rustsec-2022-0028
Vulnerability from osv_rustsec
Published
2022-05-22 12:00
Modified
2023-06-13 13:10
Summary
Use after free in Neon external buffers
Details
Neon provides functionality for creating JavaScript `ArrayBuffer` (and the `Buffer` subtype) instances backed by bytes allocated outside of V8/Node. The `JsArrayBuffer::external` and `JsBuffer::external` functions did not require `T: 'static` prior to Neon 0.10.1. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScript `ArrayBuffer`.
The following example demonstrates the use after free. It compiles on versions <0.10.1 and fails to compile afterward.
```rust
pub fn soundness_hole(mut cx: FunctionContext) -> JsResult<JsArrayBuffer> {
    let mut data = vec![0u8, 1, 2, 3];

    // Creating an external from `&mut [u8]` instead of `Vec<u8>` since there is a blanket impl
    // of `AsMut<T> for &mut T`
    let buf = JsArrayBuffer::external(&mut cx, data.as_mut_slice());

    // `buf` is still holding a reference to `data`!
    drop(data);

    Ok(buf)
}
```
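As an added example that is not Neon's own code, the following stand-alone Rust model shows what an externally backed buffer does with the storage it is handed (a raw pointer passed to the runtime, as Neon does through N-API) and why the `T: 'static` bound added in 0.10.1 closes the hole. `ExternalBuffer`, `external`, `as_slice` and `sound_example` are names invented for this model.

```rust
// Added example, not Neon's code: a model of an externally backed buffer that
// hands a raw pointer to a foreign runtime and needs `T: 'static` to be sound.

/// Models a JS `ArrayBuffer` whose bytes live outside the JS heap. The
/// runtime only sees a raw pointer, so the borrow checker cannot protect
/// the bytes; soundness rests entirely on the buffer owning its storage.
pub struct ExternalBuffer {
    ptr: *mut u8,
    len: usize,
    // Runs when the (modelled) JS garbage collector frees the ArrayBuffer.
    finalize: Option<Box<dyn FnOnce() + Send>>,
}

impl ExternalBuffer {
    /// `T: 'static` rejects borrowed storage such as `&mut [u8]`. Without
    /// it (Neon < 0.10.1) the advisory's `external(data.as_mut_slice())`
    /// is accepted and the pointer outlives `data`: the use after free.
    pub fn external<T: AsMut<[u8]> + Send + 'static>(data: T) -> Self {
        // Box first so the address stays stable when ownership moves below
        // (matters for inline storage such as `[u8; N]`).
        let mut boxed = Box::new(data);
        let slice: &mut [u8] = (*boxed).as_mut();
        let (ptr, len) = (slice.as_mut_ptr(), slice.len());
        // The storage moves into the finalizer: it lives as long as the buffer.
        let finalize: Box<dyn FnOnce() + Send> = Box::new(move || drop(boxed));
        ExternalBuffer { ptr, len, finalize: Some(finalize) }
    }

    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: `ptr`/`len` point into storage owned by `self.finalize`,
        // released only in `Drop`; `'static` rules out a shorter-lived borrow.
        unsafe { std::slice::from_raw_parts(self.ptr, self.len) }
    }
}

impl Drop for ExternalBuffer {
    fn drop(&mut self) {
        if let Some(f) = self.finalize.take() {
            f();
        }
    }
}

/// Owned storage (`Vec<u8>`) is `'static`, so this compiles and is sound.
pub fn sound_example() -> Vec<u8> {
    let data = vec![0u8, 1, 2, 3];
    let buf = ExternalBuffer::external(data); // `data` is moved, not borrowed
    buf.as_slice().to_vec()
}
```

Passing `data.as_mut_slice()` to this `external` is rejected at compile time because the borrow would have to be `'static`, which is exactly the check the advisory describes as missing before 0.10.1.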
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption",
"memory-exposure"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"neon::types::JsArrayBuffer::external",
"neon::types::JsBuffer::external"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "neon",
"purl": "pkg:cargo/neon"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.10.1"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-8mj7-wxmc-f424"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Neon provides functionality for creating JavaScript `ArrayBuffer` (and the `Buffer` subtype) instances backed by bytes allocated outside of V8/Node. The [`JsArrayBuffer::external`](https://docs.rs/neon/0.10.0/neon/types/struct.JsArrayBuffer.html#method.external) and [`JsBuffer::external`](https://docs.rs/neon/0.10.0/neon/types/struct.JsBuffer.html#method.external) did not require `T: \u0027static` prior to Neon `0.10.1`. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScript `ArrayBuffer`.\n\nThe following example demonstrates use after free. It compiles on versions `\u003c0.10.1` and fails to compile afterward.\n\n```rust\npub fn soundness_hole(mut cx: FunctionContext) -\u003e JsResult\u003cJsArrayBuffer\u003e {\n let mut data = vec![0u8, 1, 2, 3];\n \n // Creating an external from `\u0026mut [u8]` instead of `Vec\u003cu8\u003e` since there is a blanket impl\n // of `AsMut\u003cT\u003e for \u0026mut T`\n let buf = JsArrayBuffer::external(\u0026mut cx, data.as_mut_slice());\n\n // `buf` is still holding a reference to `data`!\n drop(data);\n\n Ok(buf)\n}\n```",
"id": "RUSTSEC-2022-0028",
"modified": "2023-06-13T13:10:24Z",
"published": "2022-05-22T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/neon"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0028.html"
},
{
"type": "REPORT",
"url": "https://github.com/neon-bindings/neon/issues/896"
}
],
"related": [],
"severity": [],
"summary": "Use after free in Neon external buffers"
}