rustsec-2020-0161
Vulnerability from osv_rustsec
Published
2020-05-07 12:00
Modified
2023-06-13 13:10
Summary
`array!` macro is unsound in presence of traits that implement methods it calls internally
Details
Affected versions of this crate called some methods using auto-ref. The affected code looked like this.
```rust
let mut arr = $crate::__core::mem::MaybeUninit::uninit();
let mut vec = $crate::__ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);
```
In this case, the problem is that `as_mut_ptr` is a method of `&mut MaybeUninit`, not `MaybeUninit`. This made it possible for traits to hijack the method calls in order to cause unsoundness.
```rust
trait AsMutPtr<T> {
    fn as_mut_ptr(&self) -> *mut T;
}
impl<T> AsMutPtr<T> for std::mem::MaybeUninit<T> {
    fn as_mut_ptr(&self) -> *mut T {
        std::ptr::null_mut()
    }
}
array![0; 1];
```
The flaw was corrected by explicitly referencing variables in the macro body in order to avoid auto-ref.
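The method-resolution order behind this advisory, as an added example that is not taken from the advisory or from the crate's code: it compares the auto-ref call shape with two call shapes that name the receiver explicitly, using the shadowing trait shown above. The function names `auto_ref_call`, `explicit_ref_call` and `qualified_call` are hypothetical, and no pointer is ever dereferenced.

```rust
use std::mem::MaybeUninit;

// Shadowing trait from the advisory: same method name, but it takes `&self`.
trait AsMutPtr<T> {
    fn as_mut_ptr(&self) -> *mut T;
}

impl<T> AsMutPtr<T> for MaybeUninit<T> {
    fn as_mut_ptr(&self) -> *mut T {
        std::ptr::null_mut()
    }
}

// Call shape of the affected macro body. Method lookup tries the receiver as
// `T`, then `&T`, then `&mut T`; the trait's `&self` method matches at `&T`,
// before the inherent `&mut self` method is ever considered.
#[allow(unused_mut)] // `arr` ends up borrowed immutably by the trait method
fn auto_ref_call() -> bool {
    let mut arr = MaybeUninit::<[u32; 4]>::uninit();
    let p: *mut [u32; 4] = arr.as_mut_ptr();
    p.is_null()
}

// Explicit `&mut` receiver: the inherent method matches at the first lookup
// step, and the `&self` trait method cannot apply to a `&mut` receiver.
fn explicit_ref_call() -> bool {
    let mut arr = MaybeUninit::<[u32; 4]>::uninit();
    let p: *mut [u32; 4] = (&mut arr).as_mut_ptr();
    p.is_null()
}

// Path call: inherent associated functions take priority over trait methods.
fn qualified_call() -> bool {
    let mut arr = MaybeUninit::<[u32; 4]>::uninit();
    let p: *mut [u32; 4] = MaybeUninit::as_mut_ptr(&mut arr);
    p.is_null()
}

fn main() {
    println!("auto-ref call returned null:      {}", auto_ref_call());
    println!("explicit &mut call returned null: {}", explicit_ref_call());
    println!("path call returned null:          {}", qualified_call());
}
```

When reviewing macros that expand in a caller's scope, any `value.method()` call on a local whose inherent method takes `&mut self` is a candidate for this pattern, because traits in scope at the call site take part in the lookup.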
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption"
],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "array-macro",
"purl": "pkg:cargo/array-macro"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.2"
},
{
"fixed": "1.0.5"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-83gg-pwxf-jr89"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Affected versions of this crate called some methods using auto-ref. The affected code looked like this.\n\n```rust\nlet mut arr = $crate::__core::mem::MaybeUninit::uninit();\nlet mut vec = $crate::__ArrayVec::\u003cT\u003e::new(arr.as_mut_ptr() as *mut T);\n```\n\nIn this case, the problem is that `as_mut_ptr` is a method of `\u0026mut MaybeUninit`, not `MaybeUninit`. This made it possible for traits to hijack the method calls in order to cause unsoundness.\n\n```rust\ntrait AsMutPtr\u003cT\u003e {\n fn as_mut_ptr(\u0026self) -\u003e *mut T;\n}\nimpl\u003cT\u003e AsMutPtr\u003cT\u003e for std::mem::MaybeUninit\u003cT\u003e {\n fn as_mut_ptr(\u0026self) -\u003e *mut T {\n std::ptr::null_mut()\n }\n}\narray![0; 1];\n```\n\nThe flaw was corrected by explicitly referencing variables in macro body in order to avoid auto-ref.",
"id": "RUSTSEC-2020-0161",
"modified": "2023-06-13T13:10:24Z",
"published": "2020-05-07T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/array-macro"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0161.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/KonradBorowski/array-macro/-/commit/01940637dd8f3bfeeee3faf9639fa9ae52f19f4d"
}
],
"related": [],
"severity": [],
"summary": "`array!` macro is unsound in presence of traits that implement methods it calls internally"
}