raw-cpuid: Multiple soundness issues

This commit is contained in:
Niklas Fiekas
2021-01-20 17:47:48 +01:00
parent 4250822874
commit bf41ad844a

@@ -0,0 +1,59 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "raw-cpuid"
date = "2021-01-20"
url = "https://github.com/RustSec/advisory-db/pull/614"
categories = ["crash", "memory-corruption"]
[versions]
patched = [">= TODO"]
[affected]
arch = ["x86", "x86_64"]
```
# Multiple soundness issues in `raw-cpuid`
## Undefined behavior in `as_string()` methods
`VendorInfo::as_string()`, `SoCVendorBrand::as_string()`,
and `ExtendedFunctionInfo::processor_brand_string()` construct byte slices
using `std::slice::from_raw_parts()`, with data coming from
`#[repr(Rust)]` structs. This is always undefined behavior.
See https://github.com/gz/rust-cpuid/issues/40.
TODO: The flaw has been corrected by making the relevant structs `#[repr(C)]`.
## Combination of `Deserialize` and `as_string()` is unsound
The `as_string()` methods then proceed to use
`std::str::from_utf8_unchecked()`, which is usually valid, because real vendor
names etc. are specified to be ASCII. However, if the `serialize` feature is
enabled, it is also possible to construct the structs with arbitrary values
using their `serde::Deserialize` implementation, thus causing undefined
behavior in safe code.
See https://github.com/gz/rust-cpuid/issues/43.
## `native_cpuid::cpuid_count()` is technically unsound
`native_cpuid::cpuid_count()` exposes the unsafe `__cpuid_count()` intrinsic
from `core::arch::x86` or `core::arch::x86_64` as a safe function, without
checking the
[safety requirement](https://doc.rust-lang.org/core/arch/index.html#overview)
> The CPU the program is currently running on supports the function being
> called.
which is true for most, but not all, x86/x86_64 CPUs. The crate compiles only
on these architectures, so others are unaffected.
The function is exposed transitively by the `cpuid!()` macro and used by most
of the crate.
This flaw is mitigated by the fact that affected programs are expected to crash
deterministically every time.
See https://github.com/gz/rust-cpuid/issues/41.
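Review bot: the `[versions]` table still ships the placeholder `patched = [">= TODO"]`, and the first section opens with `TODO: The flaw has been corrected by making the relevant structs `#[repr(C)]`.`; before merge, either fill in the released fix version and drop the `TODO:` prefix, or, if no fixed release exists yet, use an empty patched list and phrase the sentence as a pending fix so the advisory does not claim a correction that readers cannot obtain. The second point also applies to the `Deserialize` section, which gives no patched-version or mitigation statement at all, unlike the other two. Lastly, in the `cpuid_count()` section the block quote is dropped into the middle of the sentence "without checking the [safety requirement] ... which is true for most, but not all, x86/x86_64 CPUs"; ending the sentence at the link with a colon and starting a new sentence after the quote ("This holds for most, but not all, ...") keeps the rendered markdown readable.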