CVE-2022-31104: Miscompilation of `i8x16.swizzle` and `select` with v128 inputs

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.69728%
Published: 6/29/2022
Updated: 3/14/2024
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| wasmtime | rust | < 0.38.1 | 0.38.1 |
| cranelift-codegen | rust | < 0.85.1 | 0.85.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two distinct issues in Cranelift's x64 backend:

  1. For swizzle: The implementation incorrectly modified the mask input register (originally a read-only value), violating register-handling conventions. This matches the pattern shown in PR #4318, where input registers were improperly cast as writable.
  2. For select: The XmmCmove instruction handling used OperandSize::Size32/Size64 instead of proper 128-bit handling, as shown in PR #4317. When the condition was zero, this led to a partial register move (only the low 32 bits) instead of a full 128-bit move.

Both functions are explicitly referenced in the vulnerability description, and their fixes directly address these specific code paths in the x64 instruction lowering logic.
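The `select` failure mode from item 2, as an added Rust model (not Cranelift's code and not taken from the linked PRs). `MoveWidth`, `select_lowered`, the `stale` parameter standing in for the destination register's prior contents, and the constructed `CASES` are assumptions made for illustration; the differential check shows why test vectors that fit in the low 32 bits do not reveal a partial move.

```rust
// Toy model of a v128 `select` lowering with a too-narrow conditional move.
#[derive(Clone, Copy, Debug, PartialEq)]
enum MoveWidth { Bits32, Bits64, Bits128 }

/// Copy `src` into `dst`, touching only the low `width` bits of `dst`.
fn partial_move(dst: u128, src: u128, width: MoveWidth) -> u128 {
    let mask: u128 = match width {
        MoveWidth::Bits32 => u32::MAX as u128,
        MoveWidth::Bits64 => u64::MAX as u128,
        MoveWidth::Bits128 => u128::MAX,
    };
    (dst & !mask) | (src & mask)
}

/// Reference semantics of WebAssembly `select` on v128 operands.
fn select_reference(cond: u32, if_true: u128, if_false: u128) -> u128 {
    if cond != 0 { if_true } else { if_false }
}

/// Modelled lowering: the destination register holds `stale` (assumed prior
/// contents); on cond == 0 the result is moved in with the given width.
fn select_lowered(cond: u32, if_true: u128, if_false: u128, stale: u128, width: MoveWidth) -> u128 {
    if cond != 0 { if_true } else { partial_move(stale, if_false, width) }
}

/// Differential check: indices of cases where the lowering and reference disagree.
fn mismatches(width: MoveWidth, cases: &[(u32, u128, u128, u128)]) -> Vec<usize> {
    cases.iter().enumerate()
        .filter(|&(_, &(c, t, f, s))| select_lowered(c, t, f, s, width) != select_reference(c, t, f))
        .map(|(i, _)| i)
        .collect()
}

// Constructed test vectors: (cond, if_true, if_false, stale destination contents).
const CASES: [(u32, u128, u128, u128); 4] = [
    (1, 0x1111, 0x2222, 0),                                 // cond != 0: unaffected
    (0, 7, 1, 0),                                           // small values, clean dst: bug invisible
    (0, 7, 0xAAAA_AAAA_0000_0000_0000_0000_0000_0001, 0),   // upper lanes of if_false are lost
    (0, 7, 1, 0xDEAD_BEEF_u128 << 96),                      // stale upper bits leak into the result
];

fn main() {
    for w in [MoveWidth::Bits32, MoveWidth::Bits64, MoveWidth::Bits128] {
        println!("{:?}: mismatching cases {:?}", w, mismatches(w, &CASES));
    }
}
```

A regression suite for this class of bug needs vectors like cases 2 and 3, where the upper lanes of the operand or of the destination register are non-zero.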

### Impact

Wasmtime's implementation of the [SIMD proposal for WebAssembly](https://github.com/webassembly/simd) on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd prop
