4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31104

GHSA ID

GHSA-jqwc-c49r-4w2x

EPSS Score

0.69728%

CWE

CWE-682

Published

6/29/2022

Updated

3/14/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31104

CVE-2022-31104: Miscompilation of `i8x16.swizzle` and `select` with v128 inputs

Impact

Wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were presented in the i8x16.swizzle and select WebAssembly instructions. The select instruction is only affected when the inputs are of v128 type. The correspondingly affected Cranelift instructions were swizzle and select.

The swizzle instruction lowering in Cranelift erroneously overwrote the mask input register which could corrupt a constant value, for example. This means that future uses of the same constant may see a different value than the constant itself.

The select instruction lowering in Cranelift wasn't correctly implemented for vector types that are 128-bits wide. When the condition was 0 the wrong instruction was used to move the correct input to the output of the instruction meaning that only the low 32 bits were moved and the upper 96 bits of the result were left as whatever the register previously contained (instead of the input being moved from). The select instruction worked correctly if the condition was nonzero, however.

This bug in Wasmtime's implementation of these instructions on x86_64 represents an incorrect implementation of the specified semantics of these instructions according to the WebAssembly specification. The impact of this is benign for hosts running WebAssembly but represents possible vulnerabilities within the execution of a guest program. For example a WebAssembly program could take unintended branches or materialize incorrect values internally which runs the risk of exposing the program itself to other related vulnerabilities which can occur from miscompilations.

Patches

We have released Wasmtime 0.38.1 and cranelift-codegen (and other associated cranelift crates) 0.85.1 which contain the corrected implementations of these two instructions in Cranelift.

Workarounds

If upgrading is not an option for you at this time, you can avoid the vulnerability by disabling the Wasm simd proposal

config.wasm_simd(false);

Additionally the bug is only present on x86_64 hosts. Other aarch64 hosts are not affected. Note that s390x hosts don't yet implement the simd proposal and are not affected.

References

For more information

If you have any questions or comments about this advisory:

Reach out to us on the Bytecode Alliance Zulip chat
Open an issue in the bytecodealliance/wasmtime repository

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31104

GHSA ID

GHSA-jqwc-c49r-4w2x

EPSS Score

0.69728%

CWE

CWE-682

Published

6/29/2022

Updated

3/14/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wasmtime	rust	< 0.38.1	0.38.1
cranelift-codegen	rust	< 0.85.1	0.85.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two distinct issues in Cranelift's x64 backend:

For swizzle: The implementation incorrectly modified the mask input register (originally a read-only value), violating register handling conventions. This matches the pattern shown in PR #4318 where input registers were improperly cast as writable.
For select: The XmmCmove instruction handling used OperandSize::Size32/Size64 instead of proper 128-bit handling, as shown in PR #4317. When condition was zero, this led to partial register moves (only low 32 bits) instead of full 128-bit moves. Both functions are explicitly referenced in the vulnerability description and their fixes directly address these specific code paths in the x64 instruction lowering logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W*smtim*'s impl*m*nt*tion o* t** [SIM* propos*l *or W***ss*m*ly](*ttps://*it*u*.*om/w***ss*m*ly/sim*) on x**_** *ont*in** two *istin*t *u*s in t** instru*tion low*rin*s impl*m*nt** in *r*n*li*t. T** **r**** impl*m*nt*tion o* t** sim* prop

Reasoning

T** vuln*r**ility st*ms *rom two *istin*t issu*s in *r*n*li*t's x** ***k*n*: *. *or swizzl*: T** impl*m*nt*tion in*orr**tly mo*i*i** t** m*sk input r**ist*r (ori*in*lly * r***-only v*lu*), viol*tin* r**ist*r **n*lin* *onv*ntions. T*is m*t***s t** p*t

4.8

Basic Information

Concerned about an active attack path?

CVE-2022-31104: Miscompilation of `i8x16.swizzle` and `select` with v128 inputs

Impact

Patches

Workarounds

References

For more information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI