Reported

January 11, 2023

Issued

February 3, 2023 (last modified: June 13, 2023)

Package

tokio (crates.io)

Type

INFO Unsound

Categories

• memory-exposure

Aliases

• GHSA-4q83-7cq4-p6wg

References

• https://github.com/tokio-rs/tokio/issues/5372

Patched

• >=1.18.5, <1.19.0
• >=1.20.4, <1.21.0
• >=1.24.2

Unaffected

• <0.2.0

Description

tokio::io::ReadHalf<T>::unsplit can violate the Pin contract

The soundness issue is described in the tokio/issues#5372

Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with the difficulty of making any arbitrary use-after-free exploitable in Rust without doing a lot of careful alignment of data types in the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this soundness issue.

Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e and carllerche appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not affected by this issue.

Advisory available under CC0-1.0 license.