RUSTSEC-2024-0018

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2024-0018

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0018.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2024-0018

Aliases

GHSA-xfhw-6mc4-mgxf

Published

2024-02-27T12:00:00Z

Modified

2024-04-11T16:41:43.882509Z

Summary

ObjectPool creates uninitialized memory when freeing objects

Details

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.

Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:

use crayon::prelude::*;
application::oneshot().unwrap();

let mut params = MeshParams::default();

let mesh = video::create_mesh(params, None).unwrap();

// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB

The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.

Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / crayon

Package

Name: crayon; View open source insights on deps.dev
Purl: pkg:cargo/crayon

Affected ranges

Type: SEMVER
Events: Introduced

0.6.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "crayon::utils::object_pool::ObjectPool<H,T>::free"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}