rustsec-2023-0042
Vulnerability from osv_rustsec
Published
2023-06-11 12:00
Modified
2023-07-08 12:30
Summary
Ouroboros is Unsound
Details

Summary

Ouroboros has a soundness problem, but a fix has been implemented in 0.16.0.

More details:

In 0.15.0, Ouroboros works internally by creating a struct where all uses of 'this are replaced by 'static. However, a recent addition to Miri checks that references passed to functions are valid during the entire execution of the function, even when those references are passed inside a struct. This poses an issue for dropping self-referencing values, as the reference becomes invalid during the dropping process. Effectively, since self-referencing structs are not allowed in vanilla Rust, there is no allowance for dropping data during a function that has also been given a reference to that data. There's usually no way to pass a and &a to the same function.

A fix was attempted, where the struct would be turned in to a raw byte array and only transformed back into the underlying data type inside each function. This is allowable as a reference can be created and die over the body of a function, as long as the reference was created inside the function. However, this is also not sound if the original struct contains padding. There is no way to initialize padding bytes to a known value that Miri will accept, so when it is cast to an array some of the bytes contain uninitialized values. This is not acceptable (despite the fact that these bytes are never read) due to the potential for optimizations that may read from the uninitialized bytes. Besides which, this fix does not allow for template or constant parameters as there is no way to check the size of a templated type without giving specific, concrete values for the template parameters.

The final solution was to use this fix while wrapping the raw byte array in MaybeUninit<>.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "ouroboros",
        "purl": "pkg:cargo/ouroboros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-87mf-9wg6-ppf8"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "## Summary\n\nOuroboros has a soundness problem, but a fix has been implemented in 0.16.0.\n\n## More details:\n\nIn 0.15.0, Ouroboros works internally by creating a struct where all \nuses of \u0027this are replaced by \u0027static. However, a recent addition to \nMiri checks that references passed to functions are valid during the \nentire execution of the function, even when those references are \npassed inside a struct. This poses an issue for dropping \nself-referencing values, as the reference becomes invalid during the \ndropping process. Effectively, since self-referencing structs are \nnot allowed in vanilla Rust, there is no allowance for dropping data\nduring a function that has also been given a reference to that data. \nThere\u0027s usually no way to pass a and \u0026a to the same function.\n\nA fix was attempted, where the struct would be turned in to a raw \nbyte array and only transformed back into the underlying data type \ninside each function. This is allowable as a reference can be \ncreated and die over the body of a function, as long as the \nreference was created inside the function. However, this is also \nnot sound if the original struct contains padding. There is no \nway to initialize padding bytes to a known value that Miri will \naccept, so when it is cast to an array some of the bytes contain \nuninitialized values. This is not acceptable (despite the fact \nthat these bytes are never read) due to the potential for \noptimizations that may read from the uninitialized bytes. Besides \nwhich, this fix does not allow for template or constant parameters \nas there is no way to check the size of a templated type without \ngiving specific, concrete values for the template parameters.\n\nThe final solution was to use this fix while wrapping the raw byte\narray in `MaybeUninit\u003c\u003e`.",
  "id": "RUSTSEC-2023-0042",
  "modified": "2023-07-08T12:30:19Z",
  "published": "2023-06-11T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/ouroboros"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0042.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/joshua-maros/ouroboros/issues/88"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Ouroboros is Unsound"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.