OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-23 15:38:27 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
45a4e9ee37c0e71b4e1e845c0125a662cd096aba
advisory-db/crates/nano_arena/RUSTSEC-2021-0031.md
Alexis Mousset 8c05fea5fa Add cvss information from nvd (#1085)
2021-10-19 16:14:35 -06:00

1.1 KiB
Raw Blame History 

[advisory]
id = "RUSTSEC-2021-0031"
package = "nano_arena"
aliases = ["CVE-2021-28032"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
date = "2021-01-31"
url = "https://github.com/bennetthardwick/nano-arena/issues/1"
categories = ["memory-corruption"]
keywords = ["memory-safety", "aliasing", "unsound"]

[versions]
patched = [">= 0.5.2"]

[affected.functions]
"nano_arena::Arena::split_at" = ["< 0.5.2"]
"nano_arena::ArenaSplit::split_at" = ["< 0.5.2"]

split_at allows obtaining multiple mutable references to the same data

Affected versions of this crate assumed that Borrow<Idx> was guaranteed to return the same value on .borrow(). The borrowed index value was used to retrieve a mutable reference to a value.

If the Borrow<Idx> implementation returned a different index, the split arena would allow retrieving the index as a mutable reference creating two mutable references to the same element. This violates Rust's aliasing rules and allows for memory safety issues such as writing out of bounds and use-after-frees.

The flaw was corrected in commit 6b83f9d by storing the .borrow() value in a temporary variable.