- Reported
-
- Issued
-
- Package
-
linked_list_allocator
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- References
-
- CVSS Score
- 8.4
HIGH
- CVSS Details
-
- Attack vector
- Local
- Attack complexity
- Low
- Privileges required
- None
- User interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Patched
-
Description
- The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than
3 * size_of::<usize>
because of metadata write operations.
- When calling
Heap::extend
with a size smaller than two usize
s (e.g., 16 on x86_64
), the size was erroneously rounded up to the minimum size, which could result in an out-of-bounds write.
- Calling
Heap::extend
on an empty heap tried to construct a heap starting at address 0, which is also an out-of-bounds write.
- One specific way to trigger this accidentally is to call
Heap::new
(or a similar constructor) with a heap size that is smaller than two usize
s. This was treated as an empty heap as well.
- Calling
Heap::extend
on a heap whose size is not a multiple of the size of two usize
s resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).
Advisory available under CC0-1.0
license.