Move precompiled module detection into wasmtime (#5342)

* Treat `-` as an alias to `/dev/stdin` This applies to unix targets only, as Windows does not have an appropriate alternative. * Add tests for piped modules from stdin This applies to unix targets only, as Windows does not have an appropriate alternative. * Move precompiled module detection into wasmtime Previously, wasmtime-cli checked the module to be loaded is precompiled or not, by pre-opening the given file path to check if the "\x7FELF" header exists. This commit moves this branch into the `Module::from_trusted_file`, which is only invoked with `--allow-precompiled` flag on CLI. The initial motivation of the commit is, feeding a module to wasmtime from piped inputs, is blocked by the pre-opening of the module. The `Module::from_trusted_file`, assumes the --allow-precompiled flag so there is no piped inputs, happily mmap-ing the module to test if the header exists. If --allow-precompiled is not supplied, the existing `Module::from_file` will be used, without the additional header check as the precompiled modules are intentionally not allowed on piped inputs for security measures. One caveat of this approach is that the user may be confused if he or she tries to execute a precompiled module without --allow-precompiled, as wasmtime shows an 'input bytes aren't valid utf-8' error, not directly getting what's going wrong. So this commit includes a hack-ish workaround for this. Thanks to @jameysharp for suggesting this idea with a detailed guidance.
2022-12-02 02:13:39 +09:00
parent 37c3c5b1e0
commit ebb693aa18
4 changed files with 156 additions and 54 deletions
--- a/crates/wasmtime/src/engine.rs
+++ b/crates/wasmtime/src/engine.rs
@@ -600,7 +600,7 @@ impl Engine {
        self.load_code(MmapVec::from_slice(bytes)?, expected)
    }

-    /// Like `load_code_bytes`, but crates a mmap from a file on disk.
+    /// Like `load_code_bytes`, but creates a mmap from a file on disk.
    pub(crate) fn load_code_file(
        &self,
        path: &Path,
@@ -614,7 +614,7 @@ impl Engine {
        )
    }

-    fn load_code(&self, mmap: MmapVec, expected: ObjectKind) -> Result<Arc<CodeMemory>> {
+    pub(crate) fn load_code(&self, mmap: MmapVec, expected: ObjectKind) -> Result<Arc<CodeMemory>> {
        serialization::check_compatible(self, &mmap, expected)?;
        let mut code = CodeMemory::new(mmap)?;
        code.publish()?;
--- a/crates/wasmtime/src/module.rs
+++ b/crates/wasmtime/src/module.rs
@@ -332,8 +332,41 @@ impl Module {
        }
    }

-    /// Compiles a binary-encoded WebAssembly module to an artifact usable by
-    /// Wasmtime.
+    /// Creates a new WebAssembly `Module` from the contents of the given `file`
+    /// on disk, but with assumptions that the file is from a trusted source.
+    /// The file should be a binary- or text-format WebAssembly module, or a
+    /// precompiled artifact generated by the same version of Wasmtime.
+    ///
+    /// # Unsafety
+    ///
+    /// All of the reasons that [`deserialize`] is `unsafe` apply to this
+    /// function as well. Arbitrary data loaded from a file may trick Wasmtime
+    /// into arbitrary code execution since the contents of the file are not
+    /// validated to be a valid precompiled module.
+    ///
+    /// [`deserialize`]: Module::deserialize
+    ///
+    /// Additionally though this function is also `unsafe` because the file
+    /// referenced must remain unchanged and a valid precompiled module for the
+    /// entire lifetime of the [`Module`] returned. Any changes to the file on
+    /// disk may change future instantiations of the module to be incorrect.
+    /// This is because the file is mapped into memory and lazily loaded pages
+    /// reflect the current state of the file, not necessarily the origianl
+    /// state of the file.
+    #[cfg(compiler)]
+    #[cfg_attr(nightlydoc, doc(cfg(feature = "cranelift")))] // see build.rs
+    pub unsafe fn from_trusted_file(engine: &Engine, file: impl AsRef<Path>) -> Result<Module> {
+        let mmap = MmapVec::from_file(file.as_ref())?;
+        if &mmap[0..4] == b"\x7fELF" {
+            let code = engine.load_code(mmap, ObjectKind::Module)?;
+            return Module::from_parts(engine, code, None);
+        }
+
+        Module::new(engine, &*mmap)
+    }
+
+    /// Converts an input binary-encoded WebAssembly module to compilation
+    /// artifacts and type information.
    ///
    /// This is where compilation actually happens of WebAssembly modules and
    /// translation/parsing/validation of the binary input occurs. The binary