From e4784fd31210e747cc6722cc3f370e4d4178ca4a Mon Sep 17 00:00:00 2001 From: Shnatsel Date: Sat, 31 Oct 2020 13:16:00 +0000 Subject: [PATCH] Assigned RUSTSEC-2020-0061 to futures-task --- ...TSEC-0000-0000.md => RUSTSEC-2020-0061.md} | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) rename crates/futures-task/{RUSTSEC-0000-0000.md => RUSTSEC-2020-0061.md} (90%) diff --git a/crates/futures-task/RUSTSEC-0000-0000.md b/crates/futures-task/RUSTSEC-2020-0061.md similarity index 90% rename from crates/futures-task/RUSTSEC-0000-0000.md rename to crates/futures-task/RUSTSEC-2020-0061.md index ffca707..75029ca 100644 --- a/crates/futures-task/RUSTSEC-0000-0000.md +++ b/crates/futures-task/RUSTSEC-2020-0061.md 
@@ -1,32 +1,32 @@ -```toml -[advisory] -id = "RUSTSEC-0000-0000" -package = "futures-task" -date = "2020-05-03" -url = "https://github.com/rust-lang/futures-rs/issues/2091" -categories = ["denial-of-service"] -keywords = ["NULL pointer dereference", "memory-management"] -[versions] -patched = [">= 0.3.5"] -[affected] -functions = { "futures_task::noop_waker_ref" = [">= 0.3.0"] } -``` - -# futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer - -Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference, -assuming that the reference would never be returned from another thread. - -This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to -it attempting to dereference a pointer that wasn't accesible from the main thread. - -Reproduction Example (from issue): -```rust -use futures_task::noop_waker_ref; -fn main() { - let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap(); - waker.wake_by_ref(); -} -``` - -The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage. \ No newline at end of file +```toml +[advisory] +id = "RUSTSEC-2020-0061" +package = "futures-task" +date = "2020-05-03" +url = "https://github.com/rust-lang/futures-rs/issues/2091" +categories = ["denial-of-service"] +keywords = ["NULL pointer dereference", "memory-management"] +[versions] +patched = [">= 0.3.5"] +[affected] +functions = { "futures_task::noop_waker_ref" = [">= 0.3.0"] } +``` + +# futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer + +Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference, +assuming that the reference would never be returned from another thread. 
+ +This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to +it attempting to dereference a pointer that wasn't accesible from the main thread. + +Reproduction Example (from issue): +```rust +use futures_task::noop_waker_ref; +fn main() { + let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap(); + waker.wake_by_ref(); +} +``` + +The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage.
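Review bot: all 32 lines of this hunk are removed and re-added, although the only visible content change is the `id` line (`RUSTSEC-0000-0000` to `RUSTSEC-2020-0061`). This is why the rename is reported at 90% similarity rather than as a one-line change. The pattern points to a whitespace or line-ending difference between the two versions of the file. Keeping the original line endings would let the ID assignment be reviewed as a single-line diff and would keep blame history for the advisory text intact. Two points in the re-added text could be fixed in the same pass. The description line reads "wasn't accesible from the main thread", where "accessible" is the intended spelling. The title and `keywords` describe a NULL pointer dereference, while the description speaks of a pointer that was not accessible from another thread, so the wording should be made consistent.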