- Reported
-
- Issued
-
- Package
-
bumpalo
(crates.io)
- Type
-
INFO
Unsound
- Categories
-
- Keywords
-
#use-after-free
- Aliases
-
- References
-
- Patched
-
- Unaffected
-
- Affected Functions
- Version
bumpalo::collections::vec::Vec::into_iter
-
Description
In affected versions of this crate, the lifetime of the iterator produced by
Vec::into_iter()
is not constrained to the lifetime of the Bump
that
allocated the vector's memory. Using the iterator after the Bump
is dropped
causes use-after-free accesses.
The following example demonstrates memory corruption arising from a misuse of
this unsoundness.
use bumpalo::{collections::Vec, Bump};
fn main() {
let bump = Bump::new();
let mut vec = Vec::new_in(&bump);
vec.extend([0x01u8; 32]);
let into_iter = vec.into_iter();
drop(bump);
for _ in 0..100 {
let reuse_bump = Bump::new();
let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
}
for x in into_iter {
print!("0x{:02x} ", x);
}
println!();
}
The issue was corrected in version 3.11.1 by adding a lifetime to the IntoIter
type, and updating the signature of Vec::into_iter()
to constrain this
lifetime.
Advisory available under CC0-1.0
license.