From ef52d55d34b827866c98e9b0646b258a80a59ba5 Mon Sep 17 00:00:00 2001
From: JOE1994
Date: Sun, 7 Mar 2021 00:57:30 -0500
Subject: [PATCH 1/2] Report 0109-arenavec to RustSec

---
 crates/arenavec/RUSTSEC-0000-0000.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 crates/arenavec/RUSTSEC-0000-0000.md

diff --git a/crates/arenavec/RUSTSEC-0000-0000.md b/crates/arenavec/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..e75df21d2
--- /dev/null
+++ b/crates/arenavec/RUSTSEC-0000-0000.md
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "arenavec"
+date = "2021-01-12"
+url = "https://github.com/ibabushkin/arenavec/issues/1"
+categories = ["memory-corruption"]
+
+[versions]
+patched = []
+```
+
+# panic safety: potential double drop or uninitialized drop of T
+
+Affected versions of this crate did not guard against potential panics that may happen from user-provided functions `T::default()` and `T::drop()`.
+
+Panic within `T::default()` leads to dropping uninitialized `T`, when it is invoked from `common::Slice::::new()`.
+Panic within `T::drop()` leads to double drop of `T`, when it is invoked either from `common::SliceVec::::resize_with()` or `common::SliceVec::::resize()`
+
+Either case causes memory corruption in the heap memory.
\ No newline at end of file

From c2248b0eef6bffdcb5cb340acb8d93b6fcbd90e2 Mon Sep 17 00:00:00 2001
From: Youngsuk Kim
Date: Sun, 7 Mar 2021 09:21:06 -0500
Subject: [PATCH 2/2] arenavec: update advisory title to clarify issue

---
 crates/arenavec/RUSTSEC-0000-0000.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crates/arenavec/RUSTSEC-0000-0000.md b/crates/arenavec/RUSTSEC-0000-0000.md
index e75df21d2..f71a26a63 100644
--- a/crates/arenavec/RUSTSEC-0000-0000.md
+++ b/crates/arenavec/RUSTSEC-0000-0000.md
@@ -10,11 +10,11 @@ categories = ["memory-corruption"]
 patched = []
 ```
 
-# panic safety: potential double drop or uninitialized drop of T
+# panic safety: double drop or uninitialized drop of T upon panic
 
 Affected versions of this crate did not guard against potential panics that may happen from user-provided functions `T::default()` and `T::drop()`.
 
 Panic within `T::default()` leads to dropping uninitialized `T`, when it is invoked from `common::Slice::::new()`.
 Panic within `T::drop()` leads to double drop of `T`, when it is invoked either from `common::SliceVec::::resize_with()` or `common::SliceVec::::resize()`
 
-Either case causes memory corruption in the heap memory.
\ No newline at end of file
+Either case causes memory corruption in the heap memory.