enumflags2::make_bitflags unsoundness (#1686)

2025-12-28 23:36:15 +01:00 · 2023-04-23 22:32:26 +02:00
parent cab69cc909
commit 0444576c2a
1 changed files with 48 additions and 0 deletions
--- a/crates/enumflags2/RUSTSEC-0000-0000.md
+++ b/crates/enumflags2/RUSTSEC-0000-0000.md
@@ -0,0 +1,48 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "enumflags2"
+date = "2023-04-17"
+url = "https://github.com/meithecatte/enumflags2/releases/tag/v0.7.7"
+informational = "unsound"
+
+# [affected.macros]
+# "enumflags2::make_bitflags" = ["< 0.7.7, >= 0.7.0"]
+
+[versions]
+patched = [">= 0.7.7"]
+
+unaffected = ["< 0.7.0"]
+```
+
+# Adverserial use of `make_bitflags!` macro can cause undefined behavior
+
+The macro relied on an expression of the form `Enum::Variant` always being a
+variant of the enum. However, it may also be an associated integer constant, in
+which case there's no guarantee that the value of said constant consists only of
+bits valid for this bitflag type.
+
+Thus, code like this could create an invalid `BitFlags<Test>`, which would cause
+iterating over it to trigger undefined behavior. As the debug formatter
+internally iterates over the value, it is also affected.
+
+```rust
+use enumflags2::{bitflags, make_bitflags};
+
+#[bitflags]
+#[repr(u8)]
+#[derive(Copy, Clone, Debug)]
+enum Test {
+    A = 1,
+    B = 2,
+}
+
+impl Test {
+    const C: u8 = 69;
+}
+
+fn main() {
+    let x = make_bitflags!(Test::{C});
+    // printing or iterating over x is UB
+}
+```