Vulnerability-Lookup

rustsec-2019-0002

Vulnerability from osv_rustsec

Published

2019-05-07 12:00

Modified

2023-06-13 13:10

Summary

Bug in SliceDeque::move_head_unchecked corrupts its memory

Details

Affected versions of this crate entered a corrupted state if mem::size_of::<T>() % allocation_granularity() != 0 and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored page boundary.

This allows an attacker that controls controls both element insertion and removal to corrupt the deque, such that reading elements from it would read bytes corresponding to other elements in the deque. (e.g. a read of T could read some bytes from one value and some bytes from an adjacent one, resulting in a T whose value representation is not meaningful). This is undefined behavior.

The flaw was corrected by using a pair of pointers to track the head and tail of the deque instead of a pair of indices. This pair of pointers are represented using a Rust slice.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "slice-deque",
        "purl": "pkg:cargo/slice-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2019-15543",
    "GHSA-c3m3-c39q-pv23"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of this crate entered a corrupted state if\n`mem::size_of::\u003cT\u003e() % allocation_granularity() != 0` and a specific allocation\npattern was used: sufficiently shifting the deque elements over the mirrored\npage boundary.\n\nThis allows an attacker that controls controls both element insertion and\nremoval to corrupt the deque, such that reading elements from it would read\nbytes corresponding to other elements in the deque. (e.g. a read of T could read\nsome bytes from one value and some bytes from an adjacent one, resulting in a T\nwhose value representation is not meaningful). This is undefined behavior.\n \nThe flaw was corrected by using a pair of pointers to track the head and tail of\nthe deque instead of a pair of indices. This pair of pointers are represented\nusing a Rust slice.",
  "id": "RUSTSEC-2019-0002",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2019-05-07T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/slice-deque"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/gnzlbg/slice_deque/issues/57"
    }
  ],
  "related": [
    "RUSTSEC-2018-0008"
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bug in SliceDeque::move_head_unchecked corrupts its memory"
}

CVE-2019-15543 (GCVE-0-2019-15543)

Vulnerability from cvelistv5 – Published: 2019-08-26 17:09 – Updated: 2024-08-05 00:49

Summary

An issue was discovered in the slice-deque crate before 0.2.0 for Rust. There is memory corruption in certain allocation cases.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://rustsec.org/advisories/RUSTSEC-2019-0002.html

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:49:13.719Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the slice-deque crate before 0.2.0 for Rust. There is memory corruption in certain allocation cases."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-26T17:09:28",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-15543",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in the slice-deque crate before 0.2.0 for Rust. There is memory corruption in certain allocation cases."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html",
              "refsource": "MISC",
              "url": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-15543",
    "datePublished": "2019-08-26T17:09:28",
    "dateReserved": "2019-08-25T00:00:00",
    "dateUpdated": "2024-08-05T00:49:13.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

rustsec-2019-0002

Vulnerability from osv_rustsec

Published

2018-12-05 12:00

Modified

2023-06-13 13:10

Summary

Bug in SliceDeque::move_head_unchecked allows read of corrupted memory

Details

Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly at the beginning of the mirrored memory region.

An attacker that controls both element insertion and removal into the deque could put it in a corrupted state. Once the deque enters such an state, its head and tail are corrupted, but in bounds of the allocated memory. This can result in partial reads and writes, reads of uninitialized memory, reads of memory containing previously dropped objects, etc. An attacker could exploit this to alter program execution.

The flaw was corrected by properly updating the head and tail of the deque in this case.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "slice-deque",
        "purl": "pkg:cargo/slice-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.1.16"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2018-20995",
    "GHSA-hr3c-6mmp-6m39"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of this crate did not properly update the\nhead and tail of the deque when inserting and removing elements from the front\nif, before insertion or removal, the tail of the deque was in the mirrored\nmemory region, and if, after insertion or removal, the head of the deque is\nexactly at the beginning of the mirrored memory region.\n\nAn attacker that controls both element insertion and removal into the deque\ncould put it in a corrupted state. Once the deque enters such an state, its head\nand tail are corrupted, but in bounds of the allocated memory. This can result\nin partial reads and writes, reads of uninitialized memory, reads of memory\ncontaining previously dropped objects, etc. An attacker could exploit this to\nalter program execution.\n\nThe flaw was corrected by properly updating the head and tail of the deque in\nthis case.",
  "id": "RUSTSEC-2018-0008",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2018-12-05T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/slice-deque"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0008.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/gnzlbg/slice_deque/issues/57"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bug in SliceDeque::move_head_unchecked allows read of corrupted memory"
}

GHSA-C3M3-C39Q-PV23

Vulnerability from github – Published: 2021-08-25 20:44 – Updated: 2023-06-13 20:56

Summary

Out of bounds write in slice-deque

Details

Affected versions of this crate entered a corrupted state if mem::size_of::() % allocation_granularity() != 0 and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored page boundary.

The flaw was corrected by using a pair of pointers to track the head and tail of the deque instead of a pair of indices. This pair of pointers are represented using a Rust slice.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "slice-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-15543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:23:28Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Affected versions of this crate entered a corrupted state if mem::size_of::\u003cT\u003e() % allocation_granularity() != 0 and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored page boundary.\n\nThis allows an attacker that controls controls both element insertion and removal to corrupt the deque, such that reading elements from it would read bytes corresponding to other elements in the deque. (e.g. a read of T could read some bytes from one value and some bytes from an adjacent one, resulting in a T whose value representation is not meaningful). This is undefined behavior.\n\nThe flaw was corrected by using a pair of pointers to track the head and tail of the deque instead of a pair of indices. This pair of pointers are represented using a Rust slice.",
  "id": "GHSA-c3m3-c39q-pv23",
  "modified": "2023-06-13T20:56:39Z",
  "published": "2021-08-25T20:44:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gnzlbg/slice_deque/issues/57"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gnzlbg/slice_deque"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2019-0002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Out of bounds write in slice-deque"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

rustsec-2019-0002

Vulnerability from osv_rustsec

CVE-2019-15543 (GCVE-0-2019-15543)

rustsec-2019-0002

Vulnerability from osv_rustsec

GHSA-C3M3-C39Q-PV23

Tags

Sightings

Nomenclature