OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-26 16:07:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

prepare first part of raw-cpuid advisory, add solutions

Browse Source
This commit is contained in:
Niklas Fiekas
2021-01-24 21:19:04 +01:00
parent bf41ad844a
commit 2e01144dc4
1 changed files with 16 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
crates/raw-cpuid/RUSTSEC-0000-0000.md
View File

@@ -4,16 +4,16 @@ id = "RUSTSEC-0000-0000"
package = "raw-cpuid"
date = "2021-01-20"
url = "https://github.com/RustSec/advisory-db/pull/614"
categories = ["crash", "memory-corruption"]
categories = ["memory-corruption", "denial-of-service"]
[versions]
patched = [">= TODO"]
patched = [">= 9.0.0"]
[affected]
arch = ["x86", "x86_64"]
```
# Multiple soundness issues in `raw-cpuid`
# Soundness issues in `raw-cpuid`
## Undefined behavior in `as_string()` methods
@@ -24,36 +24,26 @@ using `std::slice::from_raw_parts()`, with data coming from
See https://github.com/gz/rust-cpuid/issues/40.
TODO: The flaw has been corrected by making the relevant structs `#[repr(C)]`.
This flaw has been fixed in v9.0.0, by making the relevant structs
`#[repr(C)]`.
## Combination of `Deserialize` and `as_string()` is unsound
The `as_string()` methods then proceed to use
`std::str::from_utf8_unchecked()`, which is usually valid, because real vendor
names etc. are specified to be ASCII. However, if the `serialize` feature is
enabled, it is also possible to construct the structs with arbitrary values
using their `serde::Deserialize` implementation, thus causing undefined
behavior in safe code.
See https://github.com/gz/rust-cpuid/issues/43.
## `native_cpuid::cpuid_count()` is technically unsound
## `native_cpuid::cpuid_count()` is unsound
`native_cpuid::cpuid_count()` exposes the unsafe `__cpuid_count()` intrinsic
from `core::arch::x86` or `core::arch::x86_64` as a safe function, without
checking the
[safety requirement](https://doc.rust-lang.org/core/arch/index.html#overview)
from `core::arch::x86` or `core::arch::x86_64` as a safe function, and uses
it internally, without checking the
[safety requirement](https://doc.rust-lang.org/core/arch/index.html#overview):
> The CPU the program is currently running on supports the function being
> called.
which is true for most, but not all, x86/x86_64 CPUs. The crate compiles only
on these architectures, so others are unaffected.
CPUID is available in most, but not all, x86/x86_64 environments. The crate
compiles only on these architectures, so others are unaffected.
The function is exposed transitively by the `cpuid!()` macro and used by most
of the crate.
This flaw is mitigated by the fact that affected programs are expected to crash
deterministically every time.
This issue is mitigated by the fact that affected programs are expected
to crash deterministically every time.
See https://github.com/gz/rust-cpuid/issues/41.
The flaw has been fixed in v9.0.0, by intentionally breaking compilation
when targetting SGX or 32-bit x86 without SSE. This covers all affected CPUs.