Port fix for CVE-2022-23636 to main. (#3818)
* Port fix for `CVE-2022-23636` to `main`.

This commit ports the fix for `CVE-2022-23636` to `main`, but performs a refactoring that makes it unnecessary for the instance itself to track if it has been initialized; such a change was not targeted enough for a security patch. The pooling allocator will now only initialize an instance if all of its associated resource creation succeeds. If the resource creation fails, no instance is dropped as none was initialized. Also updates `RELEASES.md` to include the related patch releases.

* Add `Instance::new_at` to fully initialize an instance.

Added `Instance::new_at` to fully initialize an instance at a given address. This will hopefully prevent the possibility that an `Instance` structure doesn't have an initialized `VMContext` when it is dropped.
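The pattern the commit message describes (create every fallible resource first, write the pool slot only once all of them exist, so a failed allocation leaves nothing to drop) is sketched below as an added example. It is not Wasmtime's code: `Pool`, `Instance`, `create_memories` and the `DROPS` counter are hypothetical names constructed for illustration.

```rust
use std::mem::MaybeUninit;
use std::sync::atomic::{AtomicUsize, Ordering};

// Counts destructor runs so the effect is observable (constructed for this example).
static DROPS: AtomicUsize = AtomicUsize::new(0);
// Hypothetical stand-in for an instance that lives in a pre-allocated pool slot.
struct Instance { memories: Vec<Vec<u8>>, tables: Vec<Vec<u32>> }
impl Drop for Instance {
    fn drop(&mut self) { DROPS.fetch_add(1, Ordering::SeqCst); }
}
// Hypothetical fallible resource creation: fails when the request exceeds the limit.
fn create_memories(count: usize, limit: usize) -> Result<Vec<Vec<u8>>, String> {
    if count > limit { return Err(format!("{count} memories exceeds pool limit {limit}")); }
    Ok(vec![vec![0u8; 16]; count])
}
struct Pool { slots: Vec<MaybeUninit<Instance>>, live: Vec<bool> }
impl Pool {
    fn new(n: usize) -> Self {
        Pool { slots: (0..n).map(|_| MaybeUninit::uninit()).collect(), live: vec![false; n] }
    }
    // Build every resource first; the slot is written only after all have succeeded.
    fn allocate(&mut self, idx: usize, memories: usize) -> Result<(), String> {
        let mems = create_memories(memories, 1)?; // early return leaves the slot untouched
        let tables = vec![vec![0u32; 4]];
        self.slots[idx].write(Instance { memories: mems, tables });
        self.live[idx] = true;
        Ok(())
    }
    // Drops only slots that were fully written; a failed allocation is a no-op here.
    fn deallocate(&mut self, idx: usize) {
        if std::mem::replace(&mut self.live[idx], false) {
            // SAFETY: `live[idx]` was true, so the slot holds a fully built Instance.
            unsafe { self.slots[idx].assume_init_drop() };
        }
    }
    fn resource_count(&self, idx: usize) -> Option<usize> {
        if !self.live[idx] { return None; }
        // SAFETY: live slots are fully initialized.
        let inst = unsafe { self.slots[idx].assume_init_ref() };
        Some(inst.memories.len() + inst.tables.len())
    }
}
fn main() {
    let mut pool = Pool::new(1);
    println!("{:?}", pool.allocate(0, 5)); // resource creation fails
    pool.deallocate(0); // nothing was initialized, so nothing is dropped
    println!("drops: {}", DROPS.load(Ordering::SeqCst));
}
```

The `live` flag belongs to the pool, not to the instance, which mirrors the message's point that the instance itself no longer has to track whether it was initialized.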
20
RELEASES.md
@@ -2,6 +2,26 @@
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
## 0.34.1
|
||||
|
||||
Released 2022-02-16.
|
||||
|
||||
### Security Fixes
|
||||
|
||||
* [CVE-2022-23636](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-88xq-w8cq-xfg7):
|
||||
Fixed an invalid drop of a partially-initialized instance in the pooling instance
|
||||
allocator.
|
||||
|
||||
## 0.33.1
|
||||
|
||||
Released 2022-02-16.
|
||||
|
||||
### Security Fixes
|
||||
|
||||
* [CVE-2022-23636](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-88xq-w8cq-xfg7):
|
||||
Fixed an invalid drop of a partially-initialized instance in the pooling instance
|
||||
allocator.
|
||||
|
||||
## 0.34.0
|
||||
|
||||
Released 2022-02-07.
|
||||
|
||||
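Review bot: The new `## 0.34.1` and `## 0.33.1` sections are not followed by a horizontal rule, although the hunk's leading context shows one directly above `## 0.34.1`; if that rule is the file's divider between releases, add one after each new section so that 0.34.1, 0.33.1 and 0.34.0 are delimited the same way. `## 0.33.1` also sits between `## 0.34.1` and `## 0.34.0`, which follows release date (2022-02-16 ahead of 2022-02-07) but not version order, so it is worth confirming that date order is what the file intends. Finally, the two entries say only "Fixed an invalid drop of a partially-initialized instance in the pooling instance allocator"; a clause stating which configurations are affected would let a reader decide from the release notes alone whether the patch release applies to them.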