RUSTSEC-2021-0114

Aliased mutable references from tls_rand & TlsWyRand

Reported

September 23, 2021

Issued

September 23, 2021

Package

nanorand (crates.io)

Type

Vulnerability

Keywords

#memory-safety #aliasing

Details

https://github.com/Absolucy/nanorand-rs/issues/28

Patched

>=0.6.1

Unaffected

<0.5.0

Affected Functions

Version

nanorand::tls::tls_rand

>=0.5.0
<=0.6.0

Description

TlsWyRand's implementation of Deref unconditionally dereferences a raw pointer, and returns multiple mutable references to the same object, which is undefined behavior.