Fix a use-after-free of trampoline code #2408
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alexcrichton
force-pushed
the
fix-use-after-free-trampoline
branch
from
4610d54
to
4c062b7
Compare
This commit removes the global variable associated with wasm traps which stores frame information. The only purpose of this global is to help symbolicate `Trap`s created since we support creating a `Trap` without a `Store`. The global, however, is only used for wasm frames on the stack, and when wasm frames are on the stack we know that our thread local for "what was the last context" is set and configured. The change here is to hijack this thread-local some more to effectively store the `Store` inside of it. All frame information is then moved directly into `Store` and no longer lives off on the side in a global. Additionally support for registering/unregistering modules is now simplified because once a module is registered with a store it can never be unregistered. This has one slight functional change where if there are two instances of `Store` interleaving calls to wasm code on the stack we'll only be able to symbolicate one of them instead of both. That's arguably also a feature however because this is sort of a way to leak information across stores right now. Otherwise, though, this isn't intended to change any existing logic, but instead keep everything working as-is.
This commit fixes an issue with wasmtime where it was possible for a trampoline from one module to get used for another module after it was freed. This issue arises because we register a module's native trampolines *before* it's fully instantiated, which is a fallible process. Some fallibility is predictable, such as import type mismatches, but other fallibility is less predictable, such as failure to allocate a linear memory. The problem happened when a module was registered with a `Store`, retaining information about its trampolines, but then instantiation failed and the module's code was never persisted within the `Store`. Unlike as documented in bytecodealliance#2374 the `Module` inside an `Instance` is not the primary way to hold on to a module's code, but rather the `Arc<ModuleCode>` is persisted within the global frame information off on the side. This persistence only made its way into the store through the `Box<Any>` field of `InstanceHandle`, but that's never made if instantiation fails during import matching. The fix here is to build on the refactoring of bytecodealliance#2407 to not store module code in frame information but rather explicitly in the `Store`. Registration is now deferred until just-before an instance handle is created, and during module registration we insert the `Arc<ModuleCode>` into a set stored within the `Store`.
alexcrichton
force-pushed
the
fix-use-after-free-trampoline
branch
from
4c062b7
to
f4c3622
Compare
github-actions
bot
added
the
wasmtime:api
Subscribe to Label Actioncc @peterhuene
This issue or pull request has been labeled: "wasmtime:api"
Thus the following users have been cc'd because of the following labels:
To subscribe or unsubscribe from this label, edit the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes an issue with wasmtime where it was possible for a
trampoline from one module to get used for another module after it was
freed. This issue arises because we register a module's native
trampolines before it's fully instantiated, which is a fallible
process. Some fallibility is predictable, such as import type
mismatches, but other fallibility is less predictable, such as failure
to allocate a linear memory.
The problem happened when a module was registered with a
Store,retaining information about its trampolines, but then instantiation
failed and the module's code was never persisted within the
Store.Unlike as documented in #2374 the
Moduleinside anInstanceis notthe primary way to hold on to a module's code, but rather the
Arc<ModuleCode>is persisted within the global frame information offon the side. This persistence only made its way into the store through
the
Box<Any>field ofInstanceHandle, but that's never made ifinstantiation fails during import matching.
The fix here is to build on the refactoring of #2407 to not store module
code in frame information but rather explicitly in the
Store.Registration is now deferred until just-before an instance handle is
created, and during module registration we insert the
Arc<ModuleCode>into a set stored within the
Store.