GHSA-9RG7-3J4F-CF4X

Vulnerability from github – Published: 2022-06-16 23:52 – Updated: 2022-06-16 23:52
Summary
QueryInterface should call AddRef before returning pointer
Details

Affected versions of this crate, which is a required dependency of com-impl, provide a faulty implementation of the IUnknown::QueryInterface method.

A QueryInterface implementation must call IUnknown::AddRef before returning the interface pointer, as described in this documentation: https://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void)

Because the generated implementation does not increment the reference count as expected, the caller's subsequent IUnknown::Release call will cause WMI to drop its reference to the interface, which can leave a dangling (invalid) reference.

This is documented in https://docs.microsoft.com/en-us/windows/win32/learnwin32/managing-the-lifetime-of-an-object#reference-counting

There is no simple workaround, as you cannot know how many times QueryInterface will be called. The only quick fix is to use the macro-expanded version of the code and modify the QueryInterface method to add the AddRef call yourself.

The issue was corrected in commit 9803f31fbd1717d482d848f041044d061fca6da7.
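The following is an added example that is not part of the advisory or of the com-impl/derive-com-impl code. It models the IUnknown reference-counting contract with a plain Rust struct (no real COM, no Windows API): the creator holds one reference, a caller obtains the interface through QueryInterface and later calls Release, and a `destroyed` flag stands in for the object freeing itself when its count reaches zero. The `query_interface_faulty` and `query_interface_fixed` names and the `caller_round_trip` helper are constructed for this illustration. With the faulty shape the caller's single Release takes the count to zero while the creator still holds its pointer; with the AddRef-before-return shape the count returns to one and the creator's pointer stays valid.

```rust
use std::sync::atomic::{AtomicBool, AtomicU32, Ordering};

/// Minimal model of a COM object's IUnknown reference counting (example code,
/// not derive-com-impl's own). Real COM hands out raw interface pointers; here
/// the object is borrowed and `destroyed` stands in for the object freeing
/// itself when its reference count drops to zero.
pub struct ComObject {
    refcount: AtomicU32,
    destroyed: AtomicBool,
}

impl ComObject {
    /// A freshly created COM object starts with one reference, owned by its creator.
    pub fn new() -> ComObject {
        ComObject {
            refcount: AtomicU32::new(1),
            destroyed: AtomicBool::new(false),
        }
    }

    /// IUnknown::AddRef: increment the count and return the new value.
    pub fn add_ref(&self) -> u32 {
        self.refcount.fetch_add(1, Ordering::SeqCst) + 1
    }

    /// IUnknown::Release: decrement the count; at zero the object frees itself.
    pub fn release(&self) -> u32 {
        let remaining = self.refcount.fetch_sub(1, Ordering::SeqCst) - 1;
        if remaining == 0 {
            self.destroyed.store(true, Ordering::SeqCst);
        }
        remaining
    }

    /// The faulty shape described by the advisory: the interface pointer is
    /// returned without taking a reference on the caller's behalf.
    pub fn query_interface_faulty(&self) -> &ComObject {
        self
    }

    /// The documented contract: AddRef before handing out the pointer, so the
    /// caller's later Release balances it.
    pub fn query_interface_fixed(&self) -> &ComObject {
        self.add_ref();
        self
    }

    pub fn refcount(&self) -> u32 {
        self.refcount.load(Ordering::SeqCst)
    }

    pub fn is_destroyed(&self) -> bool {
        self.destroyed.load(Ordering::SeqCst)
    }
}

/// A well-behaved caller (constructed for the example): QueryInterface, use the
/// interface, Release it. Returns (refcount after the caller's Release, whether
/// the object is now gone even though the creator still holds its original pointer).
pub fn caller_round_trip(obj: &ComObject, fixed: bool) -> (u32, bool) {
    let iface = if fixed {
        obj.query_interface_fixed()
    } else {
        obj.query_interface_faulty()
    };
    // ... the caller would use `iface` here, then release it as the contract requires ...
    let remaining = iface.release();
    (remaining, obj.is_destroyed())
}

fn main() {
    let faulty = ComObject::new();
    println!("faulty QueryInterface: {:?}", caller_round_trip(&faulty, false));
    let fixed = ComObject::new();
    println!("fixed QueryInterface:  {:?}", caller_round_trip(&fixed, true));
}
```

Running `main` shows `(0, true)` for the faulty path, i.e. the creator's reference was silently consumed by someone else's Release, and `(1, false)` for the fixed path. This is also why the advisory says there is no simple workaround: the creator cannot compensate with extra AddRef calls without knowing exactly how many QueryInterface calls other code will make.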


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "derive-com-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-16T23:52:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected version of this crate, which is a required dependency in com-impl, \nprovides a faulty implementation of the `IUnknown::QueryInterface` method.\n\n`QueryInterface` implementation must call `IUnknown::AddRef` before returning the pointer,\nas describe in this documentation:\n\u003chttps://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void)\u003e\n\nAs it is not incrementing the refcount as expected, the following calls to `IUnknown::Release` method \nwill cause WMI to drop reference to the interface, and can lead to invalid reference.\n\nThis is documented in \u003chttps://docs.microsoft.com/en-us/windows/win32/learnwin32/managing-the-lifetime-of-an-object#reference-counting\u003e\n\nThere is no simple workaround, as you can\u0027t know how many time QueryInterface will be called.\nThe only way to quick fix this is to use the macro expanded version of the code and modify \nthe QueryInterface method to add the AddRef call yourself.\n\nThe issue was corrected in commit `9803f31fbd1717d482d848f041044d061fca6da7`.\n",
  "id": "GHSA-9rg7-3j4f-cf4x",
  "modified": "2022-06-16T23:52:51Z",
  "published": "2022-06-16T23:52:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Connicpu/com-impl/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Connicpu/com-impl/commit/9803f31fbd1717d482d848f041044d061fca6da7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Connicpu/com-impl"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0083.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "QueryInterface should call AddRef before returning pointer"
}
