Add advisory for stackvector public length field unsoundness#3005
Conversation
Waiting for maintainer confirmation if an advisory is appropriate.

The advisory is appropriate. I'll file an update when the new version is released and the advisory no longer applies.
Do you have an indication of how long you think that'll take?
I can have it in 3 hours (at work, but I can do this on my break). I was planning on waiting for a release for a broader refactor, but life got in the way, so having an immediate release is likely a better idea, and waiting for the refactor after.

Thanks for the confirmation. I'm happy to update the advisory once a patched release is published.

Version 1.2.0 has been released with these patches: There are a few issues that still need to be resolved, specifically the use of There's also some other Miri violations that likely need to be fixed. Specifically, an overall migration to UPDATE: It looks like the soundness fixes shouldn't be too involved, and I can have a release that will fix all soundness issues.
Let's hold the advisory for that, then. Thanks for your work on fixing these issues! |
This avoids the stack borrow violations and ensures that the array is correctly used and no `mem::uninitialized` is used. This causes API-breaking changes by changing to use an array of `MaybeUninit` values, rather than a `MaybeUninit` array, and ensure these are correctly initialized.
- Closes [#5](#5)
- Addresses [rustsec/advisory-db#3005](rustsec/advisory-db#3005)

Version 2.0.0 has been released, which fixes all the soundness issues: Also, Miri has been added to CI/CD to help mitigate any future soundness issues.
Affected crate(s)
stackvector (16,059 recent downloads per crates.io)
Links to upstream issue(s) or PR(s)
Make `length` private: Alexhuszagh/rust-stackvector#6
Severity
This advisory classifies the issue as informational: unsound. In affected versions, `StackVec::length` is public, so safe Rust code can set it to a value larger than the backing array capacity. Safe methods such as `remove`, `pop`, and `truncate` then rely on this corrupted length before performing unsafe pointer operations, which can lead to out-of-bounds access and undefined behavior. The fix has been merged upstream, but at the time of writing, a patched release does not appear to have been published to crates.io.
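As an added illustration (constructed here, not code from the stackvector crate or its fix), a minimal fixed-capacity vector in the post-fix style: the length field is private, the backing store is an array of `MaybeUninit` values, and every method that touches the length keeps `len <= N`, which is exactly the invariant a public field lets safe code break. The type and method names are toy names chosen for the example.

```rust
use std::mem::MaybeUninit;
/// Toy fixed-capacity vector (constructed example, not the stackvector crate).
/// Soundness invariant: `len <= N` and `data[..len]` is initialized. It holds
/// because `len` is private and every public method below preserves it.
pub struct StackVec<T, const N: usize> {
    data: [MaybeUninit<T>; N],
    len: usize, // private: safe callers cannot write past the capacity
}

impl<T, const N: usize> StackVec<T, N> {
    pub fn new() -> Self {
        Self { data: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }
    pub fn len(&self) -> usize { self.len }
    /// Hands the value back instead of writing past the array.
    pub fn push(&mut self, value: T) -> Result<(), T> {
        if self.len == N { return Err(value); }
        self.data[self.len] = MaybeUninit::new(value);
        self.len += 1;
        Ok(())
    }
    pub fn pop(&mut self) -> Option<T> {
        if self.len == 0 { return None; }
        self.len -= 1;
        // SAFETY: index < old len, so the slot is initialized; len was
        // decremented first, so the moved-out slot is never read again.
        Some(unsafe { self.data[self.len].assume_init_read() })
    }
    /// Removes the element at `index`, shifting the tail left. The bound is
    /// checked against the private `len`, so a bad index panics instead of UB.
    pub fn remove(&mut self, index: usize) -> T {
        assert!(index < self.len, "remove index {index} out of bounds");
        // SAFETY: index < len, so this slot is initialized.
        let value = unsafe { self.data[index].assume_init_read() };
        // Bitwise rotate moves the stale (moved-out) slot past the new `len`.
        self.data[index..self.len].rotate_left(1);
        self.len -= 1;
        value
    }
    /// Drops elements beyond `new_len`; a `new_len` above `len` is a no-op,
    /// so `truncate` can never inflate the length.
    pub fn truncate(&mut self, new_len: usize) {
        while self.len > new_len { let _ = self.pop(); }
    }
}

impl<T, const N: usize> Drop for StackVec<T, N> {
    fn drop(&mut self) { self.truncate(0); }
}
```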
Checklist
- RUSTSEC-0000-0000 as the ID
- `date` field is set to the public disclosure date