GHSA-f85w-wvc7-crwc – bumpalo
Package
Manager: cargo
Name: bumpalo
Vulnerable Version: >=1.1.0 <3.11.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`

In affected versions of this crate, the lifetime of the iterator produced by `Vec::into_iter()` is not constrained to the lifetime of the `Bump` that allocated the vector's memory. Using the iterator after the `Bump` is dropped causes use-after-free accesses.

The following example demonstrates memory corruption arising from a misuse of this unsoundness.

```rust
use bumpalo::{collections::Vec, Bump};

fn main() {
    let bump = Bump::new();
    let mut vec = Vec::new_in(&bump);
    vec.extend([0x01u8; 32]);
    let into_iter = vec.into_iter();
    drop(bump);

    for _ in 0..100 {
        let reuse_bump = Bump::new();
        let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
    }

    for x in into_iter {
        print!("0x{:02x} ", x);
    }
    println!();
}
```

The issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter` type, and updating the signature of `Vec::into_iter()` to constrain this lifetime.
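The shape of the fix described above, shown on a self-contained toy arena as an added example; it is not bumpalo's code and not part of the advisory. `Arena` (a stand-in for `Bump`), `into_iter` and `drain_while_arena_alive` are hypothetical names, and the element type is fixed to `u8` to keep the sketch short.

```rust
use std::cell::{Cell, UnsafeCell};
use std::marker::PhantomData;

/// Toy stand-in for `bumpalo::Bump` (assumption): one fixed buffer, bump-allocated.
pub struct Arena { buf: UnsafeCell<[u8; 256]>, used: Cell<usize> }

impl Arena {
    pub fn new() -> Self { Arena { buf: UnsafeCell::new([0; 256]), used: Cell::new(0) } }
    /// Copy `src` into the arena and return a raw pointer to the copy.
    fn alloc_copy(&self, src: &[u8]) -> *const u8 {
        let start = self.used.get();
        assert!(start + src.len() <= 256, "arena exhausted");
        self.used.set(start + src.len());
        let dst = unsafe { (self.buf.get() as *mut u8).add(start) };
        unsafe { std::ptr::copy_nonoverlapping(src.as_ptr(), dst, src.len()) };
        dst as *const u8
    }
}

/// Raw pointers carry no lifetime, so the borrow checker cannot see that this
/// iterator points into the arena. `'arena` plus `PhantomData` restores the link.
pub struct IntoIter<'arena> {
    ptr: *const u8,
    end: *const u8,
    _arena: PhantomData<&'arena Arena>,
}

/// Hypothetical constructor: the returned iterator borrows `arena` for `'arena`.
pub fn into_iter<'arena>(arena: &'arena Arena, data: &[u8]) -> IntoIter<'arena> {
    let ptr = arena.alloc_copy(data);
    IntoIter { ptr, end: unsafe { ptr.add(data.len()) }, _arena: PhantomData }
}

impl<'arena> Iterator for IntoIter<'arena> {
    type Item = u8;
    fn next(&mut self) -> Option<u8> {
        if self.ptr == self.end { return None; }
        let byte = unsafe { *self.ptr }; // sound: `'arena` keeps the buffer alive
        self.ptr = unsafe { self.ptr.add(1) };
        Some(byte)
    }
}

pub fn drain_while_arena_alive() -> Vec<u8> {
    let arena = Arena::new();
    let it = into_iter(&arena, &[0x01u8; 32]);
    // drop(arena); // rejected: cannot move out of `arena` because it is borrowed
    it.collect()
}
fn main() { println!("{:02x?}", drain_while_arena_alive()); }
```

Removing the `'arena` parameter and the `PhantomData` field leaves a struct of bare pointers, which is the shape that lets the commented-out `drop` compile.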
Metadata
Created: 2023-01-20T21:54:22Z
Modified: 2023-01-20T21:54:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-f85w-wvc7-crwc/GHSA-f85w-wvc7-crwc.json
CWE IDs: []
Alternative ID: N/A
Finding: F067
Auto approve: 1