Use after free bug in lru crate #120
Thanks for the quick fix @jeromefroe! I tested #121 and it indeed now gives a compiler error for my test code:

```
error[E0502]: cannot borrow `cache` as mutable because it is also borrowed as immutable
  --> examples/use-after-free.rs:13:9
   |
12 |     for (key, value) in cache.into_iter() {
   |                         -----------------
   |                         |
   |                         immutable borrow occurs here
   |                         immutable borrow later used here
13 |         cache.pop(key);
   |         ^^^^^^^^^^^^^^ mutable borrow occurs here
```

I think this is worth reporting to RustSec after release.
Geal added a commit to apollographql/router that referenced this issue Dec 22, 2021:

LRU < 0.7.1 has a use after free bug jeromefroe/lru-rs#120 https://rustsec.org/advisories/RUSTSEC-2021-0130
geom3trik added a commit to geom3trik/femtovg that referenced this issue Dec 27, 2021:

The lru crate recently fixed a 'use after free bug' jeromefroe/lru-rs#120.
tronical pushed a commit to femtovg/femtovg that referenced this issue Dec 28, 2021:

The lru crate recently fixed a 'use after free bug' jeromefroe/lru-rs#120.
FintanH added a commit to FintanH/radicle-link that referenced this issue Dec 29, 2021:

The advisory script brought up a RUSTSEC error:

```
---
error[A001]: Use after free in lru crate
    ┌─ /home/haptop/Developer/radicle-link/Cargo.lock:207:1
    │
207 │ lru 0.6.6 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2021-0130
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0130
    = Lru crate has use after free vulnerability. Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free.
    = Announcement: jeromefroe/lru-rs#120
    = Solution: Upgrade to >=0.7.1
---
```

This patch follows the recommended solution and pins the `lru` crate to 0.7.1.

Signed-off-by: Fintan Halpenny <[email protected]>
QuentinPerez pushed a commit to QuentinPerez/async-graphql that referenced this issue Dec 30, 2021:

The advisory script brought up a RUSTSEC error:

```
---
error[A001]: Use after free in lru crate
    ┌─ /home/haptop/Developer/radicle-link/Cargo.lock:207:1
    │
207 │ lru 0.6.6 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2021-0130
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0130
    = Lru crate has use after free vulnerability. Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free.
    = Announcement: jeromefroe/lru-rs#120
    = Solution: Upgrade to >=0.7.1
---
```

This patch follows the recommended solution and pins the `lru` crate to 0.7.1.
I think I discovered a use after free bug in the lru crate. The code looked complicated for my skill level, so better to give you what I have before spending more time trying to understand everything. I tested this with both release 0.6.6 and git master (commit 09f68c6, same as 0.7.0 release?).
Consider this piece of code:
This compiles fine, but when run (on macOS) it crashed with a segmentation fault:
The reason is probably that the iterator gives us references to key and value, pop might remove and free the value, and then println tries to access the reference to the value, which is already dropped. However, I didn't take a deep dive into the lru source code yet, so I'm not sure what pop actually does.
I ran this with Address Sanitizer (using git master) and got the following report:
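Added example, not code from this issue or from the lru crate: a constructed, std-only model (hypothetical `Cache`, `Iter` and `drain_all`) of the bug class discussed in the thread, where an iterator over raw-pointer-backed entries is sound only if its item lifetime is tied to the borrow of the cache. The unbound-lifetime signature shown in the comment is an assumption about the shape of the bug, not taken from the crate's source.

```rust
use std::marker::PhantomData;

// Constructed model (not the lru crate's source): entries sit behind raw pointers.
type Entry = (u32, String);
pub struct Cache { slots: Vec<*mut Entry> }
pub struct Iter<'a> { ptrs: std::vec::IntoIter<*mut Entry>, _borrow: PhantomData<&'a Entry> }

impl<'a> Iterator for Iter<'a> {
    type Item = (&'a u32, &'a String);
    fn next(&mut self) -> Option<Self::Item> {
        // SAFETY: valid only while the cache stays borrowed for 'a (no pop() meanwhile).
        self.ptrs.next().map(|p| unsafe { (&(*p).0, &(*p).1) })
    }
}

impl Cache {
    pub fn new() -> Self { Cache { slots: Vec::new() } }
    pub fn put(&mut self, k: u32, v: &str) {
        self.slots.push(Box::into_raw(Box::new((k, v.to_string()))));
    }
    // Frees the entry's allocation; a reference into it would now dangle.
    pub fn pop(&mut self, k: &u32) -> Option<String> {
        let i = self.slots.iter().position(|&p| unsafe { (*p).0 == *k })?;
        let entry: Entry = *unsafe { Box::from_raw(self.slots.remove(i)) };
        Some(entry.1)
    }
    // Assumed bug shape: `fn iter<'a>(&self) -> Iter<'a>` leaves 'a unbound, so pop()
    // in the loop compiles. Tying 'a to &self (below) makes that loop error E0502.
    pub fn iter<'a>(&'a self) -> Iter<'a> {
        Iter { ptrs: self.slots.clone().into_iter(), _borrow: PhantomData }
    }
}

impl Drop for Cache {
    fn drop(&mut self) {
        for p in self.slots.drain(..) { unsafe { drop(Box::from_raw(p)) } }
    }
}

// Pattern the sound API still allows: copy the keys out, then mutate.
pub fn drain_all(cache: &mut Cache) -> Vec<String> {
    let keys: Vec<u32> = cache.iter().map(|(k, _)| *k).collect();
    keys.iter().filter_map(|k| cache.pop(k)).collect()
}

fn main() {
    let mut c = Cache::new();
    for (k, v) in [(1, "a"), (2, "b")] { c.put(k, v); }
    println!("{:?}", drain_all(&mut c));
}
```

With the sound `iter` signature, writing `cache.pop(key)` inside `for (key, _) in cache.iter()` is rejected with the same E0502 error quoted in the comment above.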