OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-01 01:00:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add advisory for tokio-rs/tokio#4225 (#1106)

Browse Source 
* Add advisory for tokio-rs/tokio#4225

If a `tokio::sync::oneshot` channel is closed (via the
[`oneshot::Receiver::close`] method), a data race may occur if the
`oneshot::Sender::send` method is called while the corresponding
`oneshot::Receiver` is `await`ed or calling `try_recv`.

When these methods are called concurrently on a closed channel, the two halves
of the channel can concurrently access a shared memory location, resulting in a
data race. This has been observed to [cause memory corruption][corruption].

Note that the race only occurs when **both** halves of the channel are used
after one half has called `close`. Code where `close` is not used, or where the
`Receiver` is not `await`ed and `try_recv` is not called after calling `close`,
is not affected.

See tokio-rs/tokio#4225 for more details.

This issue was patched in v1.13.1. The patch was backported to the current
LTS version (v1.8.x) in release v1.8.4.

* Update crates/tokio/RUSTSEC-0000-0000.md

Co-authored-by: Tony Arcieri <bascule@gmail.com>

* fix toml lint

whoops

* Update crates/tokio/RUSTSEC-0000-0000.md

* Update crates/tokio/RUSTSEC-0000-0000.md

Co-authored-by: Tony Arcieri <bascule@gmail.com>
This commit is contained in:
Eliza Weisman
2021-11-16 15:02:09 -08:00
committed by GitHub
parent 2a4f5887aa
commit 5f68bbad79
1 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
crates/tokio/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,38 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "tokio"
date = "2021-11-16"
url = "https://github.com/tokio-rs/tokio/issues/4225"
categories = ["memory-corruption", "thread-safety"]
keywords = ["race condition"]
[versions]
patched = [">= 1.8.4, < 1.9.0", ">= 1.13.1"]
unaffected = ["< 0.1.14"]
[affected.functions]
"tokio::sync::oneshot::Receiver::close" = ["<= 1.13.0, >= 0.1.14"]
```
# Data race when sending and receiving after closing a `oneshot` channel
If a `tokio::sync::oneshot` channel is closed (via the
[`oneshot::Receiver::close`] method), a data race may occur if the
`oneshot::Sender::send` method is called while the corresponding
`oneshot::Receiver` is `await`ed or calling `try_recv`.
When these methods are called concurrently on a closed channel, the two halves
of the channel can concurrently access a shared memory location, resulting in a
data race. This has been observed to [cause memory corruption][corruption].
Note that the race only occurs when **both** halves of the channel are used
after the `Receiver` half has called `close`. Code where `close` is not used, or where the
`Receiver` is not `await`ed and `try_recv` is not called after calling `close`,
is not affected.
See [tokio#4225][issue] for more details.
[corruption]: https://github.com/tokio-rs/tokio/issues/4225#issuecomment-967434847
[issue]: https://github.com/tokio-rs/tokio/issues/4225
[`oneshot::Receiver::close`]: https://docs.rs/tokio/1.14.0/tokio/sync/oneshot/struct.Receiver.html#method.close