- Reported
-
- Issued
-
- Package
-
metacall
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#bad-free
- References
-
- Patched
-
no patched versions
Description
exception_struct is a local stack variable, but the code passes its address to the C language as &mut exception_struct as *mut _ as *mut c_void. Then, the returned MetaCallException value is stored here:
Ok(Self {
exception_struct: Arc::new(exception_struct),
value: exception_ptr,
leak: false,
})
Because leak is false, the destructor will run later. But the original exception pointer points to Rust stack memory.
Trigger
#[test]
fn exception_bad_free_safe_api() {
let original = metacall::MetaCallException::new(
"test",
"test",
"test",
1,
);
drop(original); // AddressSanitizer: bad-free
}
Impact
Every time the MetaCallException is created, when it is dropped, it leads to a bad-free. This can be triggered through the safe public API MetaCallException::new(), with no unsafe required from the caller.
Advisory available under CC0-1.0
license.