From 0444576c2a327314757d7433dbabc101d349a326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maja=20K=C4=85dzio=C5=82ka?=
Date: Sun, 23 Apr 2023 22:32:26 +0200
Subject: [PATCH] enumflags2::make_bitflags unsoundness (#1686)
---
 crates/enumflags2/RUSTSEC-0000-0000.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 crates/enumflags2/RUSTSEC-0000-0000.md
diff --git a/crates/enumflags2/RUSTSEC-0000-0000.md b/crates/enumflags2/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..9301d1f
--- /dev/null
+++ b/crates/enumflags2/RUSTSEC-0000-0000.md
@@ -0,0 +1,48 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "enumflags2"
+date = "2023-04-17"
+url = "https://github.com/meithecatte/enumflags2/releases/tag/v0.7.7"
+informational = "unsound"
+
+# [affected.macros]
+# "enumflags2::make_bitflags" = ["< 0.7.7, >= 0.7.0"]
+
+[versions]
+patched = [">= 0.7.7"]
+
+unaffected = ["< 0.7.0"]
+```
+
+# Adverserial use of `make_bitflags!` macro can cause undefined behavior
+
+The macro relied on an expression of the form `Enum::Variant` always being a
+variant of the enum. However, it may also be an associated integer constant, in
+which case there's no guarantee that the value of said constant consists only of
+bits valid for this bitflag type.
+
+Thus, code like this could create an invalid `BitFlags`, which would cause
+iterating over it to trigger undefined behavior. As the debug formatter
+internally iterates over the value, it is also affected.
+
+```rust
+use enumflags2::{bitflags, make_bitflags};
+
+#[bitflags]
+#[repr(u8)]
+#[derive(Copy, Clone, Debug)]
+enum Test {
+ A = 1,
+ B = 2,
+}
+
+impl Test {
+ const C: u8 = 69;
+}
+
+fn main() {
+ let x = make_bitflags!(Test::{C});
+ // printing or iterating over x is UB
+}
+```
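Review bot: The advisory heading misspells the first word, so `Adverserial` should be changed to `Adversarial`. The heading is presumably what downstream tooling shows as the advisory title, so the typo would reach every report that lists this entry. The `[affected.macros]` table is commented out, which leaves the macro name out of the machine-readable front matter; consumers can match only on the package and the `patched`/`unaffected` ranges. Because of that, the prose should say explicitly that `enumflags2::make_bitflags` is the only affected entry point and that upgrading to 0.7.7 is the remediation, so a reader can check whether their code uses the macro at all.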