- Reported
-
- Issued
-
- Package
-
arenavec
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#memory-safety
#buffer-overflow
#double-free
#raw-pointer
- References
-
- Patched
-
no patched versions
- Affected Functions
- Version
arenavec::common::AllocHandle::allocate
-
arenavec::common::AllocHandle::allocate_or_extend
-
arenavec::common::SliceVec::split_off
-
arenavec::common::allocate_inner
-
Description
The crate has the following vulnerabilities:
-
The public trait arenavec::common::AllocHandle
allows the return of raw pointers through its methods allocate
and allocate_or_extend
. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as arenavec::common::SliceVec::push
-potentially leading to arbitrary memory access.
-
The safe API arenavec::common::SliceVec::reserve
can reach the private function arenavec::common::allocate_inner
. Incorrect behavior in allocate_inner
may result in a SliceVec
with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between SliceVec.capacity
and the actual reserved memory can lead to a heap buffer overflow.
-
The safe API arenavec::common::SliceVec::split_off
can duplicate the ownership of the elements in self
(of type SliceVec
) if they implement the Drop
trait. Specifically, when at == 0
, the method returns a new SliceVec
with the same length as self
. Since both self
and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.
Advisory available under CC0-1.0
license.