RUSTSEC-2021-0093

Source

https://rustsec.org/advisories/RUSTSEC-2021-0093

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0093.json

Aliases

Published

2021-07-30T12:00:00Z

Modified

2023-11-08T04:06:00.955077Z

Details

In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.

Credits to @kmaork for discovering, reporting and fixing the bug.

References

Affected packages

crates.io / crossbeam-deque

Package

Name: crossbeam-deque

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.7.4

Introduced

0.8.0

Fixed

0.8.1

Ecosystem specific

{
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}