diff --git a/crates/linked_list_allocator/RUSTSEC-0000-0000.md b/crates/linked_list_allocator/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..2903826 --- /dev/null +++ b/crates/linked_list_allocator/RUSTSEC-0000-0000.md @@ -0,0 +1,22 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "linked_list_allocator" +date = "2022-09-07" +url = "https://github.com/advisories/GHSA-xg8p-34w2-j49j" +categories = ["memory-corruption"] +aliases = ["CVE-2022-36086"] +cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + +[versions] +patched = [">= 0.10.2"] +unaffected = [] +``` + +# Multiple vulnerabilities resulting in out-of-bounds writes + +* The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to **out-of-bound writes** when a heap was initialized with a size smaller than `3 * size_of::` because of metadata write operations. +* When calling `Heap::extend` with a size smaller than two `usize`s (e.g., 16 on `x86_64`), the size was erroneously rounded up to the minimum size, which could result in an **out-of-bounds write**. +* Calling `Heap::extend` on an empty heap tried to construct a heap starting at address 0, which is also an **out-of-bounds write**. + * One specific way to trigger this accidentally is to call `Heap::new` (or a similar constructor) with a heap size that is smaller than two `usize`s. This was treated as an empty heap as well. +* Calling `Heap::extend` on a heap whose size is not a multiple of the size of two `usize`s resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).