[37.0.0] Fix externref/anyref ownership in C/C++ API (#11800)

* Fix externref/anyref ownership in C/C++ API

This commit is a follow-up to #11514 which was discovered through
failing tests in the wasmtime-py repository when updating to Wasmtime
37.0.0. This is a backport to the 37.0.x release branch which contains
the minimal infrastructure necessary to get to parity with `main` in
terms of avoiding leaks. Care is taken to avoid changing any public APIs
here which means that some previously-provided parameters are no longer
used, for example.

* Run `clang-format`

Author: alexcrichton

RELEASES.md

@@ -1,3 +1,14 @@
+## 37.0.2
+
+Released 2025-10-07.
+
+### Fixed
+
+* Fix a memory leak in the C API when using `anyref` or `externref`.
+  [CVE-2025-61670](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc).
+
+--------------------------------------------------------------------------------
+
 ## 37.0.1
 
 Released 2025-09-23.
@@ -9,6 +20,8 @@ Released 2025-09-23.
   sign-extend instead.
   [#11734](https://github.com/bytecodealliance/wasmtime/pull/11734)
 
+--------------------------------------------------------------------------------
+
 ## 37.0.0
 
 Released 2025-09-20.

crates/c-api/include/wasmtime/func.hh

@@ -86,6 +86,14 @@ NATIVE_WASM_TYPE(double, F64, f64)
 template <> struct WasmType<std::optional<ExternRef>> {
   static const bool valid = true;
   static const ValKind kind = ValKind::ExternRef;
+  static void store(Store::Context cx, wasmtime_val_raw_t *p,
+                    std::optional<ExternRef> &&ref) {
+    if (ref) {
+      p->externref = ref->take_raw(cx);
+    } else {
+      p->externref = 0;
+    }
+  }
   static void store(Store::Context cx, wasmtime_val_raw_t *p,
                     const std::optional<ExternRef> &ref) {
     if (ref) {
@@ -129,6 +137,9 @@ template <typename T> struct WasmTypeList {
   static bool matches(ValType::ListRef types) {
     return WasmTypeList<std::tuple<T>>::matches(types);
   }
+  static void store(Store::Context cx, wasmtime_val_raw_t *storage, T &&t) {
+    WasmType<T>::store(cx, storage, t);
+  }
   static void store(Store::Context cx, wasmtime_val_raw_t *storage,
                     const T &t) {
     WasmType<T>::store(cx, storage, t);
@@ -169,6 +180,15 @@ template <typename... T> struct WasmTypeList<std::tuple<T...>> {
     size_t n = 0;
     return ((WasmType<T>::kind == types.begin()[n++].kind()) && ...);
   }
+  static void store(Store::Context cx, wasmtime_val_raw_t *storage,
+                    std::tuple<T...> &&t) {
+    size_t n = 0;
+    std::apply(
+        [&](auto &...val) {
+          (WasmType<T>::store(cx, &storage[n++], val), ...); // NOLINT
+        },
+        t);
+  }
   static void store(Store::Context cx, wasmtime_val_raw_t *storage,
                     const std::tuple<T...> &t) {
     size_t n = 0;

crates/c-api/include/wasmtime/val.hh

@@ -38,6 +38,34 @@ public:
   /// Creates a new `ExternRef` directly from its C-API representation.
   explicit ExternRef(wasmtime_externref_t val) : val(val) {}
 
