security: fix CVE-2021-38297

[rolandshoemaker]

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.

[rolandshoemaker]

@gopherbot please backport to 1.16 and 1.17.

This is a security issue.

[gopherbot]

Backport issue(s) opened: #48799 (for 1.16), #48800 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/354571 mentions this issue: misc/wasm, cmd/link: do not let command line args overwrite global data

[gopherbot]

Change https://golang.org/cl/354592 mentions this issue: misc/wasm, cmd/link: do not let command line args overwrite global data

[gopherbot]

Change https://golang.org/cl/354591 mentions this issue: misc/wasm, cmd/link: do not let command line args overwrite global data