rustsec-2022-0007
Vulnerability from osv_rustsec
Published
2022-01-24 12:00
Modified
2023-06-13 13:10
Summary
A malicious coder can get unsound access to TCell or TLCell memory
Details
This is impossible to do by accident, but by carefully constructing marker types to be covariant, a malicious coder can cheat the singleton check in `TCellOwner` and `TLCellOwner`, giving unsound access to cell memory. This could take the form of getting two mutable references to the same memory, or a mutable reference and an immutable reference.

The fix is for the crate to internally force the marker type to be invariant. This blocks the conversion between covariant types which Rust normally allows.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "qcell",
"purl": "pkg:cargo/qcell"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.4.3"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-9c9f-7x9p-4wqp"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "This is impossible to do by accident, but by carefully constructing\nmarker types to be covariant, a malicious coder can cheat the\nsingleton check in `TCellOwner` and `TLCellOwner`, giving unsound\naccess to cell memory. This could take the form of getting two\nmutable references to the same memory, or a mutable reference and an\nimmutable reference.\n\nThe fix is for the crate to internally force the marker type to be\ninvariant. This blocks the conversion between covariant types which\nRust normally allows.",
"id": "RUSTSEC-2022-0007",
"modified": "2023-06-13T13:10:24Z",
"published": "2022-01-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/qcell"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0007.html"
},
{
"type": "REPORT",
"url": "https://github.com/uazu/qcell/issues/20"
}
],
"related": [],
"severity": [],
"summary": "A malicious coder can get unsound access to TCell or TLCell memory"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.