+  /// Copy constructor to clone `other`.
+  ExternRef(const ExternRef &other) {
+    wasmtime_externref_clone(NULL, &other.val, &val);
+  }
+
+  /// Copy assignment to clone from `other`.
+  ExternRef &operator=(const ExternRef &other) {
+    wasmtime_externref_unroot(NULL, &val);
+    wasmtime_externref_clone(NULL, &other.val, &val);
+    return *this;
+  }
+
+  /// Move constructor to move the contents of `other`.
+  ExternRef(ExternRef &&other) {
+    val = other.val;
+    wasmtime_externref_set_null(&other.val);
+  }
+
+  /// Move assignment to move the contents of `other`.
+  ExternRef &operator=(ExternRef &&other) {
+    wasmtime_externref_unroot(NULL, &val);
+    val = other.val;
+    wasmtime_externref_set_null(&other.val);
+    return *this;
+  }
+
+  ~ExternRef() { wasmtime_externref_unroot(NULL, &val); }
+
   /// Creates a new `externref` value from the provided argument.
   ///
   /// Note that `val` should be safe to send across threads and should own any
@@ -54,9 +82,8 @@ public:
 
   /// Creates a new `ExternRef` which is separately rooted from this one.
   ExternRef clone(Store::Context cx) {
-    wasmtime_externref_t other;
-    wasmtime_externref_clone(cx.ptr, &val, &other);
-    return ExternRef(other);
+    (void)cx;
+    return *this;
   }
 
   /// Returns the underlying host data associated with this `ExternRef`.
@@ -66,12 +93,24 @@ public:
 
   /// Unroots this value from the context provided, enabling a future GC to
   /// collect the internal object if there are no more references.
-  void unroot(Store::Context cx) { wasmtime_externref_unroot(cx.ptr, &val); }
+  void unroot(Store::Context cx) {
+    (void)cx;
+    wasmtime_externref_unroot(NULL, &val);
+    wasmtime_externref_set_null(&val);
+  }
 
   /// Returns the raw underlying C API value.
   ///
   /// This class still retains ownership of the pointer.
   const wasmtime_externref_t *raw() const { return &val; }
+
+  /// Consumes ownership of the underlying `wasmtime_externref_t` and returns
+  /// the result of `wasmtime_externref_to_raw`.
+  uint32_t take_raw(Store::Context cx) {
+    uint32_t ret = wasmtime_externref_to_raw(cx.raw_context(), &val);
+    wasmtime_externref_set_null(&val);
+    return ret;
+  }
 };
 
 /**
@@ -86,6 +125,32 @@ public:
   /// Creates a new `AnyRef` directly from its C-API representation.
   explicit AnyRef(wasmtime_anyref_t val) : val(val) {}
 
+  /// Copy constructor to clone `other`.
+  AnyRef(const AnyRef &other) { wasmtime_anyref_clone(NULL, &other.val, &val); }
+
+  /// Copy assignment to clone from `other`.
+  AnyRef &operator=(const AnyRef &other) {
+    wasmtime_anyref_unroot(NULL, &val);
+    wasmtime_anyref_clone(NULL, &other.val, &val);
+    return *this;
+  }
+
+  /// Move constructor to move the contents of `other`.
+  AnyRef(AnyRef &&other) {
+    val = other.val;
+    wasmtime_anyref_set_null(&other.val);
+  }
+
+  /// Move assignment to move the contents of `other`.
+  AnyRef &operator=(AnyRef &&other) {
+    wasmtime_anyref_unroot(NULL, &val);
+    val = other.val;
+    wasmtime_anyref_set_null(&other.val);
+    return *this;
+  }
+
+  ~AnyRef() { wasmtime_anyref_unroot(NULL, &val); }
+
   /// Creates a new `AnyRef` which is an `i31` with the given `value`,
   /// truncated if the upper bit is set.
   static AnyRef i31(Store::Context cx, uint32_t value) {
@@ -96,14 +161,17 @@ public:
 
   /// Creates a new `AnyRef` which is separately rooted from this one.
   AnyRef clone(Store::Context cx) {
-    wasmtime_anyref_t other;
-    wasmtime_anyref_clone(cx.ptr, &val, &other);
-    return AnyRef(other);
+    (void)cx;
+    return *this;
   }
 
