`Config`] associated with this [`Engine`].
+    /// host. The output of this method may be used with
+    /// [`Module::deserialize`](crate::Module::deserialize) on hosts compatible
+    /// with the [`Config`] associated with this [`Engine`].
    ///
    /// The output of this method is safe to send to another host machine for later
    /// execution. As the output is already a compiled module, translation and code
--- a/crates/wasmtime/src/module.rs
+++ b/crates/wasmtime/src/module.rs
@@ -121,9 +121,6 @@ impl Module {
    ///   This is only supported when the `wat` feature of this crate is enabled.
    ///   If this is supplied then the text format will be parsed before validation.
    ///   Note that the `wat` feature is enabled by default.
-    /// * A module serialized with [`Module::serialize`].
-    /// * A module compiled with [`Engine::precompile_module`] or the
-    ///   `wasmtime compile` command.
    ///
    /// The data for the wasm module must be loaded in-memory if it's present
    /// elsewhere, for example on disk. This requires that the entire binary is
@@ -182,11 +179,6 @@ impl Module {
    /// ```
    pub fn new(engine: &Engine, bytes: impl AsRef<[u8]>) -> Result<Module> {
        let bytes = bytes.as_ref();
-
-        if let Some(module) = SerializedModule::from_bytes(bytes)? {
-            return module.into_module(engine);
-        }
-
        #[cfg(feature = "wat")]
        let bytes = wat::parse_bytes(bytes)?;
        Self::from_binary(engine, &bytes)
@@ -258,10 +250,10 @@ impl Module {
    /// data.
    ///
    /// This is similar to [`Module::new`] except that it requires that the
-    /// `binary` input is a WebAssembly binary or a compiled module, the
-    /// text format is not supported by this function. It's generally
-    /// recommended to use [`Module::new`], but if it's required to not
-    /// support the text format this function can be used instead.
+    /// `binary` input is a WebAssembly binary, the text format is not supported
+    /// by this function. It's generally recommended to use [`Module::new`], but
+    /// if it's required to not support the text format this function can be
+    /// used instead.
    ///
    /// # Examples
    ///
@@ -286,10 +278,6 @@ impl Module {
    /// # }
    /// ```
    pub fn from_binary(engine: &Engine, binary: &[u8]) -> Result<Module> {
-        if let Some(module) = SerializedModule::from_bytes(binary)? {
-            return module.into_module(engine);
-        }
-
        // Check to see that the config's target matches the host
        let target = engine.config().isa_flags.triple();
        if *target != target_lexicon::Triple::host() {
@@ -329,6 +317,49 @@ impl Module {
        Self::from_parts(engine, modules, main_module, Arc::new(types), &[])
    }

+    /// Deserializes an in-memory compiled module previously created with
+    /// [`Module::serialize`] or [`Engine::precompile_module`].
+    ///
+    /// This function will deserialize the binary blobs emitted by
+    /// [`Module::serialize`] and [`Engine::precompile_module`] back into an
+    /// in-memory [`Module`] that's ready to be instantiated.
+    ///
+    /// # Unsafety
+    ///
+    /// This function is marked as `unsafe` because if fed invalid input or used
+    /// improperly this could lead to memory safety vulnerabilities. This method
+    /// should not, for example, be exposed to arbitrary user input.
+    ///
+    /// The structure of the binary blob read here is only lightly validated
+    /// internally in `wasmtime`. This is intended to be an efficient
+    /// "rehydration" for a [`Module`] which has very few runtime checks beyond
+    /// deserialization. Arbitrary input could, for example, replace valid
+    /// compiled code with any other valid compiled code, meaning that this can
+    /// trivially be used to execute arbitrary code otherwise.
+    ///
+    /// For these reasons this function is `unsafe`. This function is only
+    /// designed to receive the previous input from [`Module::serialize`] and
+    /// [`Engine::precompile_module`]. If the exact output of those functions
+    /// (unmodified) is passed to this function then calls to this function can
+    /// be considered safe. It is the caller's responsibility to provide the
+    /// guarantee that only previously-serialized bytes are being passed in
+    /// here.
+    ///
+    /// Note that this function is designed to be safe receiving output from
+    /// *any* compiled version of `wasmtime` itself. This means that it is safe
+    /// to feed output from older versions of Wasmtime into this function, in
+    /// addition to newer versions of wasmtime (from the future!). These inputs
+    /// will deterministically and safely produce an `Err`. This function only
+    /// successfully accepts inputs from the same version of `wasmtime`, but the
+    /// safety guarantee only applies to externally-defined blobs of bytes, not
+    /// those defined by any version of wasmtime. (this means that if you cache
+    /// blobs across versions of wasmtime you can be safely guaranteed that
+    /// future versions of wasmtime will reject old cache entries).
+    pub unsafe fn deserialize(engine: &Engine, bytes: impl AsRef<[u8]>) -> Result<Module> {
+        let module = SerializedModule::from_bytes(bytes.as_ref())?;
+        module.into_module(engine)
+    }
+
    fn from_parts(
        engine: &Engine,
        mut modules: Vec<Arc<CompiledModule>>,
--- a/crates/wasmtime/src/module/serialization.rs
+++ b/crates/wasmtime/src/module/serialization.rs
@@ -329,9 +329,9 @@ impl<'a> SerializedModule<'a> {
        Ok(bytes)
    }

-    pub fn from_bytes(bytes: &[u8]) -> Result<Option<Self>> {
+    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        if !bytes.starts_with(HEADER) {
-            return Ok(None);
+            bail!("bytes are not a compatible serialized wasmtime module");
        }

        let bytes = &bytes[HEADER.len()..];
@@ -353,11 +353,9 @@ impl<'a> SerializedModule<'a> {
            );
        }

-        Ok(Some(
-            bincode_options()
-                .deserialize::<SerializedModule<'_>>(&bytes[1 + version_len..])
-                .context("deserialize compilation artifacts")?,
-        ))
+        Ok(bincode_options()
+            .deserialize::<SerializedModule<'_>>(&bytes[1 + version_len..])
+            .context("deserialize compilation artifacts")?)
    }

    fn check_triple(&self, isa: &dyn TargetIsa) -> Result<()> {