Use-after-free on panic in client code
Shnatsel opened this issue · comments
If the code that uses libflate panics, it may trigger a use-after-free in libflate code. Since use-after-free usually poses an arbitrary code execution vulnerability, I will relay further details privately to the maintainer.
Code compiled with panic=abort
is not affected. This can be used as a mitigation in the interim.
Fixed by #37. The problem is in this code:
Lines 1122 to 1129 in cbf1289
The mere existence of mem::uninitialized()
of a generic type is already undefined behavior. It's not clear how bad it is in practice exactly if this memory is never read. However, the definitely practical issue comes from the fact that a panic may happen on line 1127, before reaching mem::forget()
, because the underlying reader provided by the API client may panic. It the panic occurs, drop()
is called on the uninitialized memory, which is equivalent to a use-after-free bug, and use-after-free bugs are often exploitable.
please yank versions 0.1.14 to 0.1.24 inclusive from crates.io.
Done. Thank you for your contribution and advice.
Closing now that the fix is released, vulnerable versions are yanked and a security advisory is filed.