From 8b0681777f479f3275478d88cd66aea9ad580eac Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Sun, 14 Feb 2021 19:13:16 -0500 Subject: [PATCH] Add use-after-free advisory for `yottadb 1.1.0` and earlier Note that this does not have an `informational = "unsound"` field because the use-after-free can occur even with normal use of the library, not with specially crafted or malicious usages. --- crates/yottadb/RUSTSEC-0000-0000.md | 41 +++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 crates/yottadb/RUSTSEC-0000-0000.md diff --git a/crates/yottadb/RUSTSEC-0000-0000.md b/crates/yottadb/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..30674d7 --- /dev/null +++ b/crates/yottadb/RUSTSEC-0000-0000.md 
@@ -0,0 +1,41 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "yottadb" +date = "2021-02-09" +url = "https://gitlab.com/YottaDB/Lang/YDBRust/-/issues/40" +categories = ["memory-corruption"] +keywords = ["use-after-free"] + +[versions] +patched = [">= 1.2.0"] + +[affected.functions] +"yottadb::Key::sub_next_self_st" = ["< 1.2.0"] +"yottadb::Key::sub_prev_self_st" = ["< 1.2.0"] +"yottadb::KeyContext::sub_next_self_st" = ["< 1.2.0"] +"yottadb::KeyContext::sub_prev_self_st" = ["< 1.2.0"] +``` + +# Use-after-free in `subscript_next` and `subscript_prev` wrappers + +Affected versions of this crate had an unsound implementation which could pass +a pointer to freed memory to `ydb_subscript_next_st` and +`ydb_subscript_prev_st` if the variable and subscripts did not have enough +memory allocated on the first call to hold the next variable in the database. + +For example, the following code had undefined behavior: + +```rust +let mut key = Key::variable(String::from("a")); +Key::variable("averylongkeywithlotsofletters") + .set_st(YDB_NOTTP, Vec::new(), b"some val") + .unwrap(); +key.sub_next_self_st(YDB_NOTTP, Vec::new()).unwrap(); +``` + +`yottadb` has no reverse-dependencies on crates.io and there are no known +instances of this API being used incorrectly in practice. The fix is backwards +compatible. + +The flaw was corrected by recalculating the pointer each time it was reallocated.
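Review bot: the advisory title names `subscript_next` and `subscript_prev` wrappers, but the `[affected.functions]` table lists `yottadb::Key::sub_next_self_st`, `yottadb::Key::sub_prev_self_st` and their `KeyContext` counterparts; consider making the heading use the same Rust function names as the table (e.g. "Use-after-free in `sub_next_self_st` and `sub_prev_self_st`") so that someone searching the database for the affected API finds it by the name they call, and mentioning `ydb_subscript_next_st` / `ydb_subscript_prev_st` only as the underlying C calls. In the example, the body says the buffer must be large enough "to hold the next variable in the database", and the snippet sets a longer variable name rather than a longer subscript before calling `sub_next_self_st` with an empty subscript list; a one-line note that with no subscripts these calls advance to the next variable name would make it clear why that sequence forces the reallocation that the fix ("recalculating the pointer each time it was reallocated") addresses.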