Skip to content

Qwaz/rust-cve

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Rust CVE

Preface

This is a list of CVEs for unsound APIs in the Rust standard library. These bugs break Rust's memory safety guarantee and lead to security issues when triggered. Fortunately, they are context-sensitive library APIs that are not usually used in a way that the bugs can be triggered. Many of them require very specific interaction to trigger (e.g., partially consume an iterator and zip() it with another iterator) that is not likely to appear in their daily usage.

Yet, we can't say for sure that there is no code out there using these APIs in a bug-triggering way. Moreover, certain applications such as TockOS and RedLeaf that use Rust's type system as an isolation mechanism can be easily attacked with these bugs. Hence, it is important to signal the existence of these bugs, and I found that issuing a CVE number and creating a RustSec advisory is the most effective way to do so.

†: Reported by me ‡: Reported as part of Rudra project

CVE List

CVE Issue # Title Affected RustSec
CVE-2015-20001 25842 Panic safety violation in BinaryHeap >= 1.0.0, < 1.2.0 link
CVE-2017-20004 41622 MutexGuard<Cell<i32>> must not be Sync >= 1.0.0, < 1.19.0 link
CVE-2018-1000657 44800 Buffer overflow vulnerability in VecDeque::reserve() >= 1.3.0, < 1.22.0 link
CVE-2018-1000810 54399 Buffer overflow vulnerability in str::repeat() >= 1.26.0, < 1.29.1 link
CVE-2018-25008 51780 Insufficient synchronization in Arc::get_mut >= 1.3.0, < 1.29.0 link
CVE-2019-1010299 53566 vec_deque::Iter has unsound Debug implementation >= 1.18.0, < 1.30.0 link
CVE-2019-12083 60787 Memory safety vulnerabilities arising from Error::type_id >= 1.34.0, < 1.34.2 link
CVE-2020-36317 78498 String::retain allows safely creating invalid strings when abusing panic >= 1.26.0, < 1.49.0 link
CVE-2020-36318 79808 VecDeque::make_contiguous may duplicate the contained elements >= 1.48.0, < 1.49.0 link
CVE-2020-36323 80335‡ API soundness issue in join() implementation of [Borrow<str>] >= 1.28.0, < 1.52.0 link
CVE-2021-28875 80894‡ Logic bug in Read can cause buffer overflow in read_to_end() >= 1.20.0, < 1.50.0 link
CVE-2021-28876 81740† Panic safety issue in Zip specialization >= 1.14.0, < 1.52.0 link
CVE-2021-28877 80670 TrustedRandomAaccess specialization composes incorrectly for nested iter::Zips >= 1.11.0, < 1.51.0 link
CVE-2021-28878 82291 Zip may call __iterator_get_unchecked twice with the same index >= 1.14.0, < 1.52.0 link
CVE-2021-28879 82282† Zip can cause buffer overflow when a consumed Zip iterator is used again >= 1.14.0, < 1.52.0 link
CVE-2021-31162 83618† Double free in Vec::from_iter specialization when drop panics >= 1.48.0, < 1.52.0 link

Backlog

These are soundness bugs that I plan to apply CVE IDs for. Note that I focus on soundness bugs that arise from misuse of unsafe Rust code in the standard library, so certain soundness bugs are not included in this list such as type-system bugs (e.g., #25860) or environmental bugs (e.g., #81996). I'll still update the CVE list above if such bug get assigned a CVE ID.

Issue # Title Affected CVE ID Requested
81138 String::replace_range is unsound TODO No
85322 The implementation of InPlaceIterable for Peekable is unsound TODO No
85613† Double free in Vec::dedup_by when T's drop panics TODO No
85813 Unsound Debug impl for collections::linked_list::IterMut TODO No
85873 TrustedRandomAccess optimization for Zip containing vec::IntoIter is unsound TODO No
86443† Panic safety issue in Zip::next_back() TrustedRandomAccess specialization TODO No

About

CVEs for the Rust standard library

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages