Reported

May 31, 2020

Issued

January 19, 2021 (last modified: June 13, 2023)

Package

sys-info (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#concurrency #double-free

Aliases

• CVE-2020-36434
• GHSA-2f5j-3mhq-xv58

References

• https://github.com/FillZpp/sys-info-rs/issues/63

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.8.0

Affected OSes

• linux

Affected Functions

Version

sys_info::disk_info

• <=0.1.1

Description

Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment.

This results in consistent double-frees and segfaults when calling sys_info::disk_info from multiple threads at once.

The issue was fixed by moving the global variable into a local scope.

Safer Alternatives:

• sysinfo

Advisory available under CC0-1.0 license.