Stellar Foundation has identified an out-of-bounds bug in Wasmi and reached out to the Parity AppSec team to report it. Please find the details below.
Affected System: Wasmi
Vulnerability Type: Design Flaw
Severity: Critical
Version(s) Affected: < 0.31.1
Discovery Method: Direct Security Communication
Impact
The bug causes an out of bounds buffer write when calling or resuming a Wasm function with more than 128 parameters from the host side.
Remediation/Mitigation
A patched version has already been published here.
This is important for:
- Users of `wasmi` that use functions with more than 128 parameters, and call those Wasm functions from their own host side. This is a very unlikely scenario since functions with such a high number of parameters are rather rare.
- Users of `wasmi` that allow external users to call Wasm functions with more than 128 parameters from the host side. This is a serious attack vector that is enabled by this vulnerability and which this fix closes.
- Special note: Users of `pallet_contracts`, such as Polkadot, are not affected by this vulnerability since host to Wasm function calls with more than 128 parameters are not possible.
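For hosts in the second group, the following added example (not part of the advisory and not wasmi code) reads a module's type section and reports whether any declared function type has more than 128 parameters, so such modules can be identified before host-side calls are allowed. The function names are hypothetical, the parser assumes the core Wasm binary format with one-byte value types, and it is deliberately conservative: it flags any declared function type, not only those reachable from the host, and treats unparsable input as needing review.

```rust
// Added example, not wasmi code. The limit is the advisory's stated threshold.
const PARAM_LIMIT: u32 = 128;

fn read_u32(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let mut value = 0u32;
    for shift in (0..35).step_by(7) {
        let byte = *buf.get(*pos)?;
        *pos += 1;
        value |= u32::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 { return Some(value); }
    }
    None // longer than 5 bytes: not a valid LEB128 u32
}

/// Largest parameter count over all function types; None if unparsable.
fn max_params(wasm: &[u8]) -> Option<u32> {
    if wasm.get(..4)? != b"\0asm" || wasm.len() < 8 { return None; }
    let (mut pos, mut max) = (8usize, 0u32); // skip magic and version
    while pos < wasm.len() {
        let (id, mut p) = (wasm[pos], pos + 1);
        let size = read_u32(wasm, &mut p)? as usize;
        pos = p.checked_add(size).filter(|&end| end <= wasm.len())?;
        let count = if id == 1 { read_u32(wasm, &mut p)? } else { 0 }; // 1 = type section
        for _ in 0..count {
            if *wasm.get(p)? != 0x60 { return None; } // not a plain function type
            p += 1;
            let params = read_u32(wasm, &mut p)?;
            max = max.max(params);
            p += params as usize; // assumes one-byte value types
            let results = read_u32(wasm, &mut p)?;
            p += results as usize;
        }
        if p > pos { return None; } // type entries ran past their section
    }
    Some(max)
}

// Fail closed: an unparsable module is treated the same as an oversized one.
fn needs_review(wasm: &[u8]) -> bool { max_params(wasm).map_or(true, |n| n > PARAM_LIMIT) }

// Constructed sample: a module whose only type is (i32 x n) -> (), n < 16000.
fn sample_module(n: usize) -> Vec<u8> {
    let leb2 = |v: usize| [(v & 0x7f) as u8 | 0x80, (v >> 7) as u8]; // padded LEB128
    let body = [&[1u8, 0x60][..], &leb2(n)[..], &vec![0x7f; n][..], &[0u8][..]].concat();
    [&b"\0asm\x01\0\0\0\x01"[..], &leb2(body.len())[..], &body[..]].concat()
}

fn main() {
    for n in [128, 129] { println!("{} params: review = {}", n, needs_review(&sample_module(n))); }
}
```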
Team Involved
Stellar Foundation’s Engineering team, Parity’s AppSec and Wasmi team
Special Thanks
Special thanks to Stellar Development Foundation for reporting this bug.