Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04ZjI0LTZtMjktd20ycs4AA4ih
use-after-free in tracing
The implementation of the Instrumented::into_inner method in affected versions of this crate contains undefined behavior due to incorrect use of std::mem::forget. The function creates *const pointers to self, calls mem::forget(self), and then moves values out of those pointers using std::ptr::read.
// To manually destructure `Instrumented` without `Drop`, we
// move it into a ManuallyDrop and use pointers to its fields
let span: *const Span = &this.span;
let inner: *const ManuallyDrop<T> = &this.inner;
mem::forget(self);
// SAFETY: Those pointers are valid for reads, because `Drop` didn't
// run, and properly aligned, because `Instrumented` isn't
// `#[repr(packed)]`.
let _span = unsafe { span.read() };
let inner = unsafe { inner.read() };
However, the mem::forget documentation states:
Any resources the value manages, such as heap memory or a file handle, will
linger forever in an unreachable state. However, it does not guarantee that
pointers to this memory will remain valid.
This means that these pointers are no longer valid. This could result in a stack use-after-free if LLVM chooses to reuse self's stack slot for a rebinding after the call to std::mem::forget.
This undefined behavior has not been observed to cause miscompilation as of Rust 1.73.0. However, any use of this method with the affected versions of tracing is unsound.
The flaw was corrected in commit 20a1762 (PR #2765) by replacing the use of std::mem::forget with std::mem::ManuallyDrop, ensuring that the stack slot is not reused and the pointers remain valid when they are read. The fix is published in tracing v0.1.40. Affected versions have been yanked from crates.io.
Thanks to Taylor Cramer and Manish Goregaokar for finding and correcting
this issue!
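The ManuallyDrop pattern the fix paragraph describes, as an added example that is not the tracing source: Wrapper and Guard are hypothetical stand-ins for Instrumented and Span, and the drop counters are constructed so the outcome can be checked.

```rust
use std::mem::ManuallyDrop;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};

// Constructed stand-ins: `Guard` plays the role of `Span`, `Wrapper<T>` of `Instrumented<T>`.
pub static GUARD_DROPS: AtomicUsize = AtomicUsize::new(0);
pub static WRAPPER_DROPS: AtomicUsize = AtomicUsize::new(0);

pub struct Guard;
impl Drop for Guard {
    fn drop(&mut self) { GUARD_DROPS.fetch_add(1, SeqCst); }
}

pub struct Wrapper<T> { guard: Guard, inner: ManuallyDrop<T> }

impl<T> Drop for Wrapper<T> {
    fn drop(&mut self) {
        WRAPPER_DROPS.fetch_add(1, SeqCst);
        // SAFETY: `inner` is not touched again after the wrapper is dropped.
        unsafe { ManuallyDrop::drop(&mut self.inner) };
    }
}

impl<T> Wrapper<T> {
    pub fn new(inner: T) -> Self {
        Wrapper { guard: Guard, inner: ManuallyDrop::new(inner) }
    }

    /// Destructure `self` without running `Wrapper::drop`.
    pub fn into_inner(self) -> T {
        // Fields cannot be moved out of a `Drop` type, so suppress the
        // destructor while keeping the value in a binding that stays live.
        let this = ManuallyDrop::new(self);
        let guard: *const Guard = &this.guard;
        let inner: *const ManuallyDrop<T> = &this.inner;
        // SAFETY: `this` lives to the end of the function, so both pointers
        // are valid; each field is read once and `this` is never dropped.
        let _guard = unsafe { guard.read() };
        let inner = unsafe { inner.read() };
        ManuallyDrop::into_inner(inner)
    }
}

/// Returns the recovered value and the (guard, wrapper) drop counts.
pub fn demo() -> (String, usize, usize) {
    let s = Wrapper::new(String::from("payload")).into_inner();
    (s, GUARD_DROPS.load(SeqCst), WRAPPER_DROPS.load(SeqCst))
}

fn main() { println!("{:?}", demo()); }
```

The guard is dropped exactly once and the wrapper's destructor never runs, which is the behavior into_inner needs without relying on pointers into a value that has already been moved into mem::forget.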
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ZjI0LTZtMjktd20ycs4AA4ih
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-8f24-6m29-wm2r
References:
- https://github.com/tokio-rs/tracing/pull/2765
- https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
- https://github.com/tokio-rs/tracing/releases/tag/tracing-0.1.40
- https://rustsec.org/advisories/RUSTSEC-2023-0078.html
- https://github.com/advisories/GHSA-8f24-6m29-wm2r
Blast Radius: 0.0
Affected Packages
cargo:tracing
Dependent packages: 7,107
Dependent repositories: 43,966
Downloads: 210,244,600 total
Affected Version Ranges: >= 0.1.38, < 0.1.40
Fixed in: 0.1.40
All affected versions: 0.1.38, 0.1.39
All unaffected versions: 0.0.0, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.1.35, 0.1.36, 0.1.37, 0.1.40