- Reported
-
- Issued
-
- Package
-
arenavec
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#memory-safety
#buffer-overflow
#double-free
#raw-pointer
- References
-
- Patched
-
no patched versions
- Affected Functions
- Version
arenavec::common::AllocHandle::allocate-
arenavec::common::AllocHandle::allocate_or_extend-
arenavec::common::SliceVec::split_off-
arenavec::common::allocate_inner-
Description
The crate has the following vulnerabilities:
-
The public trait arenavec::common::AllocHandle allows the return of raw pointers through its methods allocate and allocate_or_extend. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as arenavec::common::SliceVec::push-potentially leading to arbitrary memory access.
-
The safe API arenavec::common::SliceVec::reserve can reach the private function arenavec::common::allocate_inner. Incorrect behavior in allocate_inner may result in a SliceVec with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between SliceVec.capacity and the actual reserved memory can lead to a heap buffer overflow.
-
The safe API arenavec::common::SliceVec::split_off can duplicate the ownership of the elements in self (of type SliceVec) if they implement the Drop trait. Specifically, when at == 0, the method returns a new SliceVec with the same length as self. Since both self and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.
Advisory available under CC0-1.0
license.