Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mODV3LXd2YzctY3J3Y84AAxG3
bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`
In affected versions of this crate, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
The following example demonstrates memory corruption arising from a misuse of this unsoundness.
```rust
use bumpalo::{collections::Vec, Bump};

fn main() {
    let bump = Bump::new();
    let mut vec = Vec::new_in(&bump);
    vec.extend([0x01u8; 32]);
    // The iterator keeps a raw pointer into memory owned by `bump` ...
    let into_iter = vec.into_iter();
    // ... but nothing stops `bump` from being freed while it is still alive.
    drop(bump);
    // Churn the allocator so the freed chunk is likely to be reused.
    for _ in 0..100 {
        let reuse_bump = Bump::new();
        let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
    }
    // Use-after-free: reads from memory that may now hold other data.
    for x in into_iter {
        print!("0x{:02x} ", x);
    }
    println!();
}
```
The issue was corrected in version 3.11.1 by adding a lifetime to the IntoIter type, and updating the signature of Vec::into_iter() to constrain this lifetime.
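The fix described above, reduced to its essentials on a toy arena, as an added example that is not bumpalo's code: `Arena`, `ArenaVec`, `IntoIter` and `sum_in_arena` are hypothetical names, and the arena is a simplified stand-in (boxed slices that stay put until the arena is dropped) rather than a real bump allocator. The iterator holds a raw pointer into arena memory, exactly the situation the advisory describes; what makes it sound is the `'bump` lifetime carried in `IntoIter<'bump>` and returned by `into_iter`, which is the shape of the 3.11.1 change. With that lifetime present, the misuse from the advisory's example (dropping the arena and then iterating) is rejected by the borrow checker instead of compiling into a use-after-free.

```rust
use std::cell::RefCell;
use std::marker::PhantomData;

/// Hypothetical toy arena (not bumpalo): every allocation is a boxed slice
/// that keeps a fixed address until the arena itself is dropped.
pub struct Arena {
    chunks: RefCell<Vec<Box<[u8]>>>,
}

impl Arena {
    pub fn new() -> Self {
        Arena { chunks: RefCell::new(Vec::new()) }
    }

    /// Copies `data` into arena-owned memory. The returned slice borrows from
    /// `&self`, so it cannot outlive the arena.
    pub fn alloc_slice(&self, data: &[u8]) -> &[u8] {
        let chunk: Box<[u8]> = data.to_vec().into_boxed_slice();
        let ptr: *const [u8] = &*chunk;
        self.chunks.borrow_mut().push(chunk);
        // SAFETY: the boxed slice's heap block never moves and is freed only
        // when `self.chunks` is dropped, i.e. together with the arena; the
        // returned reference is bounded by `&self`.
        unsafe { &*ptr }
    }
}

/// Arena-backed vector: a raw pointer into arena memory plus the borrow that
/// ties it to the arena, mirroring the shape of an arena `Vec<'bump, T>`.
pub struct ArenaVec<'bump> {
    ptr: *const u8,
    len: usize,
    _arena: PhantomData<&'bump Arena>,
}

impl<'bump> ArenaVec<'bump> {
    pub fn from_slice(arena: &'bump Arena, data: &[u8]) -> Self {
        let stored = arena.alloc_slice(data);
        ArenaVec { ptr: stored.as_ptr(), len: stored.len(), _arena: PhantomData }
    }
}

/// The post-fix shape: the iterator carries the arena lifetime. The unsound
/// pre-fix shape was the same struct without `'bump`, so nothing stopped the
/// iterator from outliving the memory its pointers refer to.
pub struct IntoIter<'bump> {
    ptr: *const u8,
    end: *const u8,
    _arena: PhantomData<&'bump Arena>,
}

impl<'bump> IntoIterator for ArenaVec<'bump> {
    type Item = u8;
    type IntoIter = IntoIter<'bump>;

    /// Returning `IntoIter<'bump>` (rather than a lifetime-less `IntoIter`)
    /// is the signature change that constrains the iterator to the arena.
    fn into_iter(self) -> IntoIter<'bump> {
        // SAFETY: `ptr..ptr+len` is the slice handed out by `alloc_slice`.
        let end = unsafe { self.ptr.add(self.len) };
        IntoIter { ptr: self.ptr, end, _arena: PhantomData }
    }
}

impl<'bump> Iterator for IntoIter<'bump> {
    type Item = u8;

    fn next(&mut self) -> Option<u8> {
        if self.ptr == self.end {
            return None;
        }
        // SAFETY: `ptr` is inside the arena slice and `'bump` guarantees the
        // arena (hence the slice) is still alive.
        let value = unsafe { *self.ptr };
        self.ptr = unsafe { self.ptr.add(1) };
        Some(value)
    }
}

/// Sound use: the arena outlives the iterator that reads from it.
pub fn sum_in_arena(data: &[u8]) -> u64 {
    let arena = Arena::new();
    let vec = ArenaVec::from_slice(&arena, data);
    let iter = vec.into_iter();
    // Inserting `drop(arena);` here, as the advisory's example does, no longer
    // compiles: `arena` is still borrowed by `iter` (error E0505).
    iter.map(u64::from).sum()
}

fn main() {
    println!("sum = {}", sum_in_arena(&[1, 2, 3, 4]));
}
```

The useful check when reviewing an arena or allocator API is the same one the borrow checker performs here: every type that holds a pointer into allocator-owned memory (iterators, drain adapters, slices handed back from `alloc`) must carry the allocator's lifetime, or it can be moved past the allocator's drop.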
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mODV3LXd2YzctY3J3Y84AAxG3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-f85w-wvc7-crwc
References:
- https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111
- https://rustsec.org/advisories/RUSTSEC-2022-0078.html
- https://github.com/advisories/GHSA-f85w-wvc7-crwc
Affected Packages
cargo:bumpalo
Dependent packages: 114
Dependent repositories: 55,132
Downloads: 75,095,539 total
Affected Version Ranges: >= 1.1.0, < 3.11.1
Fixed in: 3.11.1
All affected versions: 1.1.0, 1.2.0, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.10.0, 3.11.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 3.11.1, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.14.0, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4