[37.0.x] Prevent using shared memories with Memory (#12019)

* Prevent using shared memories with `Memory`

This commit fixes a few issues where it was possible to represent a wasm
shared linear memory with the `wasmtime::Memory` type. This is not sound
because `wasmtime::Memory` provides safe Rust access to the bytes where
that is not possible with wasm shared memories. Shared memories in Rust
must be represented by `SharedMemory`, not `wasmtime::Memory`.

Specifically this commit prevents two vectors of this happening:

1. `Memory::new` now requires that the memory type specified is
   non-shared. Instead `SharedMemory::new` must be used instead.

2. Core dumps now skip over shared memories when iterating over all
   memories in the store. Supporting shared memories is a more invasive
   change and will happen on Wasmtime's `main` branch.

* CI fixes

Author: alexcrichton

RELEASES.md

@@ -1,3 +1,14 @@
+## 37.0.3
+
+Released 2025-11-11.
+
+### Fixed
+
+* Prevent using shared memories with `Memory`.
+  [CVE-2025-64345](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q)
+
+--------------------------------------------------------------------------------
+
 ## 37.0.2
 
 Released 2025-10-07.

crates/wasmtime/src/runtime/coredump.rs

@@ -41,7 +41,8 @@ impl WasmCoreDump {
     pub(crate) fn new(store: &mut StoreOpaque, backtrace: WasmBacktrace) -> WasmCoreDump {
         let modules: Vec<_> = store.modules().all_modules().cloned().collect();
         let instances: Vec<Instance> = store.all_instances().collect();
-        let store_memories: Vec<Memory> = store.all_memories().collect();
+        let mut store_memories: Vec<Memory> = store.all_memories().collect();
+        store_memories.retain(|m| !m.wasmtime_ty(store).shared);
 
         let mut store_globals: Vec<Global> = vec![];
         store.for_each_global(|_store, global| store_globals.push(global));
@@ -268,7 +269,12 @@ impl WasmCoreDump {
                     .all_memories(store.0)
                     .collect::<Vec<_>>()
                     .into_iter()
-                    .map(|(_i, memory)| memory_to_idx[&memory.hash_key(&store.0)])
+                    .map(|(_i, memory)| {
+                        memory_to_idx
+                            .get(&memory.hash_key(&store.0))
+                            .copied()
+                            .unwrap_or(u32::MAX)
+                    })
                     .collect::<Vec<_>>();
 
                 let globals = instance

crates/wasmtime/src/runtime/memory.rs

@@ -285,6 +285,9 @@ impl Memory {
         limiter: Option<&mut StoreResourceLimiter<'_>>,
         ty: MemoryType,
     ) -> Result<Memory> {
+        if ty.is_shared() {
+            bail!("shared memories must be created through `SharedMemory`")
+        }
         generate_memory_export(store, limiter, &ty, None).await
     }
 

crates/wast/Cargo.toml

@@ -15,7 +15,7 @@ workspace = true
 
 [dependencies]
 anyhow = { workspace = true }
-wasmtime = { workspace = true, features = ['cranelift', 'wat', 'runtime', 'gc', 'async'] }
+wasmtime = { workspace = true, features = ['cranelift', 'wat', 'runtime', 'gc', 'async', 'threads'] }
 wast = { workspace = true, features = ['dwarf'] }
 log = { workspace = true }
 tokio = { workspace = true, features = ['rt'] }

crates/wast/src/spectest.rs

@@ -80,7 +80,7 @@ pub fn link_spectest<T>(
 
     if config.use_shared_memory {
         let ty = MemoryType::shared(1, 1);
-        let memory = Memory::new(&mut *store, ty)?;
+        let memory = SharedMemory::new(store.engine(), ty)?;
         linker.define(&mut *store, "spectest", "shared_memory", memory)?;
     }
 

tests/all/coredump.rs

@@ -258,3 +258,36 @@ fn multiple_globals_memories_and_instances() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+#[cfg_attr(miri, ignore)]
+fn core_dump_with_shared_memory() -> Result<()> {
+    if super::threads::engine().is_none() {
+        return Ok(());
+    }
+    let mut config = Config::new();
+    config.coredump_on_trap(true);
+    let engine = Engine::new(&config)?;
+    let mut store = Store::new(&engine, ());
+    let wat = r#"(module
+        (memory 1 1 shared)
+        (func (export "foo") unreachable)
+        (data (i32.const 0) "a")
+    )"#;
+    let module = Module::new(&engine, wat)?;
+    let instance = Instance::new(&mut store, &module, &[])?;
+    let foo = instance.get_typed_func::<(), ()>(&mut store, "foo")?;
+    let err = foo.call(&mut store, ()).unwrap_err();
+    let coredump = err.downcast_ref::<WasmCoreDump>().unwrap();
+    assert!(coredump.memories().is_empty());
+
+    let bytes = coredump.serialize(&mut store, "howdy");
+    for payload in wasmparser::Parser::new(0).parse_all(&bytes) {
+        let payload = payload?;
+        if let wasmparser::Payload::DataSection(s) = payload {
+            assert_eq!(s.count(), 0);
+        }
+    }
+
+    Ok(())
+}

tests/all/threads.rs

@@ -295,3 +295,11 @@ fn test_memory_size_accessibility() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn create_shared_memory_through_memory() -> Result<()> {
+    let engine = Engine::default();
+    let mut store = Store::new(&engine, ());
+    assert!(Memory::new(&mut store, MemoryType::shared(1, 1)).is_err());
+    Ok(())
+}