Reported

May 31, 2020

Issued

January 19, 2021 (last modified: June 13, 2023)

Package

sys-info (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#concurrency #double-free

Aliases

• CVE-2020-36434
• GHSA-2f5j-3mhq-xv58

References

• https://github.com/FillZpp/sys-info-rs/issues/63

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.8.0

Affected OSes

• linux

Affected Functions

Version

sys_info::disk_info

• <=0.1.1

Description

Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment.

This results in consistent double-frees and segfaults when calling sys_info::disk_info from multiple threads at once.

The issue was fixed by moving the global variable into a local scope.

Safer Alternatives:

• sysinfo

Advisory available under CC0-1.0 license.