GHSA-2GXJ-QRP2-53JV

Vulnerability from github – Published: 2022-01-06 22:11 – Updated: 2023-06-13 18:34
Summary
Incorrect reliance on Trait memory layout in mopa
Details

The mopa crate redefines the deprecated TraitObject struct from core::raw. It transmutes a reference to a trait object (&dyn Trait, for any trait Trait) into this struct and reads the data field in order to downcast. This is how downcast_ref_unchecked() is implemented, and downcast_ref() is implemented in terms of it. The same applies to mutable-reference downcasting and Box downcasting.

The Rust compiler explicitly reserves the right to change the memory layout of &dyn Trait for any trait Trait. In the worst case it could swap the data and vtable halves of the fat pointer: a read of data would then return the vtable pointer, leaking the address of executable code and defeating ASLR. Likewise, if compiler-generated reads of vtable were to read data instead, arbitrary code execution becomes theoretically possible.


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "mopa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45695"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T14:22:40Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The mopa crate redefines the deprecated TraitObject struct from core::raw. This is done to then transmute a reference to a trait object (\u0026dyn Trait for any trait Trait) into this struct and retrieve the data field for the purpose of downcasting. This is used to implement downcast_ref_unchecked(), in terms of which downcast_ref() is also implemented. Same goes for mutable reference downcasting and Box downcasting.\n\nThe Rust compiler explicitly reserves the right to change the memory layout of \u0026dyn Trait for any trait Trait. The worst case scenario is that it swaps data and vtable, making an executable location breach and compromisation of ASLR possible, since reads from data would read vtable instead. Likewise, arbitrary code execution is also theoretically possible if reads of vtable generated by the compiler read data instead.",
  "id": "GHSA-2gxj-qrp2-53jv",
  "modified": "2023-06-13T18:34:26Z",
  "published": "2022-01-06T22:11:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chris-morgan/mopa/issues/13"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chris-morgan/mopa"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/mopa/RUSTSEC-2021-0095.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0095.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect reliance on Trait memory layout in mopa"
}
