HistoryEdit

RUSTSEC-2020-0062

Improper Sync implementation on FuturesUnordered in futures-utils can cause data corruption

Issued
Package
futures-util (crates.io)
Type
Vulnerability
Categories
Keywords
#concurrency #memory-corruption #memory-management
Aliases
Details
https://github.com/rust-lang/futures-rs/issues/2050
CVSS Score
5.5 MEDIUM
CVSS Details
Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.3.2
Unaffected
  • <0.3.0
Keywords
#concurrency #memory-corruption #memory-management
Affected Functions
Version
futures_util::stream::FuturesUnordered
  • >=0.3.0

Description

Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely.

This could of lead to data corruption since two threads modifying the list at once could see incorrect values due to the lack of access synchronization.

The issue was fixed by adding access synchronization code around insertion of tasks into the list.