Skip to content

Commit

Permalink
Merge pull request #614 from niklasf/raw-cpuid
Browse files Browse the repository at this point in the history
raw-cpuid: Multiple soundness issues
  • Loading branch information
Shnatsel authored Jan 24, 2021
2 parents aba18b2 + 2e01144 commit b330067
Showing 1 changed file with 49 additions and 0 deletions.
49 changes: 49 additions & 0 deletions crates/raw-cpuid/RUSTSEC-0000-0000.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "raw-cpuid"
date = "2021-01-20"
url = "https://github.com/RustSec/advisory-db/pull/614"
categories = ["memory-corruption", "denial-of-service"]

[versions]
patched = [">= 9.0.0"]

[affected]
arch = ["x86", "x86_64"]
```

# Soundness issues in `raw-cpuid`

## Undefined behavior in `as_string()` methods

`VendorInfo::as_string()`, `SoCVendorBrand::as_string()`,
and `ExtendedFunctionInfo::processor_brand_string()` construct byte slices
using `std::slice::from_raw_parts()`, with data coming from
`#[repr(Rust)]` structs. This is always undefined behavior.

See https://github.com/gz/rust-cpuid/issues/40.

This flaw has been fixed in v9.0.0, by making the relevant structs
`#[repr(C)]`.

## `native_cpuid::cpuid_count()` is unsound

`native_cpuid::cpuid_count()` exposes the unsafe `__cpuid_count()` intrinsic
from `core::arch::x86` or `core::arch::x86_64` as a safe function, and uses
it internally, without checking the
[safety requirement](https://doc.rust-lang.org/core/arch/index.html#overview):

> The CPU the program is currently running on supports the function being
> called.
CPUID is available in most, but not all, x86/x86_64 environments. The crate
compiles only on these architectures, so others are unaffected.

This issue is mitigated by the fact that affected programs are expected
to crash deterministically every time.

See https://github.com/gz/rust-cpuid/issues/41.

The flaw has been fixed in v9.0.0, by intentionally breaking compilation
when targetting SGX or 32-bit x86 without SSE. This covers all affected CPUs.

0 comments on commit b330067

Please # to comment.