Merge pull request #462 from RustSec/assign-ids

Assigned RUSTSEC-2020-0061 to futures-task
Sergey "Shnatsel" Davidoff
2020-10-31 14:16:13 +01:00
committed by GitHub


@@ -1,32 +1,32 @@
```toml ```toml
[advisory] [advisory]
id = "RUSTSEC-0000-0000" id = "RUSTSEC-2020-0061"
package = "futures-task" package = "futures-task"
date = "2020-05-03" date = "2020-05-03"
url = "https://github.com/rust-lang/futures-rs/issues/2091" url = "https://github.com/rust-lang/futures-rs/issues/2091"
categories = ["denial-of-service"] categories = ["denial-of-service"]
keywords = ["NULL pointer dereference", "memory-management"] keywords = ["NULL pointer dereference", "memory-management"]
[versions] [versions]
patched = [">= 0.3.5"] patched = [">= 0.3.5"]
[affected] [affected]
functions = { "futures_task::noop_waker_ref" = [">= 0.3.0"] } functions = { "futures_task::noop_waker_ref" = [">= 0.3.0"] }
``` ```
# futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer # futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer
Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference, Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference,
assuming that the reference would never be returned from another thread. assuming that the reference would never be returned from another thread.
This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to
it attempting to dereference a pointer that wasn't accesible from the main thread. it attempting to dereference a pointer that wasn't accesible from the main thread.
Reproduction Example (from issue): Reproduction Example (from issue):
```rust ```rust
use futures_task::noop_waker_ref; use futures_task::noop_waker_ref;
fn main() { fn main() {
let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap(); let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap();
waker.wake_by_ref(); waker.wake_by_ref();
} }
``` ```
The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage. The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage.
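Review bot: the description carried along unchanged below the new `id` line misspells "accessible" as "accesible" in the sentence about the pointer that "wasn't accesible from the main thread". Since this commit is what publishes the text under RUSTSEC-2020-0061, it is worth fixing in the same change. The closing sentence names the fix as `OnceCell::Lazy<>`, which is not a path a reader can look up as written. If the `once_cell` crate is meant, write it as `once_cell::sync::Lazy`. The one changed line, the id assignment, is consistent with the year in `date = "2020-05-03"`.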