   /// Unroots this value from the context provided, enabling a future GC to
   /// collect the internal object if there are no more references.
-  void unroot(Store::Context cx) { wasmtime_anyref_unroot(cx.ptr, &val); }
+  void unroot(Store::Context cx) {
+    (void)cx;
+    wasmtime_anyref_unroot(NULL, &val);
+    wasmtime_anyref_set_null(&val);
+  }
 
   /// Returns the raw underlying C API value.
   ///
@@ -201,6 +269,7 @@ public:
     val.kind = WASMTIME_EXTERNREF;
     if (ptr) {
       val.of.externref = ptr->val;
+      wasmtime_externref_set_null(&ptr->val);
     } else {
       wasmtime_externref_set_null(&val.of.externref);
     }
@@ -210,6 +279,7 @@ public:
     val.kind = WASMTIME_ANYREF;
     if (ptr) {
       val.of.anyref = ptr->val;
+      wasmtime_anyref_set_null(&ptr->val);
     } else {
       wasmtime_anyref_set_null(&val.of.anyref);
     }
@@ -221,6 +291,35 @@ public:
   /// any`.
   Val(AnyRef ptr);
 
+  /// Copy constructor to clone `other`.
+  Val(const Val &other) { wasmtime_val_clone(NULL, &other.val, &val); }
+
+  /// Copy assignment to clone from `other`.
+  Val &operator=(const Val &other) {
+    wasmtime_val_unroot(NULL, &val);
+    wasmtime_val_clone(NULL, &other.val, &val);
+    return *this;
+  }
+
+  /// Move constructor to move the contents of `other`.
+  Val(Val &&other) {
+    val = other.val;
+    other.val.kind = WASMTIME_I32;
+    other.val.of.i32 = 0;
+  }
+
+  /// Move assignment to move the contents of `other`.
+  Val &operator=(Val &&other) {
+    wasmtime_val_unroot(NULL, &val);
+    val = other.val;
+    other.val.kind = WASMTIME_I32;
+    other.val.of.i32 = 0;
+    return *this;
+  }
+
+  /// Unroots the values in `val`, if any.
+  ~Val() { wasmtime_val_unroot(NULL, &val); }
+
   /// Returns the kind of value that this value has.
   ValKind kind() const {
     switch (val.kind) {
@@ -295,14 +394,15 @@ public:
   /// Note that `externref` is a nullable reference, hence the `optional` return
   /// value.
   std::optional<ExternRef> externref(Store::Context cx) const {
+    (void)cx;
     if (val.kind != WASMTIME_EXTERNREF) {
       std::abort();
     }
     if (wasmtime_externref_is_null(&val.of.externref)) {
       return std::nullopt;
     }
     wasmtime_externref_t other;
-    wasmtime_externref_clone(cx.ptr, &val.of.externref, &other);
+    wasmtime_externref_clone(NULL, &val.of.externref, &other);
     return ExternRef(other);
   }
 
@@ -312,14 +412,15 @@ public:
   /// Note that `anyref` is a nullable reference, hence the `optional` return
   /// value.
   std::optional<AnyRef> anyref(Store::Context cx) const {
+    (void)cx;
     if (val.kind != WASMTIME_ANYREF) {
       std::abort();
     }
     if (wasmtime_anyref_is_null(&val.of.anyref)) {
       return std::nullopt;
     }
     wasmtime_anyref_t other;
-    wasmtime_anyref_clone(cx.ptr, &val.of.anyref, &other);
+    wasmtime_anyref_clone(NULL, &val.of.anyref, &other);
     return AnyRef(other);
   }
 
@@ -331,7 +432,12 @@ public:
   std::optional<Func> funcref() const;
 
   /// Unroots any GC references this `Val` points to within the `cx` provided.
-  void unroot(Store::Context cx) { wasmtime_val_unroot(cx.ptr, &val); }
+  void unroot(Store::Context cx) {
+    (void)cx;
+    wasmtime_val_unroot(NULL, &val);
+    val.kind = WASMTIME_I32;
+    val.of.i32 = 0;
+  }
 };
 
