rustsec-2024-0018
Vulnerability from osv_rustsec
Published
2024-02-27 12:00
Modified
2024-04-11 16:16
Summary
ObjectPool creates uninitialized memory when freeing objects
Details

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.

Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:

use crayon::prelude::*;
application::oneshot().unwrap();

let mut params = MeshParams::default();

let mesh = video::create_mesh(params, None).unwrap();

// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB

The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.

Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1
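As an added illustration (not crayon's code; `Pool`, `Slot` and `Handle` are hypothetical names), a minimal generational object pool whose `free` moves the value out with `Option::take` instead of swapping an uninitialized `T` into storage, and rejects stale handles and double frees:

```rust
// Added example: a minimal generational object pool (hypothetical, not crayon's
// ObjectPool) whose `free` never manufactures an uninitialized `T`.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Handle { index: u32, generation: u32 }

struct Slot<T> { generation: u32, value: Option<T> }

pub struct Pool<T> { slots: Vec<Slot<T>>, free_list: Vec<u32> }

impl<T> Pool<T> {
    pub fn new() -> Self { Pool { slots: Vec::new(), free_list: Vec::new() } }

    // Reuse a freed slot if one exists, otherwise grow the storage.
    pub fn alloc(&mut self, value: T) -> Handle {
        if let Some(index) = self.free_list.pop() {
            let slot = &mut self.slots[index as usize];
            slot.value = Some(value);
            Handle { index, generation: slot.generation }
        } else {
            self.slots.push(Slot { generation: 0, value: Some(value) });
            Handle { index: (self.slots.len() - 1) as u32, generation: 0 }
        }
    }

    // A handle carries the generation it was issued with, so a handle that outlived
    // its object is rejected instead of aliasing whatever now occupies the slot.
    pub fn get(&self, h: Handle) -> Option<&T> {
        let slot = self.slots.get(h.index as usize)?;
        if slot.generation != h.generation { return None; }
        slot.value.as_ref()
    }

    // Sound free. The pattern the advisory describes amounts to
    //   let old = mem::replace(&mut slot.value, unsafe { mem::uninitialized() });
    // i.e. creating an "uninitialized T" and swapping it into storage, which is
    // immediate undefined behavior. `Option::take` moves the value out and leaves a
    // valid `None` behind, so no uninitialized bytes are ever produced or read.
    pub fn free(&mut self, h: Handle) -> Option<T> {
        let slot = self.slots.get_mut(h.index as usize)?;
        if slot.generation != h.generation { return None; } // stale handle
        let value = slot.value.take()?;                      // already free: nothing to do
        slot.generation = slot.generation.wrapping_add(1);   // invalidate old handles
        self.free_list.push(h.index);
        Some(value)
    }

    pub fn live_count(&self) -> usize { self.slots.iter().filter(|s| s.value.is_some()).count() }
}
```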


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "crayon::utils::object_pool::ObjectPool\u003cH,T\u003e::free"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "crayon",
        "purl": "pkg:cargo/crayon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-xfhw-6mc4-mgxf"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its\ntype parameter when it attempts to free an object, and swaps it into the storage. This\ncauses instant undefined behavior due to reading the uninitialized memory in order to\nwrite it to the pool storage.\n\nExtremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:\n\n```rust\nuse crayon::prelude::*;\napplication::oneshot().unwrap();\n\nlet mut params = MeshParams::default();\n\nlet mesh = video::create_mesh(params, None).unwrap();\n\n// Deletes the mesh object.\nvideo::delete_mesh(mesh); // \u003c-- UB\n```\n\nThe Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.\n\nDiscovered via https://asan.saethlin.dev/ub?crate=crayon\u0026version=0.7.1",
  "id": "RUSTSEC-2024-0018",
  "modified": "2024-04-11T16:16:20Z",
  "published": "2024-02-27T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/crayon"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0018.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/shawnscode/crayon/issues/109"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "ObjectPool creates uninitialized memory when freeing objects"
}

