Please see below for a Fastly Security Advisory (FSecA) outlining an investigation into CVE-2021-43790, a bug in Lucet, a dependency of Compute@Edge, disclosed in a recent Bytecode Alliance security advisory.
It's our goal in this Fastly Security Advisory to illustrate our knowledge about the bug discovered and the actions we have taken to prevent further possible impact to our customers.
On November 11th 2021, Fastly Engineering received alerts related to segmentation faults on Compute@Edge. Support teams were engaged and the customer impacted was informed of ongoing investigations into the source of the issue. Fastly investigations have not identified additional impact outside of the single case disclosed in this advisory.
A bug in the main branch of Lucet’s lucet-runtime that allowed a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug had been introduced early in the development of Lucet and was present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it made it possible to trigger a use-after-free when the Instance is dropped.
Lucet uses a "pool" allocator for new WebAssembly (wasm) instances that are created. This pool allocator manages everything from the linear memory of the wasm instance, the runtime stack for async switching, as well as the memory behind the Instance itself. Instances are referred to via an InstanceHandle type which will, on drop, release the memory backing the Instance back to the pool.
When an Instance is dropped, the fields of the Instance are destructed top-to-bottom, however when the alloc: Alloc field is destructed, the memory backing the Instance is released back to the pool before the destructors of the remaining fields are run. If another thread allocates the same memory from the pool while these destructors are still running, a race condition occurs that can lead to use-after-free errors.
It was not possible to identify the nature of the crashes until we were able to reliably reproduce the crashes in a controlled environment by simulating a significant amount of load. Once the crashes were reproduced reliably we were able to identify the issue and remediate the vulnerability.
This security advisory applies to customers who are using Compute@Edge.
The bug was corrected by changing how the InstanceHandle destructor operates to ensure that the memory backing an Instance is only returned to the pool once the Instance has been completely destroyed. No action by customers is required.