rustsec-2022-0078
Vulnerability from osv_rustsec
Published
2022-01-14 12:00
Modified
2023-06-13 13:10
Summary
Use-after-free due to a lifetime error in `Vec::into_iter()`
Details
In affected versions of this crate, the lifetime of the iterator produced by
Vec::into_iter() is not constrained to the lifetime of the Bump that
allocated the vector's memory. Using the iterator after the Bump is dropped
causes use-after-free accesses.
The following example demonstrates memory corruption arising from a misuse of this unsoundness.
use bumpalo::{collections::Vec, Bump};
fn main() {
let bump = Bump::new();
let mut vec = Vec::new_in(&bump);
vec.extend([0x01u8; 32]);
let into_iter = vec.into_iter();
drop(bump);
for _ in 0..100 {
let reuse_bump = Bump::new();
let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
}
for x in into_iter {
print!("0x{:02x} ", x);
}
println!();
}
The issue was corrected in version 3.11.1 by adding a lifetime to the IntoIter
type, and updating the signature of Vec::into_iter() to constrain this
lifetime.
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption",
"memory-exposure"
],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"bumpalo::collections::vec::Vec::into_iter"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "bumpalo",
"purl": "pkg:cargo/bumpalo"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "3.11.1"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-f85w-wvc7-crwc"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "In affected versions of this crate, the lifetime of the iterator produced by\n`Vec::into_iter()` is not constrained to the lifetime of the `Bump` that\nallocated the vector\u0027s memory. Using the iterator after the `Bump` is dropped\ncauses use-after-free accesses.\n\nThe following example demonstrates memory corruption arising from a misuse of\nthis unsoundness.\n\n```rust\nuse bumpalo::{collections::Vec, Bump};\n\nfn main() {\n let bump = Bump::new();\n let mut vec = Vec::new_in(\u0026bump);\n vec.extend([0x01u8; 32]);\n let into_iter = vec.into_iter();\n drop(bump);\n\n for _ in 0..100 {\n let reuse_bump = Bump::new();\n let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);\n }\n\n for x in into_iter {\n print!(\"0x{:02x} \", x);\n }\n println!();\n}\n```\n\nThe issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter`\ntype, and updating the signature of `Vec::into_iter()` to constrain this\nlifetime.",
"id": "RUSTSEC-2022-0078",
"modified": "2023-06-13T13:10:24Z",
"published": "2022-01-14T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/bumpalo"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0078.html"
},
{
"type": "WEB",
"url": "https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111"
}
],
"related": [],
"severity": [],
"summary": "Use-after-free due to a lifetime error in `Vec::into_iter()`"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…