mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-03 18:15:23 +01:00
58 lines
1.7 KiB
Markdown
58 lines
1.7 KiB
Markdown
```toml
|
|
[advisory]
|
|
id = "RUSTSEC-2022-0010"
|
|
package = "enum-map"
|
|
date = "2022-02-17"
|
|
url = "https://gitlab.com/KonradBorowski/enum-map/-/blob/master/CHANGELOG.md#version-202"
|
|
categories = ["code-execution", "memory-corruption", "memory-exposure"]
|
|
informational = "unsound"
|
|
aliases = ["GHSA-rxhx-9fj6-6h2m"]
|
|
|
|
[versions]
|
|
patched = [">= 2.0.2"]
|
|
unaffected = ["< 2.0.0-2"]
|
|
```
|
|
|
|
# enum_map macro can cause UB when `Enum` trait is incorrectly implemented
|
|
|
|
Affected versions of this crate did not properly check the length of an enum when using `enum_map!` macro, trusting user-provided length.
|
|
|
|
When the `LENGTH` in the `Enum` trait does not match the array length in the `EnumArray` trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code.
|
|
|
|
This problem can only occur with a manual implementation of the Enum trait, it will never occur for enums that use `#[derive(Enum)]`.
|
|
|
|
Example code that triggers this vulnerability looks like this:
|
|
|
|
```rust
|
|
enum E {
|
|
A,
|
|
B,
|
|
C,
|
|
}
|
|
|
|
impl Enum for E {
|
|
const LENGTH: usize = 2;
|
|
|
|
fn from_usize(value: usize) -> E {
|
|
match value {
|
|
0 => E::A,
|
|
1 => E::B,
|
|
2 => E::C,
|
|
_ => unimplemented!(),
|
|
}
|
|
}
|
|
|
|
fn into_usize(self) -> usize {
|
|
self as usize
|
|
}
|
|
}
|
|
|
|
impl<V> EnumArray<V> for E {
|
|
type Array = [V; 3];
|
|
}
|
|
|
|
let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };
|
|
```
|
|
|
|
The flaw was corrected in commit [b824e23](https://gitlab.com/KonradBorowski/enum-map/-/commit/b824e232f2fb47837740070096ac253df8e80dfc) by putting `LENGTH` property on sealed trait for macro to read.
|