GHSA-83GG-PWXF-JR89
Vulnerability from github – Published: 2022-06-16 23:40 – Updated: 2022-06-20 18:27
Summary
`array!` macro is unsound in presence of traits that implement methods it calls internally
Details
Affected versions of this crate called some methods using auto-ref. The affected code looked like this.
```rust
let mut arr = $crate::__core::mem::MaybeUninit::uninit();
let mut vec = $crate::__ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);
```
In this case, the problem is that `as_mut_ptr` is a method of `&mut MaybeUninit`, not `MaybeUninit`. This made it possible for traits to hijack the method calls in order to cause unsoundness.
```rust
trait AsMutPtr<T> {
    fn as_mut_ptr(&self) -> *mut T;
}
impl<T> AsMutPtr<T> for std::mem::MaybeUninit<T> {
    fn as_mut_ptr(&self) -> *mut T {
        std::ptr::null_mut()
    }
}
array![0; 1];
```
The flaw was corrected by explicitly referencing variables in the macro body in order to avoid auto-ref.
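The resolution order behind this can be checked in isolation. The following is an added example, not code from the advisory or from the array-macro crate: the two macros and the `caller` module are hypothetical names, and each macro only reports whether the pointer it obtained is null, so nothing is dereferenced.

```rust
// Hypothetical macros mimicking the shape of the affected snippet.
macro_rules! slot_is_null_autoref {
    ($t:ty) => {{
        let mut arr = ::std::mem::MaybeUninit::<$t>::uninit();
        // Receiver is the bare value: method lookup tries `&arr` before
        // `&mut arr`, so a caller's `&self` trait method is found first.
        let p: *mut $t = arr.as_mut_ptr();
        p.is_null()
    }};
}

macro_rules! slot_is_null_explicit {
    ($t:ty) => {{
        let mut arr = ::std::mem::MaybeUninit::<$t>::uninit();
        // Receiver is already `&mut MaybeUninit<T>`: the inherent method
        // matches at the first lookup step and the trait is never consulted.
        let p: *mut $t = (&mut arr).as_mut_ptr();
        p.is_null()
    }};
}

mod caller {
    // Caller-side trait with the same shape as the one in the advisory.
    pub trait AsMutPtr<T> {
        fn as_mut_ptr(&self) -> *mut T;
    }
    impl<T> AsMutPtr<T> for std::mem::MaybeUninit<T> {
        fn as_mut_ptr(&self) -> *mut T {
            std::ptr::null_mut()
        }
    }

    #[allow(unused_mut)] // the hijacked call only borrows `arr` immutably
    pub fn autoref_is_null() -> bool {
        slot_is_null_autoref!(u32)
    }

    pub fn explicit_is_null() -> bool {
        slot_is_null_explicit!(u32)
    }
}

fn main() {
    println!("auto-ref call got null: {}", caller::autoref_is_null());
    println!("explicit &mut call got null: {}", caller::explicit_is_null());
}
```

When auditing other macros for the same pattern, the thing to look for is a method call on a bare local inside the macro body where the intended method takes `&mut self`.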
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "array-macro"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.2"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-06-16T23:40:19Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of this crate called some methods using auto-ref. The affected code looked like this.\n\n```rust\nlet mut arr = $crate::__core::mem::MaybeUninit::uninit();\nlet mut vec = $crate::__ArrayVec::\u003cT\u003e::new(arr.as_mut_ptr() as *mut T);\n```\n\nIn this case, the problem is that `as_mut_ptr` is a method of `\u0026mut MaybeUninit`, not `MaybeUninit`. This made it possible for traits to hijack the method calls in order to cause unsoundness.\n\n```rust\ntrait AsMutPtr\u003cT\u003e {\n fn as_mut_ptr(\u0026self) -\u003e *mut T;\n}\nimpl\u003cT\u003e AsMutPtr\u003cT\u003e for std::mem::MaybeUninit\u003cT\u003e {\n fn as_mut_ptr(\u0026self) -\u003e *mut T {\n std::ptr::null_mut()\n }\n}\narray![0; 1];\n```\n\nThe flaw was corrected by explicitly referencing variables in macro body in order to avoid auto-ref.\n",
"id": "GHSA-83gg-pwxf-jr89",
"modified": "2022-06-20T18:27:06Z",
"published": "2022-06-16T23:40:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xfix/array-macro/commit/01940637dd8f3bfeeee3faf9639fa9ae52f19f4d"
},
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/blob/main/crates/array-macro/RUSTSEC-2020-0161.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/xfix/array-macro"
},
{
"type": "WEB",
"url": "https://gitlab.com/KonradBorowski/array-macro/-/commit/01940637dd8f3bfeeee3faf9639fa9ae52f19f4d"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0161.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "`array!` macro is unsound in presence of traits that implement methods it calls internally"
}