RUSTSEC-2021-0095

Source
https://rustsec.org/advisories/RUSTSEC-2021-0095
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0095.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2021-0095
Aliases
Published
2021-06-01T12:00:00Z
Modified
2023-11-08T04:07:22.377459Z
Summary
`mopa` is technically unsound
Details

The mopa crate redefines the deprecated TraitObject struct from core::raw like so:

#[repr(C)]
#[derive(Copy, Clone)]
#[doc(hidden)]
pub struct TraitObject {
    pub data: *mut (),
    pub vtable: *mut (),
}

This is done to then transmute a reference to a trait object (&dyn Trait for any trait Trait) into this struct and retrieve the data field for the purpose of downcasting. This is used to implement downcast_ref_unchecked(), in terms of which downcast_ref() is also implemented. Same goes for mutable reference downcasting and Box downcasting.

The Rust compiler explicitly reserves the right to change the memory layout of &dyn Trait for any trait Trait. The worst case scenario is that it swaps data and vtable, making an executable location breach and compromisation of ASLR possible, since reads from data would read vtable instead. Likewise, arbitrary code execution is also theoretically possible if reads of vtable generated by the compiler read data instead.

While, as of Rust 1.52, this unsound assumption still holds true, updating the compiler may silently create UB in a crate which previously compiled and run without issues, compromising the security of builds which are believed to be reproducible.

A potential strategy to resolve this has already been suggested in an issue on the GitHub repository of the crate.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / mopa

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": "unsound",
    "categories": [
        "memory-corruption",
        "memory-exposure",
        "code-execution"
    ]
}