RUSTSEC-2021-0031

split_at allows obtaining multiple mutable references to the same data

Issued
Package
nano_arena (crates.io)
Type
Vulnerability
Categories
  • memory-corruption
Aliases
Details
https://github.com/bennetthardwick/nano-arena/issues/1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.5.2
Keywords
  • memory-safety
  • aliasing
  • unsound
Affected Functions
Version
nano_arena::Arena::split_at
  • <0.5.2
nano_arena::ArenaSplit::split_at
  • <0.5.2

Description

Affected versions of this crate assumed that Borrow<Idx> was guaranteed to return the same value on .borrow(). The borrowed index value was used to retrieve a mutable reference to a value.

If the Borrow<Idx> implementation returned a different index, the split arena would allow retrieving the index as a mutable reference creating two mutable references to the same element. This violates Rust's aliasing rules and allows for memory safety issues such as writing out of bounds and use-after-frees.

The flaw was corrected in commit 6b83f9d by storing the .borrow() value in a temporary variable.

More