From 5cc058955173015a23bc80cafb4a576af7ea9946 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Fri, 14 Aug 2020 18:22:30 +0200
Subject: [PATCH 1/3] Add advisory for rgb

---
 crates/rgb/RUSTSEC-0000-0000.toml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 crates/rgb/RUSTSEC-0000-0000.toml

diff --git a/crates/rgb/RUSTSEC-0000-0000.toml b/crates/rgb/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..f08b91b
--- /dev/null
+++ b/crates/rgb/RUSTSEC-0000-0000.toml
@@ -0,0 +1,21 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rgb"
+date = "2020-10-14"
+title = "Allows viewing and modifying arbitrary structs as bytes"
+url = "https://github.com/kornelski/rust-rgb/issues/35"
+informational = "unsound"
+keywords = ["type confusion"]
+description = """
+Affected versions of rgb crate allow viewing and modifying data any type `T` wrapped in `RGB` as bytes,
+and do not correctly constrain `RGB` and other wrapper structures to the types for which it is safe to do so.
+
+If a type containing madding is wrapped in `RGB` and similar wrapper structures,
+viewing it as bytes may lead to exposure of contents of uninitialized memory.
+
+If a type containing a pointer is wrapped in `RGB` and similar wrapper structures,
+modifying it as bytes may lead to derefericing of arbitrary pointers.
+"""
+[versions]
+patched = [">= 0.8.20"]
+unaffected = ["< 0.5.4"]

From a61e5b2ca632aa8ac3b3c75a7823339dce2faf6a Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Fri, 14 Aug 2020 21:19:39 +0200
Subject: [PATCH 2/3] Fix spelling

Co-authored-by: HeroicKatora
---
 crates/rgb/RUSTSEC-0000-0000.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crates/rgb/RUSTSEC-0000-0000.toml b/crates/rgb/RUSTSEC-0000-0000.toml
index f08b91b..f2299c3 100644
--- a/crates/rgb/RUSTSEC-0000-0000.toml
+++ b/crates/rgb/RUSTSEC-0000-0000.toml
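Review bot: The `date` field on the new file's fourth line is `"2020-10-14"`, two months later than this commit's own date of 14 Aug 2020, which looks like a typo for `date = "2020-08-14"`; an advisory dated in the future will sort oddly and may trip the database's validation, so worth confirming against the date the linked issue was filed. The description's opening sentence and the `title` are consistent, but the uninitialized-memory and arbitrary-pointer consequences described below it are not reflected in any machine-readable field; if this repository's advisory schema accepts a `categories` key, something like `categories = ["memory-exposure", "memory-corruption"]` would let tooling classify the impact without parsing prose. Nothing in the patch shows what establishes `unaffected = ["< 0.5.4"]`; a one-line comment above it naming the version in which the byte-view API first appeared would make that bound auditable later.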
@@ -7,14 +7,14 @@ url = "https://github.com/kornelski/rust-rgb/issues/35"
 informational = "unsound"
 keywords = ["type confusion"]
 description = """
-Affected versions of rgb crate allow viewing and modifying data any type `T` wrapped in `RGB` as bytes,
+Affected versions of rgb crate allow viewing and modifying data of any type `T` wrapped in `RGB` as bytes,
 and do not correctly constrain `RGB` and other wrapper structures to the types for which it is safe to do so.
 
-If a type containing madding is wrapped in `RGB` and similar wrapper structures,
+If a type containing padding is wrapped in `RGB` and similar wrapper structures,
 viewing it as bytes may lead to exposure of contents of uninitialized memory.
 
 If a type containing a pointer is wrapped in `RGB` and similar wrapper structures,
-modifying it as bytes may lead to derefericing of arbitrary pointers.
+modifying it as bytes may lead to dereferencing of arbitrary pointers.
 """
 [versions]
 patched = [">= 0.8.20"]

From 9611ff4c0e01ca8673a509836e9ac880fffce7e7 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Fri, 14 Aug 2020 21:24:17 +0200
Subject: [PATCH 3/3] Added note about invariants, specified resolution

---
 crates/rgb/RUSTSEC-0000-0000.toml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/crates/rgb/RUSTSEC-0000-0000.toml b/crates/rgb/RUSTSEC-0000-0000.toml
index f2299c3..2a8d21f 100644
--- a/crates/rgb/RUSTSEC-0000-0000.toml
+++ b/crates/rgb/RUSTSEC-0000-0000.toml
@@ -10,11 +10,13 @@ description = """
 Affected versions of rgb crate allow viewing and modifying data of any type `T` wrapped in `RGB` as bytes,
 and do not correctly constrain `RGB` and other wrapper structures to the types for which it is safe to do so.
 
-If a type containing padding is wrapped in `RGB` and similar wrapper structures,
-viewing it as bytes may lead to exposure of contents of uninitialized memory.
+Safety violation possible for a type wrapped in `RGB` and similar wrapper structures:
 
-If a type containing a pointer is wrapped in `RGB` and similar wrapper structures,
-modifying it as bytes may lead to dereferencing of arbitrary pointers.
+ * If `T` contains padding, viewing it as bytes may lead to exposure of contents of uninitialized memory.
+ * If `T` contains a pointer, modifying it as bytes may lead to dereferencing of arbitrary pointers.
+ * Any safety and/or validity invariants for `T` may be violated.
+
+The issue was resolved by requiring all types wrapped in structures provided by RGB crate to implement an unsafe marker trait.
 """
 [versions]
 patched = [">= 0.8.20"]
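Review bot: The new introductory line `+Safety violation possible for a type wrapped in ...:` is a sentence fragment and never binds the `T` that all three bullets below it refer to; suggest `A safety violation is possible for any type `T` wrapped in `RGB` and similar wrapper structures:`. The added resolution sentence also switches to `RGB crate` while the rest of the description says `rgb crate`, so `structures provided by the rgb crate` keeps the naming consistent. Since the fix is described as an unsafe marker trait, it would help downstream users who wrap their own types to state that implementing that trait makes the implementor responsible for the padding and pointer invariants listed above; the trait's name is not in this patch, so I cannot supply it here.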