 } // namespace wasmtime

crates/c-api/src/ref.rs

@@ -1,5 +1,6 @@
 use crate::{WasmtimeStoreContextMut, abort};
-use std::{mem::MaybeUninit, num::NonZeroU64, os::raw::c_void, ptr};
+use std::mem::{ManuallyDrop, MaybeUninit};
+use std::{num::NonZeroU64, os::raw::c_void, ptr};
 use wasmtime::{AnyRef, ExternRef, I31, OwnedRooted, Ref, RootScope, Val};
 
 /// `*mut wasm_ref_t` is a reference type (`externref` or `funcref`), as seen by
@@ -207,14 +208,26 @@ macro_rules! ref_wrapper {
                 ))
             }
 
-            pub unsafe fn from_wasmtime(self) -> Option<OwnedRooted<$wasmtime>> {
+            pub unsafe fn into_wasmtime(self) -> Option<OwnedRooted<$wasmtime>> {
+                ManuallyDrop::new(self).to_owned()
+            }
+
+            unsafe fn to_owned(&self) -> Option<OwnedRooted<$wasmtime>> {
                 let store_id = NonZeroU64::new(self.store_id)?;
                 Some(OwnedRooted::from_owned_raw_parts_for_c_api(
                     store_id, self.a, self.b, self.c,
                 ))
             }
         }
 
+        impl Drop for $c {
+            fn drop(&mut self) {
+                unsafe {
+                    let _ = self.to_owned();
+                }
+            }
+        }
+
         impl From<Option<OwnedRooted<$wasmtime>>> for $c {
             fn from(rooted: Option<OwnedRooted<$wasmtime>>) -> $c {
                 let mut ret = $c {
@@ -248,7 +261,7 @@ ref_wrapper!(ExternRef => wasmtime_externref_t);
 
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wasmtime_anyref_clone(
-    _cx: WasmtimeStoreContextMut<'_>,
+    _cx: *mut u8,
     anyref: Option<&wasmtime_anyref_t>,
     out: &mut MaybeUninit<wasmtime_anyref_t>,
 ) {
@@ -258,11 +271,13 @@ pub unsafe extern "C" fn wasmtime_anyref_clone(
 
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wasmtime_anyref_unroot(
-    _cx: WasmtimeStoreContextMut<'_>,
-    val: Option<&mut MaybeUninit<wasmtime_anyref_t>>,
+    _cx: *mut u8,
+    val: Option<&mut ManuallyDrop<wasmtime_anyref_t>>,
 ) {
-    if let Some(val) = val.and_then(|v| v.assume_init_read().from_wasmtime()) {
-        drop(val);
+    if let Some(val) = val {
+        unsafe {
+            ManuallyDrop::drop(val);
+        }
     }
 }
 
@@ -371,7 +386,7 @@ pub unsafe extern "C" fn wasmtime_externref_data(
 
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wasmtime_externref_clone(
-    _cx: WasmtimeStoreContextMut<'_>,
+    _cx: *mut u8,
     externref: Option<&wasmtime_externref_t>,
     out: &mut MaybeUninit<wasmtime_externref_t>,
 ) {
@@ -381,11 +396,13 @@ pub unsafe extern "C" fn wasmtime_externref_clone(
 
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wasmtime_externref_unroot(
-    _cx: WasmtimeStoreContextMut<'_>,
-    val: Option<&mut MaybeUninit<wasmtime_externref_t>>,
+    _cx: *mut u8,
+    val: Option<&mut ManuallyDrop<wasmtime_externref_t>>,
 ) {
-    if let Some(val) = val.and_then(|v| v.assume_init_read().from_wasmtime()) {
-        drop(val);
+    if let Some(val) = val {
+        unsafe {
+            ManuallyDrop::drop(val);
+        }
     }
 }