GHSA-RXHX-9FJ6-6H2M
Vulnerability from github – Published: 2022-06-16 23:53 – Updated: 2022-06-20 18:15
Summary
enum_map macro can cause UB when `Enum` trait is incorrectly implemented
Details
Affected versions of this crate did not properly check the length of an enum when using the `enum_map!` macro, trusting the user-provided length.
When the `LENGTH` in the `Enum` trait does not match the array length in the `EnumArray` trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code.
This problem can only occur with a manual implementation of the `Enum` trait; it will never occur for enums that use `#[derive(Enum)]`.
Example code that triggers this vulnerability looks like this:
```rust
use enum_map::{enum_map, Enum, EnumArray, EnumMap};

enum E {
    A,
    B,
    C,
}

impl Enum for E {
    // Declares two variants, but `E` has three.
    const LENGTH: usize = 2;

    fn from_usize(value: usize) -> E {
        match value {
            0 => E::A,
            1 => E::B,
            2 => E::C,
            _ => unimplemented!(),
        }
    }

    fn into_usize(self) -> usize {
        self as usize
    }
}

impl<V> EnumArray<V> for E {
    // Three slots: does not match `LENGTH` above.
    type Array = [V; 3];
}

fn main() {
    let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };
}
```
The flaw was corrected in commit b824e23 by putting the `LENGTH` property on a sealed trait for the macro to read.
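A reduced model of the invariant the macro depended on, as an added example that is neither the crate's code nor its fix (the fix uses a sealed trait; this sketch uses a runtime check instead). The `Enum` trait here is a local stand-in, and `build_checked`, `LengthMismatch`, `Wrong` and `Right` are hypothetical names; it refuses to treat the array as initialized unless the declared `LENGTH` equals the number of slots.

```rust
use std::mem::MaybeUninit;
// Local stand-in for the crate's `Enum` trait, reduced to what the check needs.
trait Enum: Sized {
    const LENGTH: usize;
    fn from_usize(value: usize) -> Self;
}

#[derive(Debug, PartialEq)]
struct LengthMismatch { declared: usize, slots: usize }

// Writes one value per declared variant into an N-slot array. Only `LENGTH`
// slots are written, so `assume_init` is sound only when LENGTH == N.
fn build_checked<E: Enum, V, F: FnMut(E) -> V, const N: usize>(
    mut f: F,
) -> Result<[V; N], LengthMismatch> {
    if E::LENGTH != N {
        return Err(LengthMismatch { declared: E::LENGTH, slots: N });
    }
    let mut slots: [MaybeUninit<V>; N] = std::array::from_fn(|_| MaybeUninit::uninit());
    for i in 0..E::LENGTH {
        slots[i].write(f(E::from_usize(i)));
    }
    // SAFETY: LENGTH == N was checked above, so the loop wrote every slot.
    Ok(slots.map(|s| unsafe { s.assume_init() }))
}

// Constructed sample types: `Wrong` repeats the advisory's mismatch
// (three variants, LENGTH = 2); `Right` declares the true count.
#[derive(Debug)]
enum Wrong { A, B, C }
impl Enum for Wrong {
    const LENGTH: usize = 2;
    fn from_usize(v: usize) -> Self {
        match v { 0 => Wrong::A, 1 => Wrong::B, 2 => Wrong::C, _ => unimplemented!() }
    }
}
#[derive(Debug)]
enum Right { A, B, C }
impl Enum for Right {
    const LENGTH: usize = 3;
    fn from_usize(v: usize) -> Self {
        match v { 0 => Right::A, 1 => Right::B, 2 => Right::C, _ => unimplemented!() }
    }
}
fn main() {
    let bad = build_checked::<Wrong, String, _, 3>(|_| "Hello, world!".into());
    let good = build_checked::<Right, String, _, 3>(|v| format!("{v:?}"));
    println!("{bad:?}\n{good:?}");
}
```

Without the length check, the `Wrong` case would leave the third slot unwritten before `assume_init`, which is the uninitialized state the advisory describes.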
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "enum-map"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-2"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-06-16T23:53:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate did not properly check the length of an enum when using `enum_map!` macro, trusting user-provided length.\n\nWhen the `LENGTH` in the `Enum` trait does not match the array length in the `EnumArray` trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code.\n\nThis problem can only occur with a manual implementation of the Enum trait, it will never occur for enums that use `#[derive(Enum)]`.\n\nExample code that triggers this vulnerability looks like this:\n\n```rust\nenum E {\n A,\n B,\n C,\n}\n\nimpl Enum for E {\n const LENGTH: usize = 2;\n\n fn from_usize(value: usize) -\u003e E {\n match value {\n 0 =\u003e E::A,\n 1 =\u003e E::B,\n 2 =\u003e E::C,\n _ =\u003e unimplemented!(),\n }\n }\n\n fn into_usize(self) -\u003e usize {\n self as usize\n }\n}\n\nimpl\u003cV\u003e EnumArray\u003cV\u003e for E {\n type Array = [V; 3];\n}\n\nlet _map: EnumMap\u003cE, String\u003e = enum_map! { _ =\u003e \"Hello, world!\".into() };\n```\n\nThe flaw was corrected in commit [b824e23](https://github.com/xfix/enum-map/commit/b824e232f2fb47837740070096ac253df8e80dfc) by putting `LENGTH` property on sealed trait for macro to read.\n",
"id": "GHSA-rxhx-9fj6-6h2m",
"modified": "2022-06-20T18:15:47Z",
"published": "2022-06-16T23:53:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xfix/enum-map/commit/b824e232f2fb47837740070096ac253df8e80dfc"
},
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/blob/main/crates/enum-map/RUSTSEC-2022-0010.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/xfix/enum-map"
},
{
"type": "WEB",
"url": "https://github.com/xfix/enum-map/blob/master/CHANGELOG.md#version-202"
},
{
"type": "WEB",
"url": "https://gitlab.com/KonradBorowski/enum-map/-/blob/master/CHANGELOG.md#version-202"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0010.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "enum_map macro can cause UB when `Enum` trait is incorrectly implemented"
}