Port fix for CVE-2022-23636 to main. (#3818)

* Port fix for `CVE-2022-23636` to `main`. This commit ports the fix for `CVE-2022-23636` to `main`, but performs a refactoring that makes it unnecessary for the instance itself to track if it has been initialized; such a change was not targeted enough for a security patch. The pooling allocator will now only initialize an instance if all of its associated resource creation succeeds. If the resource creation fails, no instance is dropped as none was initialized. Also updates `RELEASES.md` to include the related patch releases. * Add `Instance::new_at` to fully initialize an instance. Added `Instance::new_at` to fully initialize an instance at a given address. This will hopefully prevent the possibility that an `Instance` structure doesn't have an initialized `VMContext` when it is dropped.
2022-02-16 15:51:14 -08:00
parent 96e32e98f8
commit ef17a36852
5 changed files with 449 additions and 356 deletions
--- a/tests/all/pooling_allocator.rs
+++ b/tests/all/pooling_allocator.rs
@@ -548,3 +548,61 @@ fn multi_memory_with_imported_memories() -> Result<()> {

    Ok(())
 }
+
+#[test]
+fn drop_externref_global_during_module_init() -> Result<()> {
+    struct Limiter;
+
+    impl ResourceLimiter for Limiter {
+        fn memory_growing(&mut self, _: usize, _: usize, _: Option<usize>) -> bool {
+            false
+        }
+
+        fn table_growing(&mut self, _: u32, _: u32, _: Option<u32>) -> bool {
+            false
+        }
+    }
+
+    let mut config = Config::new();
+    config.wasm_reference_types(true);
+    config.allocation_strategy(InstanceAllocationStrategy::Pooling {
+        strategy: PoolingAllocationStrategy::NextAvailable,
+        module_limits: Default::default(),
+        instance_limits: InstanceLimits { count: 1 },
+    });
+
+    let engine = Engine::new(&config)?;
+
+    let module = Module::new(
+        &engine,
+        r#"
+            (module
+                (global i32 (i32.const 1))
+                (global i32 (i32.const 2))
+                (global i32 (i32.const 3))
+                (global i32 (i32.const 4))
+                (global i32 (i32.const 5))
+            )
+        "#,
+    )?;
+
+    let mut store = Store::new(&engine, Limiter);
+    drop(Instance::new(&mut store, &module, &[])?);
+    drop(store);
+
+    let module = Module::new(
+        &engine,
+        r#"
+            (module
+                (memory 1)
+                (global (mut externref) (ref.null extern))
+            )
+        "#,
+    )?;
+
+    let mut store = Store::new(&engine, Limiter);
+    store.limiter(|s| s);
+    assert!(Instance::new(&mut store, &module, &[]).is_err());
+
+    Ok(())
+}