GHSA-F85W-WVC7-CRWC
Vulnerability from github – Published: 2023-01-20 21:54 – Updated: 2023-01-20 21:54
VLAI?
Summary
bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`
Details
In affected versions of this crate, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
The following example demonstrates memory corruption arising from a misuse of this unsoundness.
use bumpalo::{collections::Vec, Bump};
fn main() {
let bump = Bump::new();
let mut vec = Vec::new_in(&bump);
vec.extend([0x01u8; 32]);
let into_iter = vec.into_iter();
drop(bump);
for _ in 0..100 {
let reuse_bump = Bump::new();
let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
}
for x in into_iter {
print!("0x{:02x} ", x);
}
println!();
}
The issue was corrected in version 3.11.1 by adding a lifetime to the IntoIter type, and updating the signature of Vec::into_iter() to constrain this lifetime.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "bumpalo"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "3.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-01-20T21:54:22Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In affected versions of this crate, the lifetime of the iterator produced by `Vec::into_iter()` is not constrained to the lifetime of the `Bump` that allocated the vector\u0027s memory. Using the iterator after the `Bump` is dropped causes use-after-free accesses.\n\nThe following example demonstrates memory corruption arising from a misuse of this unsoundness.\n\n```rust\nuse bumpalo::{collections::Vec, Bump};\n\nfn main() {\n let bump = Bump::new();\n let mut vec = Vec::new_in(\u0026bump);\n vec.extend([0x01u8; 32]);\n let into_iter = vec.into_iter();\n drop(bump);\n\n for _ in 0..100 {\n let reuse_bump = Bump::new();\n let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);\n }\n\n for x in into_iter {\n print!(\"0x{:02x} \", x);\n }\n println!();\n}\n```\n\nThe issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter` type, and updating the signature of `Vec::into_iter()` to constrain this lifetime.\n",
"id": "GHSA-f85w-wvc7-crwc",
"modified": "2023-01-20T21:54:22Z",
"published": "2023-01-20T21:54:22Z",
"references": [
{
"type": "PACKAGE",
"url": "https://github.com/fitzgen/bumpalo"
},
{
"type": "WEB",
"url": "https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0078.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…