RUSTSEC-2022-0078

Source
https://rustsec.org/advisories/RUSTSEC-2022-0078
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0078.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2022-0078
Published
2022-01-14T12:00:00Z
Modified
2023-11-08T04:18:53.654955Z
Summary
Use-after-free due to a lifetime error in `Vec::into_iter()`
Details

In affected versions of this crate, the lifetime of the iterator produced by `Vec::into_iter()` is not constrained to the lifetime of the `Bump` that allocated the vector's memory. Using the iterator after the `Bump` is dropped causes use-after-free accesses.

The following example demonstrates memory corruption arising from a misuse of this unsoundness.

use bumpalo::{collections::Vec, Bump};

fn main() {
    let bump = Bump::new();
    // The vector's buffer is allocated inside `bump`.
    let mut vec = Vec::new_in(&bump);
    vec.extend([0x01u8; 32]);
    // In affected versions the returned iterator is not tied to `bump`'s lifetime ...
    let into_iter = vec.into_iter();
    // ... so the allocator can be dropped while the iterator still points into its memory.
    drop(bump);

    // Churn the allocator so the freed memory is likely to be reused and overwritten.
    for _ in 0..100 {
        let reuse_bump = Bump::new();
        let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
    }

    // Reads from freed memory; the bytes printed may no longer be the 0x01 values written above.
    for x in into_iter {
        print!("0x{:02x} ", x);
    }
    println!();
}

The issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter` type, and updating the signature of `Vec::into_iter()` to constrain this lifetime.
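As an added example (not bumpalo's code), the following toy arena models the fix described above: `ToyBump`, `ToyVec` and `ToyIntoIter` are constructed stand-ins, and the only point is that the iterator type carries the arena's lifetime, so the drop-before-iterate pattern from the advisory becomes a borrow-checker error rather than a use-after-free.

```rust
use std::cell::RefCell;
use std::marker::PhantomData;

// Constructed toy arena (not bumpalo): it owns every allocation, so dropping
// it frees them, which is the hazard the advisory describes.
struct ToyBump { chunks: RefCell<Vec<Box<[u8]>>> }
impl ToyBump {
    fn new() -> Self { ToyBump { chunks: RefCell::new(Vec::new()) } }
    // Copies `data` into arena-owned memory; valid only while the arena lives.
    fn alloc_bytes(&self, data: &[u8]) -> *const u8 {
        let chunk: Box<[u8]> = data.into();
        let ptr = chunk.as_ptr();
        self.chunks.borrow_mut().push(chunk);
        ptr
    }
}

// Arena-backed vector: `'bump` is the borrow of the arena that owns `ptr`.
struct ToyVec<'bump> { ptr: *const u8, len: usize, _bump: PhantomData<&'bump ToyBump> }
// Fixed shape (as in bumpalo 3.11.1): the iterator carries `'bump`, so the
// borrow checker refuses to drop the arena while the iterator is alive.
struct ToyIntoIter<'bump> { ptr: *const u8, len: usize, pos: usize, _bump: PhantomData<&'bump ToyBump> }
impl<'bump> ToyVec<'bump> {
    fn from_slice(bump: &'bump ToyBump, data: &[u8]) -> Self {
        ToyVec { ptr: bump.alloc_bytes(data), len: data.len(), _bump: PhantomData }
    }
    fn into_iter(self) -> ToyIntoIter<'bump> {
        ToyIntoIter { ptr: self.ptr, len: self.len, pos: 0, _bump: PhantomData }
    }
}

impl<'bump> Iterator for ToyIntoIter<'bump> {
    type Item = u8;
    fn next(&mut self) -> Option<u8> {
        if self.pos >= self.len { return None; }
        // SAFETY: `ptr` points to `len` bytes owned by a ToyBump that is still
        // borrowed for `'bump`, so they cannot have been freed yet.
        let byte = unsafe { *self.ptr.add(self.pos) };
        self.pos += 1;
        Some(byte)
    }
}

// Round-trips `data` through the arena. Uncommenting `drop` reproduces the
// advisory's pattern and is now a compile error (E0505) instead of a UAF.
fn roundtrip(data: &[u8]) -> Vec<u8> {
    let bump = ToyBump::new();
    let iter = ToyVec::from_slice(&bump, data).into_iter();
    // drop(bump);
    iter.collect()
}
```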

Affected packages

Package: crates.io / bumpalo

Affected ranges
Type: SEMVER
Events:
Introduced: 1.1.0
Fixed: 3.11.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "bumpalo::collections::vec::Vec::into_iter"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": "unsound",
    "categories": [
        "memory-corruption",
        "memory-exposure"
    ]
}