Merge pull request from GHSA-hpqh-2wqx-7qp5
Fix spillslot reload of narrow values: zero-extend, don't sign-extend. Release v0.74.0 as security-patch release.
cfallin authored May 21, 2021
2 parents 0f5bdc6 + 8845500 commit 95559c0
Showing 60 changed files with 372 additions and 264 deletions.
102 changes: 51 additions & 51 deletions Cargo.lock

Large diffs are not rendered by default.

22 changes: 11 additions & 11 deletions Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "wasmtime-cli"
version = "0.26.0"
version = "0.27.0"
authors = ["The Wasmtime Project Developers"]
description = "Command-line interface for Wasmtime"
license = "Apache-2.0 WITH LLVM-exception"
@@ -22,16 +22,16 @@ doc = false

[dependencies]
# Enable all supported architectures by default.
wasmtime = { path = "crates/wasmtime", version = "0.26.0", default-features = false, features = ['cache'] }
wasmtime-cache = { path = "crates/cache", version = "0.26.0" }
wasmtime-debug = { path = "crates/debug", version = "0.26.0" }
wasmtime-environ = { path = "crates/environ", version = "0.26.0" }
wasmtime-jit = { path = "crates/jit", version = "0.26.0" }
wasmtime-obj = { path = "crates/obj", version = "0.26.0" }
wasmtime-wast = { path = "crates/wast", version = "0.26.0" }
wasmtime-wasi = { path = "crates/wasi", version = "0.26.0" }
wasmtime-wasi-crypto = { path = "crates/wasi-crypto", version = "0.26.0", optional = true }
wasmtime-wasi-nn = { path = "crates/wasi-nn", version = "0.26.0", optional = true }
wasmtime = { path = "crates/wasmtime", version = "0.27.0", default-features = false, features = ['cache'] }
wasmtime-cache = { path = "crates/cache", version = "0.27.0" }
wasmtime-debug = { path = "crates/debug", version = "0.27.0" }
wasmtime-environ = { path = "crates/environ", version = "0.27.0" }
wasmtime-jit = { path = "crates/jit", version = "0.27.0" }
wasmtime-obj = { path = "crates/obj", version = "0.27.0" }
wasmtime-wast = { path = "crates/wast", version = "0.27.0" }
wasmtime-wasi = { path = "crates/wasi", version = "0.27.0" }
wasmtime-wasi-crypto = { path = "crates/wasi-crypto", version = "0.27.0", optional = true }
wasmtime-wasi-nn = { path = "crates/wasi-nn", version = "0.27.0", optional = true }
structopt = { version = "0.3.5", features = ["color", "suggestions"] }
object = { version = "0.24.0", default-features = false, features = ["write"] }
anyhow = "1.0.19"
69 changes: 69 additions & 0 deletions RELEASES.md
@@ -4,19 +4,88 @@

## Unreleased

## 0.27.0

Released 2021-05-21.

### Security Fixes

* Fixed a security issue in Cranelift's x64 backend that could result in a heap
sandbox escape due to an incorrect sign-extension:
[#2913](https://github.com/bytecodealliance/wasmtime/issues/2913).

### Added

* Support for IBM z/Archiecture (`s390x`) machines in Cranelift and Wasmtime:
[#2836](https://github.com/bytecodealliance/wasmtime/pull/2836),
[#2837](https://github.com/bytecodealliance/wasmtime/pull/2837),
[#2838](https://github.com/bytecodealliance/wasmtime/pull/2838),
[#2843](https://github.com/bytecodealliance/wasmtime/pull/2843),
[#2854](https://github.com/bytecodealliance/wasmtime/pull/2854),
[#2870](https://github.com/bytecodealliance/wasmtime/pull/2870),
[#2871](https://github.com/bytecodealliance/wasmtime/pull/2871),
[#2872](https://github.com/bytecodealliance/wasmtime/pull/2872),
[#2874](https://github.com/bytecodealliance/wasmtime/pull/2874).

* Improved async support in wasi-common runtime:
[#2832](https://github.com/bytecodealliance/wasmtime/pull/2832).

* Added `Store::with_limits`, `StoreLimits`, and `ResourceLimiter` to the
Wasmtime API to help with enforcing resource limits at runtime. The
`ResourceLimiter` trait can be implemented by custom resource limiters to
decide if linear memories or tables can be grown.

* Added `allow-unknown-exports` option for the run command:
[#2879](https://github.com/bytecodealliance/wasmtime/pull/2879).

* Added API to notify that a `Store` has moved to a new thread:
[#2822](https://github.com/bytecodealliance/wasmtime/pull/2822).

* Documented guidance around using Wasmtime in multithreaded contexts:
[#2812](https://github.com/bytecodealliance/wasmtime/pull/2812).
In the future, the Wasmtime API will change to allow some of its core types
to be Send/Sync; see the in-progress
[#2897](https://github.com/bytecodealliance/wasmtime/pull/2897) for details.

* Support calls from native code to multiple-return-value functions:
[#2806](https://github.com/bytecodealliance/wasmtime/pull/2806).

### Changed

* Breaking: `Memory::new` has been changed to return `Result` as creating a
host memory object is now a fallible operation when the initial size of
the memory exceeds the store limits.

### Fixed

* Many instruction selection improvements on x64 and aarch64:
[#2819](https://github.com/bytecodealliance/wasmtime/pull/2819),
[#2828](https://github.com/bytecodealliance/wasmtime/pull/2828),
[#2823](https://github.com/bytecodealliance/wasmtime/pull/2823),
[#2862](https://github.com/bytecodealliance/wasmtime/pull/2862),
[#2886](https://github.com/bytecodealliance/wasmtime/pull/2886),
[#2889](https://github.com/bytecodealliance/wasmtime/pull/2889),
[#2905](https://github.com/bytecodealliance/wasmtime/pull/2905).

* Improved performance of Wasmtime runtime substantially:
[#2811](https://github.com/bytecodealliance/wasmtime/pull/2811),
[#2818](https://github.com/bytecodealliance/wasmtime/pull/2818),
[#2821](https://github.com/bytecodealliance/wasmtime/pull/2821),
[#2847](https://github.com/bytecodealliance/wasmtime/pull/2847),
[#2900](https://github.com/bytecodealliance/wasmtime/pull/2900).

* Fixed WASI issue with file metadata on Windows:
[#2884](https://github.com/bytecodealliance/wasmtime/pull/2884).

* Fixed an issue with debug info and an underflowing (trapping) offset:
[#2866](https://github.com/bytecodealliance/wasmtime/pull/2866).

* Fixed an issue with unwind information in the old x86 backend:
[#2845](https://github.com/bytecodealliance/wasmtime/pull/2845).

* Fixed i32 spilling in x64 backend:
[#2840](https://github.com/bytecodealliance/wasmtime/pull/2840).

## 0.26.0

Released 2021-04-05.
28 changes: 14 additions & 14 deletions cranelift/Cargo.toml
@@ -15,27 +15,27 @@ path = "src/clif-util.rs"

[dependencies]
cfg-if = "1.0"
cranelift-codegen = { path = "codegen", version = "0.73.0" }
cranelift-entity = { path = "entity", version = "0.73.0" }
cranelift-interpreter = { path = "interpreter", version = "0.73.0" }
cranelift-reader = { path = "reader", version = "0.73.0" }
cranelift-frontend = { path = "frontend", version = "0.73.0" }
cranelift-serde = { path = "serde", version = "0.73.0", optional = true }
cranelift-wasm = { path = "wasm", version = "0.73.0", optional = true }
cranelift-native = { path = "native", version = "0.73.0" }
cranelift-codegen = { path = "codegen", version = "0.74.0" }
cranelift-entity = { path = "entity", version = "0.74.0" }
cranelift-interpreter = { path = "interpreter", version = "0.74.0" }
cranelift-reader = { path = "reader", version = "0.74.0" }
cranelift-frontend = { path = "frontend", version = "0.74.0" }
cranelift-serde = { path = "serde", version = "0.74.0", optional = true }
cranelift-wasm = { path = "wasm", version = "0.74.0", optional = true }
cranelift-native = { path = "native", version = "0.74.0" }
cranelift-filetests = { path = "filetests", version = "0.73.0" }
cranelift-module = { path = "module", version = "0.73.0" }
cranelift-object = { path = "object", version = "0.73.0" }
cranelift-jit = { path = "jit", version = "0.73.0" }
cranelift-preopt = { path = "preopt", version = "0.73.0" }
cranelift = { path = "umbrella", version = "0.73.0" }
cranelift-module = { path = "module", version = "0.74.0" }
cranelift-object = { path = "object", version = "0.74.0" }
cranelift-jit = { path = "jit", version = "0.74.0" }
cranelift-preopt = { path = "preopt", version = "0.74.0" }
cranelift = { path = "umbrella", version = "0.74.0" }
filecheck = "0.5.0"
log = "0.4.8"
termcolor = "1.1.2"
capstone = { version = "0.7.0", optional = true }
wat = { version = "1.0.36", optional = true }
target-lexicon = { version = "0.12", features = ["std"] }
peepmatic-souper = { path = "./peepmatic/crates/souper", version = "0.73.0", optional = true }
peepmatic-souper = { path = "./peepmatic/crates/souper", version = "0.74.0", optional = true }
pretty_env_logger = "0.4.0"
rayon = { version = "1", optional = true }
file-per-thread-logger = "0.1.2"
4 changes: 2 additions & 2 deletions cranelift/bforest/Cargo.toml
@@ -1,7 +1,7 @@
[package]
authors = ["The Cranelift Project Developers"]
name = "cranelift-bforest"
version = "0.73.0"
version = "0.74.0"
description = "A forest of B+-trees"
license = "Apache-2.0 WITH LLVM-exception"
documentation = "https://docs.rs/cranelift-bforest"
@@ -12,7 +12,7 @@ keywords = ["btree", "forest", "set", "map"]
edition = "2018"

[dependencies]
cranelift-entity = { path = "../entity", version = "0.73.0", default-features = false }
cranelift-entity = { path = "../entity", version = "0.74.0", default-features = false }

[badges]
maintenance = { status = "experimental" }
16 changes: 8 additions & 8 deletions cranelift/codegen/Cargo.toml
@@ -1,7 +1,7 @@
[package]
authors = ["The Cranelift Project Developers"]
name = "cranelift-codegen"
version = "0.73.0"
version = "0.74.0"
description = "Low-level code generator library"
license = "Apache-2.0 WITH LLVM-exception"
documentation = "https://docs.rs/cranelift-codegen"
@@ -13,19 +13,19 @@ build = "build.rs"
edition = "2018"

[dependencies]
cranelift-codegen-shared = { path = "./shared", version = "0.73.0" }
cranelift-entity = { path = "../entity", version = "0.73.0" }
cranelift-bforest = { path = "../bforest", version = "0.73.0" }
cranelift-codegen-shared = { path = "./shared", version = "0.74.0" }
cranelift-entity = { path = "../entity", version = "0.74.0" }
cranelift-bforest = { path = "../bforest", version = "0.74.0" }
hashbrown = { version = "0.9.1", optional = true }
target-lexicon = "0.12"
log = { version = "0.4.6", default-features = false }
serde = { version = "1.0.94", features = ["derive"], optional = true }
bincode = { version = "1.2.1", optional = true }
gimli = { version = "0.24.0", default-features = false, features = ["write"], optional = true }
smallvec = { version = "1.6.1" }
peepmatic = { path = "../peepmatic", optional = true, version = "0.73.0" }
peepmatic-traits = { path = "../peepmatic/crates/traits", optional = true, version = "0.73.0" }
peepmatic-runtime = { path = "../peepmatic/crates/runtime", optional = true, version = "0.73.0" }
peepmatic = { path = "../peepmatic", optional = true, version = "0.74.0" }
peepmatic-traits = { path = "../peepmatic/crates/traits", optional = true, version = "0.74.0" }
peepmatic-runtime = { path = "../peepmatic/crates/runtime", optional = true, version = "0.74.0" }
regalloc = { version = "0.0.31" }
souper-ir = { version = "2.1.0", optional = true }
wast = { version = "35.0.0", optional = true }
@@ -38,7 +38,7 @@ wast = { version = "35.0.0", optional = true }
criterion = "0.3"

[build-dependencies]
cranelift-codegen-meta = { path = "meta", version = "0.73.0" }
cranelift-codegen-meta = { path = "meta", version = "0.74.0" }

[features]
default = ["std", "unwind"]
6 changes: 3 additions & 3 deletions cranelift/codegen/meta/Cargo.toml
@@ -1,7 +1,7 @@
[package]
name = "cranelift-codegen-meta"
authors = ["The Cranelift Project Developers"]
version = "0.73.0"
version = "0.74.0"
description = "Metaprogram for cranelift-codegen code generator library"
license = "Apache-2.0 WITH LLVM-exception"
repository = "https://github.com/bytecodealliance/wasmtime"
@@ -13,8 +13,8 @@ edition = "2018"
# rustdoc-args = [ "--document-private-items" ]

[dependencies]
cranelift-codegen-shared = { path = "../shared", version = "0.73.0" }
cranelift-entity = { path = "../../entity", version = "0.73.0" }
cranelift-codegen-shared = { path = "../shared", version = "0.74.0" }
cranelift-entity = { path = "../../entity", version = "0.74.0" }

[badges]
maintenance = { status = "experimental" }
2 changes: 1 addition & 1 deletion cranelift/codegen/shared/Cargo.toml
@@ -1,7 +1,7 @@
[package]
authors = ["The Cranelift Project Developers"]
name = "cranelift-codegen-shared"
version = "0.73.0"
version = "0.74.0"
description = "For code shared between cranelift-codegen-meta and cranelift-codegen"
license = "Apache-2.0 WITH LLVM-exception"
repository = "https://github.com/bytecodealliance/wasmtime"
12 changes: 6 additions & 6 deletions cranelift/codegen/src/isa/x64/abi.rs
@@ -317,19 +317,19 @@ impl ABIMachineSpec for X64ABIMachineSpec {
}

fn gen_load_stack(mem: StackAMode, into_reg: Writable<Reg>, ty: Type) -> Self::I {
let ext_kind = match ty {
// For integer-typed values, we always load a full 64 bits (and we always spill a full 64
// bits as well -- see `Inst::store()`).
let ty = match ty {
types::B1
| types::B8
| types::I8
| types::B16
| types::I16
| types::B32
| types::I32 => ExtKind::SignExtend,
types::B64 | types::I64 | types::R64 | types::F32 | types::F64 => ExtKind::None,
_ if ty.bytes() == 16 => ExtKind::None,
_ => panic!("load_stack({})", ty),
| types::I32 => types::I64,
_ => ty,
};
Inst::load(ty, mem, into_reg, ext_kind)
Inst::load(ty, mem, into_reg, ExtKind::None)
}

fn gen_store_stack(mem: StackAMode, from_reg: Reg, ty: Type) -> Self::I {
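Review bot: The rewritten match in gen_load_stack ends in `_ => ty`, so the old `panic!("load_stack({})", ty)` guard is gone and any unsupported type now flows straight into `Inst::load`; whether `Inst::load` rejects such types is not visible here. Keeping the previous explicit arms would preserve the fail-loud behaviour: `types::B64 | types::I64 | types::R64 | types::F32 | types::F64 => ty,` then `_ if ty.bytes() == 16 => ty,` then `_ => panic!("load_stack({})", ty),`. The fix is also only sound while every narrow integer is spilled as a full 64 bits, which the new comment states but nothing enforces. gen_store_stack begins on the last line of this section and its body is outside the view, so a matching comment there, such as `// Integer types must be stored as a full 64 bits: gen_load_stack reloads 64 bits unconditionally.`, would keep the pair from drifting apart.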
1 change: 1 addition & 0 deletions cranelift/codegen/src/isa/x64/inst/args.rs
@@ -1038,6 +1038,7 @@ impl fmt::Display for Avx512Opcode {
/// This defines the ways a value can be extended: either signed- or zero-extension, or none for
/// types that are not extended. Contrast with [ExtMode], which defines the widths from and to which
/// values can be extended.
#[allow(dead_code)]
#[derive(Clone, PartialEq)]
pub enum ExtKind {
None,
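Review bot: The new `#[allow(dead_code)]` on `ExtKind` silences the warning for the whole enum without saying why. Presumably some variants are no longer constructed now that gen_load_stack always passes `ExtKind::None`, but that is inferred, since the enum body continues outside this hunk. A one-line comment above the attribute, e.g. `// Some variants are unused since stack reloads always use ExtKind::None; see gen_load_stack.`, or removing the unused variants, would stop the attribute from masking genuinely dead code later.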
2 changes: 1 addition & 1 deletion cranelift/entity/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[package]
authors = ["The Cranelift Project Developers"]
name = "cranelift-entity"
version = "0.73.0"
version = "0.74.0"
description = "Data structures using entity references as mapping keys"
license = "Apache-2.0 WITH LLVM-exception"
documentation = "https://docs.rs/cranelift-entity"
12 changes: 6 additions & 6 deletions cranelift/filetests/Cargo.toml
@@ -10,12 +10,12 @@ publish = false
edition = "2018"

[dependencies]
cranelift-codegen = { path = "../codegen", version = "0.73.0", features = ["testing_hooks"] }
cranelift-frontend = { path = "../frontend", version = "0.73.0" }
cranelift-interpreter = { path = "../interpreter", version = "0.73.0" }
cranelift-native = { path = "../native", version = "0.73.0" }
cranelift-reader = { path = "../reader", version = "0.73.0" }
cranelift-preopt = { path = "../preopt", version = "0.73.0" }
cranelift-codegen = { path = "../codegen", version = "0.74.0", features = ["testing_hooks"] }
cranelift-frontend = { path = "../frontend", version = "0.74.0" }
cranelift-interpreter = { path = "../interpreter", version = "0.74.0" }
cranelift-native = { path = "../native", version = "0.74.0" }
cranelift-reader = { path = "../reader", version = "0.74.0" }
cranelift-preopt = { path = "../preopt", version = "0.74.0" }
file-per-thread-logger = "0.1.2"
filecheck = "0.5.0"
gimli = { version = "0.24.0", default-features = false, features = ["read"] }
6 changes: 3 additions & 3 deletions cranelift/filetests/filetests/isa/x64/call-conv.clif
@@ -102,7 +102,7 @@ block0(
; nextln: movq %r8, %r11
; nextln: movq %r9, %r12
; nextln: movq 16(%rbp), %r13
; nextln: movslq 24(%rbp), %r14
; nextln: movq 24(%rbp), %r14
; nextln: movss 32(%rbp), %xmm8
; nextln: movsd 40(%rbp), %xmm9
; nextln: subq $$144, %rsp
@@ -236,7 +236,7 @@ block0:
; nextln: virtual_sp_offset_adjust 16
; nextln: lea 0(%rsp), %rdi
; nextln: call *%rsi
; nextln: movslq 0(%rsp), %rsi
; nextln: movq 0(%rsp), %rsi
; nextln: addq $$16, %rsp
; nextln: virtual_sp_offset_adjust -16
; nextln: movq %rsi, %rdx
@@ -282,7 +282,7 @@ block0:
; nextln: virtual_sp_offset_adjust 16
; nextln: lea 0(%rsp), %rdi
; nextln: call *%rsi
; nextln: movslq 0(%rsp), %rsi
; nextln: movq 0(%rsp), %rsi
; nextln: addq $$16, %rsp
; nextln: virtual_sp_offset_adjust -16
; nextln: movq %rdx, 0(%r12)
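Review bot: These expectation changes show that the widened 64-bit load is not limited to register-allocator reloads: it now also applies to a stack-passed argument at `24(%rbp)` and to return-area reads at `0(%rsp)`, both of which were `movslq` before and so presumably hold 32-bit values. For those loads the upper 32 bits are whatever the other side of the call left in the slot, and the 8-byte read has to stay inside the slot; both are probably fine if every such slot is 8 bytes wide, but that is not visible on this page. A plain comment next to one of the changed lines, e.g. `; i32 stack values are loaded as a full 64-bit slot; upper bits are unspecified`, would record the assumption the test now encodes.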
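--- a/cranelift/filetests/filetests/isa/x64/spill-reload.clif
+++ b/cranelift/filetests/filetests/isa/x64/spill-reload.clif
@@ -0,0 +1,38 @@
+test run
+target x86_64
+feature "experimental_x64"
+
+function %f(i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32) -> i64 {
+block0(v0: i32, v1: i32, v2: i32, v3: i32, v4: i32, v5: i32, v6: i32, v7: i32, v8: i32, v9: i32, v10: i32, v11: i32, v12: i32, v13: i32, v14: i32, v15: i32, v16: i32, v17: i32, v18: i32, v19: i32):
+v20 = iadd.i32 v0, v1
+v21 = iadd.i32 v2, v3
+v22 = iadd.i32 v4, v5
+v23 = iadd.i32 v6, v7
+v24 = iadd.i32 v8, v9
+v25 = iadd.i32 v10, v11
+v26 = iadd.i32 v12, v13
+v27 = iadd.i32 v14, v15
+v28 = iadd.i32 v16, v17
+v29 = iadd.i32 v18, v19
+
+v30 = iadd.i32 v20, v21
+v31 = iadd.i32 v22, v23
+v32 = iadd.i32 v24, v25
+v33 = iadd.i32 v26, v27
+v34 = iadd.i32 v28, v29
+
+v35 = iadd.i32 v30, v31
+v36 = iadd.i32 v32, v33
+v37 = iadd.i32 v35, v34
+v38 = iadd.i32 v36, v37
+;; v38 should be zero (due to wrapping).
+
+v39 = iconst.i64 1
+v40 = uextend.i64 v0 ;; should be reloaded from a spillslot
+v41 = uextend.i64 v38
+v42 = iadd.i64 v39, v40
+v43 = iadd.i64 v42, v41
+return v43
+}
+
+; run: %f(0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000) == 0x80000001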
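Review bot: This test guards the fix only while register allocation happens to spill v0, and nothing in the file checks that; the `;; should be reloaded from a spillslot` remark on the `uextend.i64 v0` line is an expectation, not an assertion. If a later allocator or ABI change keeps v0 in a register, `test run` still passes and the regression coverage for this sandbox-relevant bug is silently lost. Consider pairing it with a `test compile` filecheck that pins the reload, or at least a header comment such as `;; Regression test for GHSA-hpqh-2wqx-7qp5: relies on v0 being spilled; re-verify if regalloc changes.` The test also exercises only i32, while the change in gen_load_stack widens B1, B8, I8, B16, I16 and B32 as well.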