GHSA-qc84-gqf4-9926
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qc84-gqf4-9926
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qc84-gqf4-9926/GHSA-qc84-gqf4-9926.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qc84-gqf4-9926
- Aliases
- Published
- 2022-02-16T22:36:21Z
- Modified
- 2023-11-08T04:08:26.111544Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- crossbeam-utils Race Condition vulnerability
- Details
-
Impact
The affected version of this crate incorrectly assumed that the alignment of
{i,u}64was always the same asAtomic{I,U}64.However, the alignment of
{i,u}64on a 32-bit target can be smaller thanAtomic{I,U}64.This can cause the following problems:
- Unaligned memory accesses
- Data race
Crates using
fetch_*methods withAtomicCell<{i,u}64>are affected by this issue.32-bit targets without
Atomic{I,U}64and 64-bit targets are not affected by this issue. 32-bit targets withAtomic{I,U}64and{i,u}64have the same alignment are also not affected by this issue.The following is a complete list of the builtin targets that may be affected. (last update: nightly-2022-02-11)
- armv7-apple-ios (tier 3)
- armv7s-apple-ios (tier 3)
- i386-apple-ios (tier 3)
- i586-unknown-linux-gnu
- i586-unknown-linux-musl
- i686-apple-darwin (tier 3)
- i686-linux-android
- i686-unknown-freebsd
- i686-unknown-haiku (tier 3)
- i686-unknown-linux-gnu
- i686-unknown-linux-musl
- i686-unknown-netbsd (tier 3)
- i686-unknown-openbsd (tier 3)
- i686-wrs-vxworks (tier 3)
Patches
This has been fixed in crossbeam-utils 0.8.7.
Affected 0.8.x releases have been yanked.
References
https://github.com/crossbeam-rs/crossbeam/pull/781
License
This advisory is in the public domain.
- Database specific
{ "nvd_published_at": "2022-02-15T19:15:00Z", "github_reviewed_at": "2022-02-16T22:36:21Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-362" ] }- References
-
- https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926
- https://nvd.nist.gov/vuln/detail/CVE-2022-23639
- https://github.com/crossbeam-rs/crossbeam/pull/781
- https://github.com/crossbeam-rs/crossbeam
- https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-utils-0.8.7
- https://rustsec.org/advisories/RUSTSEC-2022-0041.html
Affected packages
crates.io / crossbeam-utils
Package
- Name
- crossbeam-utils
- View open source insights on deps.dev
- Purl
- pkg:cargo/crossbeam-utils