Hello 🦀 ,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

common::Slice::<T, H>::new
Drop uninitialized memory upon panic within T::default().
arenavec/src/common.rs, lines 73 to 89 in f931efb

common::SliceVec::<T, H>::resize_with
double free upon panic within T::drop in line 438.
arenavec/src/common.rs, lines 417 to 443 in f931efb

common::SliceVec::<T, H>::resize
double free upon panic within T::drop in line 466.
arenavec/src/common.rs, lines 445 to 471 in f931efb

Proof of Concept

Example program below exhibits a double drop on the same object.

Program Output

The message Dropping 1 is printed twice, indicating the same object was dropped twice.

Dropping 1
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', examples/arenavec.rs:14:62
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Dropping 99
Dropping 0
Dropping 1

Suggested Fix

common::Slice::<T, H>::new:
Move res.len = len; to after all writes are done.

common::SliceVec::<T, H>::resize_with & common::SliceVec::<T, H>::resize:
Move self.slice.len = len; to before drop_in_place().

Thank you for checking out this issue!
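The two orderings the report asks for, shown on a minimal raw-pointer vector. This is an added example, not code from the arenavec crate or from the reporter: `MiniVec`, `Elem` and the two `scenario_*` functions are constructed for illustration. It generalises `T::default()` to any constructor closure, and uses a constructed element type that counts its drops so each scenario can return how many drops happened. `fill_with` advances `len` only after each successful write (the Slice::new fix); `truncate` lowers `len` before calling `drop_in_place` (the resize/resize_with fix), so a panicking `T::drop` leaks the remaining elements instead of letting the destructor drop them twice.

```rust
// Added example, not arenavec's code: a tiny raw-pointer vector whose `len`
// always equals the number of initialised slots, even when a constructor or
// a destructor panics part-way through.
use std::alloc::{alloc, dealloc, Layout};
use std::cell::Cell;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
use std::rc::Rc;

struct MiniVec<T> {
    ptr: *mut T,
    cap: usize,
    len: usize, // invariant: exactly the first `len` slots are initialised
}

impl<T> MiniVec<T> {
    fn with_capacity(cap: usize) -> Self {
        assert!(cap > 0 && std::mem::size_of::<T>() > 0, "example keeps allocation simple");
        let layout = Layout::array::<T>(cap).expect("layout");
        let ptr = unsafe { alloc(layout) } as *mut T;
        assert!(!ptr.is_null(), "allocation failed");
        MiniVec { ptr, cap, len: 0 }
    }

    /// Fill up to `n` elements from `make` (stands in for T::default()).
    /// `len` advances only after each write, so a panic inside `make` leaves
    /// `len` equal to the number of initialised slots. Setting `len = n`
    /// before the loop (the Slice::new bug) would make Drop read garbage.
    fn fill_with(&mut self, n: usize, mut make: impl FnMut() -> T) {
        assert!(n <= self.cap, "capacity exhausted");
        while self.len < n {
            let value = make(); // may panic
            unsafe { ptr::write(self.ptr.add(self.len), value) };
            self.len += 1;
        }
    }

    /// Shrink to `n` elements. `len` is lowered before anything is dropped:
    /// if one T::drop panics, the slots already dropped are no longer counted,
    /// so MiniVec::drop cannot drop them again. Elements after the panicking
    /// one are leaked (safe). Lowering `len` only after the drops (the
    /// resize/resize_with bug) would double-drop instead.
    fn truncate(&mut self, n: usize) {
        if n >= self.len {
            return;
        }
        let old_len = self.len;
        self.len = n;
        for i in n..old_len {
            unsafe { ptr::drop_in_place(self.ptr.add(i)) }; // may panic
        }
    }
}

impl<T> Drop for MiniVec<T> {
    fn drop(&mut self) {
        let len = std::mem::replace(&mut self.len, 0);
        for i in 0..len {
            unsafe { ptr::drop_in_place(self.ptr.add(i)) };
        }
        unsafe { dealloc(self.ptr as *mut u8, Layout::array::<T>(self.cap).expect("layout")) };
    }
}

/// Constructed element type: counts its drops and optionally panics in Drop.
struct Elem {
    id: u32,
    drops: Rc<Cell<u32>>,
    panic_on_drop: bool,
}

impl Drop for Elem {
    fn drop(&mut self) {
        self.drops.set(self.drops.get() + 1);
        if self.panic_on_drop {
            panic!("Elem {} panicked in drop", self.id);
        }
    }
}

/// The constructor panics on its third call. Returns (drops observed, constructor calls).
fn scenario_ctor_panics() -> (u32, u32) {
    let drops = Rc::new(Cell::new(0u32));
    let calls = Cell::new(0u32);
    let result = catch_unwind(AssertUnwindSafe(|| {
        let mut v: MiniVec<Elem> = MiniVec::with_capacity(4);
        v.fill_with(4, || {
            let id = calls.get();
            calls.set(id + 1);
            if id == 2 {
                panic!("constructor panicked");
            }
            Elem { id, drops: drops.clone(), panic_on_drop: false }
        });
        v
    }));
    assert!(result.is_err());
    (drops.get(), calls.get()) // only the two written elements were dropped
}

/// Element 2's Drop panics during truncate. Returns (drops observed, len after the panic).
fn scenario_drop_panics() -> (u32, usize) {
    let drops = Rc::new(Cell::new(0u32));
    let mut v: MiniVec<Elem> = MiniVec::with_capacity(4);
    let mut next = 0u32;
    v.fill_with(4, || {
        let e = Elem { id: next, drops: drops.clone(), panic_on_drop: next == 2 };
        next += 1;
        e
    });
    let result = catch_unwind(AssertUnwindSafe(|| v.truncate(1)));
    assert!(result.is_err());
    let len_after = v.len;
    drop(v); // drops element 0 only; 1 and 2 are not dropped again, 3 is leaked
    (drops.get(), len_after)
}

fn main() {
    println!("constructor panic: {:?}", scenario_ctor_panics()); // (2, 3)
    println!("drop panic:        {:?}", scenario_drop_panics()); // (3, 1)
}
```

Each scenario returns the drop count rather than printing "Dropping N" lines, so the absence of a double drop is checked directly: four elements exist in the second scenario and the counter never exceeds three, because the one whose destructor did not run was leaked rather than dropped twice.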
JOE1994 changed the title from "double free error may happen in 3 functions" to "panic safety bug may happen in 3 functions" on Jan 12, 2021
JOE1994 added a commit to JOE1994/arenavec that referenced this issue on Jan 20, 2021
Once a fix is released to crates.io, please open a pull request to update the advisory with the patched version, or file an issue on the advisory database repository.