
Add advisory for stackvector public length field unsoundness#3005

Merged
djc merged 2 commits into rustsec:main from sisy2020:add-stackvector-length-advisory on Jul 2, 2026

Conversation

@sisy2020

Contributor

Affected crate(s)

  • stackvector (16,059 recent downloads per crates.io)

Links to upstream issue(s) or PR(s)

Severity

This advisory classifies the issue as informational unsound. In affected versions, StackVec::length is public, so safe Rust code can set it to a value larger than the backing array capacity. Safe methods such as remove, pop, and truncate then rely on this corrupted length before performing unsafe pointer operations, which can lead to out-of-bounds access and undefined behavior.

The fix has been merged upstream, but at the time of writing, a patched release does not appear to have been published to crates.io.

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

@djc

djc commented Jun 29, 2026

Member

Waiting for maintainer confirmation if an advisory is appropriate.

@Alexhuszagh

Alexhuszagh commented Jun 30, 2026

Contributor

The advisory is appropriate. I'll file an update when the new version is released and the advisory no longer applies.

@djc

djc commented Jun 30, 2026

Member

> The advisory is appropriate. I'll file an update when the new version is released and the advisory no longer applies.

Do you have an indication of how long you think that'll take?

@Alexhuszagh

Contributor

> The advisory is appropriate. I'll file an update when the new version is released and the advisory no longer applies.
>
> Do you have an indication of how long you think that'll take?

I can have it in 3 hours (at work but I can do this on my break). I was planning on waiting for a release for a broader refactor but life got in the way so having an immediate release is likely a better idea and wait for the refactor after.

@sisy2020 sisy2020 marked this pull request as ready for review June 30, 2026 15:09
@sisy2020

Contributor Author

Thanks for the confirmation. I’m happy to update the advisory once a patched release is published.

@Alexhuszagh

Alexhuszagh commented Jun 30, 2026

Contributor

Version 1.2.0 has been released with these patches:
https://crates.io/crates/stackvector/1.2.0

There are a few issues that still need to be resolved, specifically, the use of mem::uninitialized in StackVec::from_vec_unchecked which is called in from_vec (see Alexhuszagh/rust-stackvector#5), which I can get to later.

There are also some other Miri violations that likely need to be fixed. Specifically, an overall migration to MaybeUninit in general instead of other logic (you can validate this by running cargo +nightly miri test; the borrow stack rules are broken due to a misuse of MaybeUninit, and this would require a breaking change). So as the repository stands right now, an advisory would still apply (for other reasons).

UPDATE: It looks like the soundness fixes shouldn't be too involved and I can have a release that will fix all soundness issues.

@djc

djc commented Jul 1, 2026

Member

> UPDATE: It looks like the soundness fixes shouldn't be too involved and I can have a release that will fix all soundness issues.

Let's hold the advisory for that, then. Thanks for your work on fixing these issues!

Alexhuszagh added a commit to Alexhuszagh/rust-stackvector that referenced this pull request Jul 1, 2026
This avoids the stack borrow violations and ensures that the array is correctly used and no `mem::uninitialized` is used. This causes API-breaking changes by changing to use an array of `MaybeUninit` values, rather than a `MaybeUninit` array, and ensure these are correctly initialized.

Closes [#5](#5)
Addresses [rustsec/advisory-db#3005](rustsec/advisory-db#3005)
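Added example, not code from the crate, the advisory or this thread: a minimal Rust reconstruction of the two shapes discussed here. `UnsoundStackVec` mirrors the affected API from the PR description (a `pub length` field that unsafe pointer code in `pop` trusts), and `StackVec` mirrors the shape the 2.0.0 commit message describes (an array of `MaybeUninit<T>` values with the length kept private). All names, method bodies and the `Tracked` drop-counting helper are assumptions for illustration and are not taken from the crate's source.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::rc::Rc;

// Shape of the affected API, reconstructed for illustration (not the crate's source):
// `length` is `pub`, so safe callers can break the `length <= N` invariant that `pop` relies on.
pub struct UnsoundStackVec<T, const N: usize> {
    pub length: usize,
    data: [MaybeUninit<T>; N],
}

impl<T, const N: usize> UnsoundStackVec<T, N> {
    pub fn new() -> Self {
        // SAFETY: an array of `MaybeUninit<T>` needs no initialization.
        let data = unsafe { MaybeUninit::<[MaybeUninit<T>; N]>::uninit().assume_init() };
        Self { length: 0, data }
    }

    pub fn pop(&mut self) -> Option<T> {
        self.length = self.length.checked_sub(1)?;
        // Reads past `data` if a caller set `length` above `N`: undefined behaviour.
        unsafe { Some((*self.data.as_ptr().add(self.length)).assume_init_read()) }
    }
}

// Safe code alone corrupts the length; we stop short of `pop`, which would be UB.
pub fn unsound_length_can_be_corrupted() -> bool {
    let mut v: UnsoundStackVec<u8, 4> = UnsoundStackVec::new();
    v.length = 1 << 20; // plain assignment, no `unsafe` block needed
    v.length > 4
}

// Hardened shape: `len` is private and each slot is its own `MaybeUninit<T>`, so the
// unsafe reads below can rely on `len <= N` and on slots 0..len having been written.
pub struct StackVec<T, const N: usize> {
    len: usize,
    data: [MaybeUninit<T>; N],
}

impl<T, const N: usize> StackVec<T, N> {
    pub fn new() -> Self {
        let data = unsafe { MaybeUninit::<[MaybeUninit<T>; N]>::uninit().assume_init() };
        Self { len: 0, data }
    }

    pub fn push(&mut self, value: T) -> Result<(), T> {
        if self.len == N { return Err(value); } // hand it back, never write past the end
        self.data[self.len].write(value);
        self.len += 1;
        Ok(())
    }

    pub fn pop(&mut self) -> Option<T> {
        self.len = self.len.checked_sub(1)?;
        // SAFETY: slots 0..len were written by `push`, and only this module writes `len`.
        Some(unsafe { self.data[self.len].assume_init_read() })
    }

    pub fn truncate(&mut self, new_len: usize) {
        while self.len > new_len { self.pop(); } // drops the tail, not just the counter
    }

    pub fn remove(&mut self, index: usize) -> T {
        assert!(index < self.len, "remove index out of bounds");
        // SAFETY: index < len, so the slot is initialized; rotating the vacated slot
        // to the end keeps every initialized slot below `len`.
        let value = unsafe { self.data[index].assume_init_read() };
        self.data[index..self.len].rotate_left(1);
        self.len -= 1;
        value
    }

    pub fn as_slice(&self) -> &[T] {
        // SAFETY: `MaybeUninit<T>` has the layout of `T`, and 0..len is initialized.
        unsafe { std::slice::from_raw_parts(self.data.as_ptr().cast::<T>(), self.len) }
    }
}

impl<T, const N: usize> Drop for StackVec<T, N> {
    fn drop(&mut self) { self.truncate(0); }
}

// Element that counts its drops, so `sound_demo` can check that `remove`, `truncate`
// and `Drop` each release exactly the elements they should, and nothing twice.
pub struct Tracked(pub i32, pub Rc<Cell<usize>>);

impl Drop for Tracked {
    fn drop(&mut self) { self.1.set(self.1.get() + 1); }
}

// Returns (surviving values, drops before the vector is dropped, drops after).
pub fn sound_demo() -> (Vec<i32>, usize, usize) {
    let drops = Rc::new(Cell::new(0));
    let mut v: StackVec<Tracked, 4> = StackVec::new();
    (1..=4).for_each(|i| assert!(v.push(Tracked(i, drops.clone())).is_ok()));
    assert!(v.push(Tracked(5, drops.clone())).is_err()); // full: 5 is dropped here (1)
    drop(v.remove(1)); // removes 2 (drops: 2), leaving [1, 3, 4]
    v.truncate(2); // drops 4 (drops: 3), leaving [1, 3]
    let survivors: Vec<i32> = v.as_slice().iter().map(|t| t.0).collect();
    let before = drops.get();
    drop(v); // Drop runs truncate(0): 1 and 3 go (drops: 5)
    (survivors, before, drops.get())
}
```

The contrast to notice is where the `unsafe` lives: in the reconstruction of the affected shape, the unsafe read in `pop` depends on a field any caller can overwrite in safe code, so `unsound_length_can_be_corrupted` returns true without a single `unsafe` block in the caller. In the hardened shape every unsafe read depends only on `len`, which nothing outside the module can touch, and each slot being its own `MaybeUninit<T>` means `push`, `pop` and `remove` move values in and out of individual slots instead of materializing a whole array that is only partly initialized. Running `cargo +nightly miri test` against a module like this is the cheap way to confirm the borrow-stack and initialization rules are respected, as the thread suggests.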
@Alexhuszagh

Contributor

Version 2.0.0 has been released which fixes all the soundness issues:
https://crates.io/crates/stackvector/2.0.0

Also, miri has been added to CI/CD to help mitigate any future soundness issues.

Review comment thread on crates/stackvector/RUSTSEC-0000-0000.md (outdated)
@djc djc merged commit 342ba49 into rustsec:main Jul 2, 2026
1 check passed
