From 2c791341a0053c43c509fd34512ff285d8691729 Mon Sep 17 00:00:00 2001
From: Kane York
Date: Thu, 29 Feb 2024 19:25:45 -0800
Subject: [PATCH] Add non-informational crayon advisory (#1900)
* Add second crayon advisory The crate already has an informational advisory, and this is clearly a separate issue despite affecting the same code.
* Adjust language to not imply intent w/ clippy The warning silence was in a big pile of other changes and not necessarily done with intent to hide the issue.
---
crates/crayon/RUSTSEC-0000-0000.md | 40 ++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 crates/crayon/RUSTSEC-0000-0000.md
diff --git a/crates/crayon/RUSTSEC-0000-0000.md b/crates/crayon/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..cbf0888
--- /dev/null
+++ b/crates/crayon/RUSTSEC-0000-0000.md
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "crayon"
+date = "2024-02-27"
+url = "https://github.com/shawnscode/crayon/issues/109"
+categories = ["memory-corruption"]
+keywords = ["std::mem::uninitialized", "address-sanitizer"]
+
+[versions]
+patched = []
+unaffected = ["< 0.6.0"]
+[affected]
+functions = { "crayon::utils::object_pool::ObjectPool::free" = [">=0.6.0"] }
+```
+
+# ObjectPool creates uninitialized memory when freeing objects
+
+As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its
+type parameter when it attempts to free an object, and swaps it into the storage. This
+causes instant undefined behavior due to reading the uninitialized memory in order to
+write it to the pool storage.
+
+Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:
+
+```rust
+use crayon::prelude::*;
+application::oneshot().unwrap();
+
+let mut params = MeshParams::default();
+
+let mesh = video::create_mesh(params, None).unwrap();
+
+// Deletes the mesh object.
+video::delete_mesh(mesh); // <-- UB
+```
+
+The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.
+
+Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1