From 1ad495b622b44808198e9474b69cb88b59acf7b5 Mon Sep 17 00:00:00 2001 From: shinmao Date: Wed, 6 Sep 2023 23:15:42 -0400 Subject: [PATCH 01/13] report unsound issues in multiple packages --- crates/crayon/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/data-buffer/RUSTSEC-0000-0000.md | 17 ++++++++++++++ crates/dtb/RUSTSEC-0000-0000.md | 23 +++++++++++++++++++ crates/endian-type-rs/RUSTSEC-0000-0000.md | 19 +++++++++++++++ crates/granne/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/hash-rs/RUSTSEC-0000-0000.md | 20 ++++++++++++++++ crates/mpack/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/pipe-channel/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/radixt/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/rafx-base/RUSTSEC-0000-0000.md | 17 ++++++++++++++ crates/rendy/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/runes/RUSTSEC-0000-0000.md | 15 ++++++++++++ crates/skyline/RUSTSEC-0000-0000.md | 14 +++++++++++ crates/unicode_converter/RUSTSEC-0000-0000.md | 16 +++++++++++++ 14 files changed, 231 insertions(+) create mode 100644 crates/crayon/RUSTSEC-0000-0000.md create mode 100644 crates/data-buffer/RUSTSEC-0000-0000.md create mode 100644 crates/dtb/RUSTSEC-0000-0000.md create mode 100644 crates/endian-type-rs/RUSTSEC-0000-0000.md create mode 100644 crates/granne/RUSTSEC-0000-0000.md create mode 100644 crates/hash-rs/RUSTSEC-0000-0000.md create mode 100644 crates/mpack/RUSTSEC-0000-0000.md create mode 100644 crates/pipe-channel/RUSTSEC-0000-0000.md create mode 100644 crates/radixt/RUSTSEC-0000-0000.md create mode 100644 crates/rafx-base/RUSTSEC-0000-0000.md create mode 100644 crates/rendy/RUSTSEC-0000-0000.md create mode 100644 crates/runes/RUSTSEC-0000-0000.md create mode 100644 crates/skyline/RUSTSEC-0000-0000.md create mode 100644 crates/unicode_converter/RUSTSEC-0000-0000.md diff --git a/crates/crayon/RUSTSEC-0000-0000.md b/crates/crayon/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..34ba274d0 --- /dev/null +++ b/crates/crayon/RUSTSEC-0000-0000.md 
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "crayon" +date = "2023-09-06" +url = "https://github.com/shawnscode/crayon/issues/108" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Uninitialized memory exposure in several safe functions +The safe functions `DataBuffer::extend`, `DataBuffer::extend_from_slice`, and `video::assets::mesh::IndexFormat::encode` all allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory. \ No newline at end of file diff --git a/crates/data-buffer/RUSTSEC-0000-0000.md b/crates/data-buffer/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..7f5006a07 --- /dev/null +++ b/crates/data-buffer/RUSTSEC-0000-0000.md @@ -0,0 +1,17 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "data-buffer" +date = "2023-09-06" +url = "https://github.com/elrnv/buffer/issues/2" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows uninitialized memory exposure in safe function +The safe function `push` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. + +Note: The crate is not maintained anymore. \ No newline at end of file diff --git a/crates/dtb/RUSTSEC-0000-0000.md b/crates/dtb/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..cfd59782c --- /dev/null +++ b/crates/dtb/RUSTSEC-0000-0000.md 
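Review bot: The data-buffer description line `it could violate the safety guarantee of \`func\` and expose the uninitialized memory` ships a template placeholder: `func` is not an identifier in data-buffer, and the same unreplaced placeholder appears in the mpack, pipe-channel, rafx-base and runes advisories added by this patch. Name the unsafe operation whose contract is broken, as the granne entry does, e.g. `it could violate the safety contract of the underlying \`slice::from_raw_parts\` call and expose uninitialized padding bytes`; if the callee is not confirmed from the linked issue, drop the "of `func`" clause rather than publish it. It would also help triage to state the practical impact: the padding bytes presumably land in the byte buffer that `push` produces, so this is an information leak whenever that buffer is written out, not only a soundness violation.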
@@ -0,0 +1,23 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "dtb" +date = "2023-08-11" +url = "https://github.com/ababo/dtb/issues/11" +informational = "unsound" +keywords = ["alignment"] +functions = { + "dtb::struct_item::transmute_buf" = ["<= 0.2.0"], + "dtb::struct_item::value_u32_list" = [<= 0.2.0], + "dtb::reader::next_item" = [<= 0.2.0], + "dtb::reader::read_property" = [<= 0.2.0], + "dtb::reader::get_header" = [<= 0.2.0], + "dtb::writer::get_reserved_mem" = [<= 0.2.0], +} + +[versions] +patched = [] +``` + +# Unsound implementation in several functions +In function `transmute_buf`, it casted an immutable pointer to mutable pointer leading to undefined behavior. In functions `value_u32_list`, `next_item`, `read_property`, `get_header`, `get_reserved_mem`, they all created misaligned pointer by casting and deref the resulted pointers. \ No newline at end of file diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..1409509bf --- /dev/null +++ b/crates/endian-type-rs/RUSTSEC-0000-0000.md @@ -0,0 +1,19 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "endian-type-rs" +date = "2023-09-04" +url = "https://gitlab.com/ertos/endian-type-rs/-/issues/1" +informational = "unsound" +keywords = ["alignment", "type-confusion"] +functions = { + "BigEndian::::from_bytes" = ["<= 0.1.4"], + "LittleEndian::::from_bytes" = [<= 0.1.4], +} + +[versions] +patched = [] +``` + +# Unsound implementation in `from_bytes` +The safe function allows `u8` byte slice to cast to arbitrary types. If the arbitrary type is the type aligned to larger bytes such as `u16`, it could create a misaligned pointer and dereference in the function. If the arbitrary type is `bool` which only allows 0/1 as bit patterns, then the function can create an invalid type and leads to undefined behavior \ No newline at end of file 
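Review bot: The dtb description says `transmute_buf` "casted an immutable pointer to mutable pointer leading to undefined behavior", but the cast by itself is not UB; writing through a `*mut` derived from a shared reference is, so the sentence should say which happens, e.g. `\`transmute_buf\` derives a \`*mut\` from a shared reference and writes through it, which is undefined behavior` (confirm the write against the crate source, which the hunk does not show). The advisory also never says where the misaligned pointers come from; since `next_item`, `read_property` and `get_header` are reader paths, one sentence stating whether the misalignment is reachable from a caller-supplied blob (presumably yes for a DTB parser, but confirm from the issue) tells consumers whether untrusted input triggers it. The `functions` table of this file is reworked in later patches of the series, so this note concerns the prose only.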
diff --git a/crates/granne/RUSTSEC-0000-0000.md b/crates/granne/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..5abd7051f --- /dev/null +++ b/crates/granne/RUSTSEC-0000-0000.md @@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "granne" +date = "2023-09-03" +url = "https://github.com/granne/granne/issues/25" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows accessing arbitrary `struct` as bytes +The safe function `write_as_bytes` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `slice::from_raw_parts` and expose the uninitialized memory. \ No newline at end of file diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..c9b88e215 --- /dev/null +++ b/crates/hash-rs/RUSTSEC-0000-0000.md @@ -0,0 +1,20 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "hash-rs" +date = "2023-08-11" +url = "https://github.com/asukharev/hash-rs/issues/2" +informational = "unsound" +keywords = ["alignment"] +functions = { + "hash-rs::sha1::from" = ["<= 0.0.2"], + "hash-rs::sha3::from" = ["<= 0.0.2"], + "hash-rs::sha3::xor_with" = ["<= 0.0.2"], +} + +[versions] +patched = [] +``` + +# Unsound implementation to misaligned pointer dereference +In three affected functions, they all casted the type aligned to 1 byte to larger aligned type, and deref the misaligned pointers to return them. Misaligned pointer dereference would lead to undefined behavior. \ No newline at end of file diff --git a/crates/mpack/RUSTSEC-0000-0000.md b/crates/mpack/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..bb0ab7fbe --- /dev/null +++ b/crates/mpack/RUSTSEC-0000-0000.md 
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "mpack" +date = "2023-09-06" +url = "https://github.com/dradtke/mpack/issues/2" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows uninitialized memory exposure in safe function +The safe function `write_ext` allows users to write arbitrary types as bytes into buffer. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. \ No newline at end of file diff --git a/crates/pipe-channel/RUSTSEC-0000-0000.md b/crates/pipe-channel/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..f1cf71e3d --- /dev/null +++ b/crates/pipe-channel/RUSTSEC-0000-0000.md @@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "pipe-channel" +date = "2023-09-06" +url = "https://github.com/bugaevc/pipe-channel/issues/4" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows accessing uninitialized memory in `send` and `recv` +The safe function `send` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. In the safe function `recv`, `uninit()` is called on `MaybeUninit` before initialization. In this case, uninitialized memory could be exposed to `slice::from_raw_parts_mut()`. \ No newline at end of file diff --git a/crates/radixt/RUSTSEC-0000-0000.md b/crates/radixt/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..b509306e3 --- /dev/null +++ b/crates/radixt/RUSTSEC-0000-0000.md 
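Review bot: The pipe-channel `recv` sentence, `uninitialized memory could be exposed to \`slice::from_raw_parts_mut()\``, understates the problem: building a `&mut [u8]` over bytes that were never initialized is itself undefined behavior, before anything reads through the slice. Suggested wording: `\`recv\` creates a \`&mut [u8]\` over uninitialized \`MaybeUninit\` storage via \`slice::from_raw_parts_mut\`, which is undefined behavior regardless of what is later read from it; the read should target a \`&mut [MaybeUninit<u8>]\` or the raw pointer instead.` The `send` sentence carries the `func` placeholder seen in the other advisories of this patch; name the real callee or drop the clause.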
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "radixt" +date = "2023-09-06" +url = "https://github.com/marekgalovic/radixt/issues/1" +informational = "unsound" +keywords = ["misalignment"] + +[versions] +patched = [] +``` + +# Multiple misaligned pointer dereference in safe functions +There are several safe functions in the crate made a misaligned pointer dereference and lead to undefined behavior. Simple `cargo test` could reproduce the issue. \ No newline at end of file diff --git a/crates/rafx-base/RUSTSEC-0000-0000.md b/crates/rafx-base/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..a7aa71635 --- /dev/null +++ b/crates/rafx-base/RUSTSEC-0000-0000.md @@ -0,0 +1,17 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "rafx-base" +date = "2023-09-06" +url = "https://github.com/aclysma/rafx/issues/255" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows uninitialized memory exposure in safe function +The safe function `memory::any_as_bytes` and `memory::any_slice_as_bytes` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. + +Note: Even though the author of the crate claimed that "this project does not follow typical guidance for the usage of unsafe". Based on the violation of office rust safety, we still send the report as a warning. \ No newline at end of file diff --git a/crates/rendy/RUSTSEC-0000-0000.md b/crates/rendy/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..df8eff6c3 --- /dev/null +++ b/crates/rendy/RUSTSEC-0000-0000.md 
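Review bot: The radixt advisory names no affected function at all — the description says only "several safe functions" and "Simple `cargo test` could reproduce the issue", which gives a consumer nothing to grep their call graph for and is weaker than every sibling entry in this patch. List the offending functions (or at least the module) as the other entries do and point at the issue for the reproduction: `The safe functions <names from the linked issue> dereference misaligned pointers created by casting; the crate's own \`cargo test\` trips the debug-build alignment check, see the linked issue.` Also `keywords = ["misalignment"]` differs from the `"alignment"` keyword the other misaligned-pointer advisories in this patch use; pick one so the entries can be searched consistently.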
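Review bot: The closing note in rafx-base is a sentence fragment with a typo: `Based on the violation of office rust safety, we still send the report as a warning.` Proposed replacement: `Note: the crate author states that "this project does not follow typical guidance for the usage of unsafe"; the advisory is still filed because the functions are callable from safe code and can read padding bytes, which violates Rust's official safety rules.` The first paragraph also carries the `func` placeholder; name the real callee (presumably a `slice::from_raw_parts` call, but confirm) or drop the clause.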
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "rendy" +date = "2023-09-06" +url = "https://github.com/amethyst/rendy/issues/328" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows uninitialized memory exposure in safe function +The safe function `cast_slice` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory. \ No newline at end of file diff --git a/crates/runes/RUSTSEC-0000-0000.md b/crates/runes/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..7ecb1e445 --- /dev/null +++ b/crates/runes/RUSTSEC-0000-0000.md @@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = ""runes +date = "2023-09-06" +url = "https://github.com/Determinant/runes/issues/2" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Allows uninitialized memory exposure in safe function +The safe functions `load_prefix` and `save_prefix` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. \ No newline at end of file diff --git a/crates/skyline/RUSTSEC-0000-0000.md b/crates/skyline/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..b497aae40 --- /dev/null +++ b/crates/skyline/RUSTSEC-0000-0000.md @@ -0,0 +1,14 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "skyline" +date = "2023-09-03" +informational = "unsound" +url = "https://github.com/ultimate-research/skyline-rs/issues/32" + +[versions] +patched = [] +``` + +# `hex_dump_ptr` allows uninitialized memory exposure +The function allows arbitrary types to be cast to `u8` type. If the user-provided type contains padding bytes, then dereference the resulting type would cause to undefined behavior. \ No newline at end of file 
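Review bot: The skyline entry is the only advisory in this patch without a `keywords` line, and its second sentence, `then dereference the resulting type would cause to undefined behavior`, does not parse. Add `keywords = ["type-confusion"]` for consistency with the sibling entries and reword to `If the user-provided type contains padding bytes, reading them through the resulting \`u8\` view is undefined behavior.` If `hex_dump_ptr` takes a raw pointer from the caller (the name suggests so, but the hunk does not show the signature), the advisory should also say that a safe function dereferences a caller-supplied raw pointer, which is unsound independently of padding.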
diff --git a/crates/unicode_converter/RUSTSEC-0000-0000.md b/crates/unicode_converter/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..507874cd0
--- /dev/null
+++ b/crates/unicode_converter/RUSTSEC-0000-0000.md
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "unicode_converter"
+date = "2023-08-11"
+url = "https://github.com/Arkaeriit/unicode_converter/issues/1"
+informational = "unsound"
+keywords = ["alignment"]
+functions = { "unicode_converter::endian_aware_byte_streamer::conv_to_u64" = ["< 0.1.2"] }
+
+[versions]
+patched = [">= 0.1.2"]
+```
+
+# Unsound implementation of `conv_to_u64`
+The function casted arbitrary type to `u64` and deref the misaligned pointer. Misaligned pointer dereference would lead to undefined behavior in safe function.
\ No newline at end of file
From 41d357768b04608364f4d061f6c978be0aeaf727 Mon Sep 17 00:00:00 2001
From: shinmao
Date: Wed, 6 Sep 2023 23:28:36 -0400
Subject: [PATCH 02/13] update reported issues to multiple packages
---
 crates/dtb/RUSTSEC-0000-0000.md | 10 +++++-----
 crates/endian-type-rs/RUSTSEC-0000-0000.md | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/crates/dtb/RUSTSEC-0000-0000.md b/crates/dtb/RUSTSEC-0000-0000.md
index cfd59782c..8896cd902 100644
--- a/crates/dtb/RUSTSEC-0000-0000.md
+++ b/crates/dtb/RUSTSEC-0000-0000.md
@@ -8,11 +8,11 @@ informational = "unsound"
 keywords = ["alignment"]
 functions = {
 "dtb::struct_item::transmute_buf" = ["<= 0.2.0"],
- "dtb::struct_item::value_u32_list" = [<= 0.2.0],
- "dtb::reader::next_item" = [<= 0.2.0],
- "dtb::reader::read_property" = [<= 0.2.0],
- "dtb::reader::get_header" = [<= 0.2.0],
- "dtb::writer::get_reserved_mem" = [<= 0.2.0],
+ "dtb::struct_item::value_u32_list" = ["<= 0.2.0"],
+ "dtb::reader::next_item" = ["<= 0.2.0"],
+ "dtb::reader::read_property" = ["<= 0.2.0"],
+ "dtb::reader::get_header" = ["<= 0.2.0"],
+ "dtb::writer::get_reserved_mem" = ["<= 0.2.0"],
 }
 
 [versions]
diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md
index 1409509bf..732b65414 100644
--- a/crates/endian-type-rs/RUSTSEC-0000-0000.md
+++ b/crates/endian-type-rs/RUSTSEC-0000-0000.md
@@ -8,7 +8,7 @@ informational = "unsound"
 keywords = ["alignment", "type-confusion"]
 functions = {
 "BigEndian::::from_bytes" = ["<= 0.1.4"],
- "LittleEndian::::from_bytes" = [<= 0.1.4],
+ "LittleEndian::::from_bytes" = ["<= 0.1.4"],
 }
 
 [versions]
From a6239ecc3c1068ec780b406fe2dcb5338047ac13 Mon Sep 17 00:00:00 2001
From: shinmao
Date: Wed, 6 Sep 2023 23:45:12 -0400
Subject: [PATCH 03/13] update reported issues in multiple packages
---
 crates/dtb/RUSTSEC-0000-0000.md | 11 +++-------
 crates/endian-type-rs/RUSTSEC-0000-0000.md | 7 +++----
 crates/hash-rs/RUSTSEC-0000-0000.md | 8 +++-----
 crates/unicode_converter/RUSTSEC-0000-0000.md | 2 ++
 4 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/crates/dtb/RUSTSEC-0000-0000.md b/crates/dtb/RUSTSEC-0000-0000.md
index 8896cd902..ea86ec57a 100644
--- a/crates/dtb/RUSTSEC-0000-0000.md
+++ b/crates/dtb/RUSTSEC-0000-0000.md
@@ -6,14 +6,9 @@ date = "2023-08-11"
 url = "https://github.com/ababo/dtb/issues/11"
 informational = "unsound"
 keywords = ["alignment"]
-functions = {
- "dtb::struct_item::transmute_buf" = ["<= 0.2.0"],
- "dtb::struct_item::value_u32_list" = ["<= 0.2.0"],
- "dtb::reader::next_item" = ["<= 0.2.0"],
- "dtb::reader::read_property" = ["<= 0.2.0"],
- "dtb::reader::get_header" = ["<= 0.2.0"],
- "dtb::writer::get_reserved_mem" = ["<= 0.2.0"],
-}
+
+[affected]
+functions = { "dtb::struct_item::transmute_buf" = ["<= 0.2.0"], "dtb::struct_item::value_u32_list" = ["<= 0.2.0"], "dtb::reader::next_item" = ["<= 0.2.0"], "dtb::reader::read_property" = ["<= 0.2.0"], "dtb::reader::get_header" = ["<= 0.2.0"], "dtb::writer::get_reserved_mem" = ["<= 0.2.0"] }
 
 [versions]
 patched = []
diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md
index 732b65414..2190cee5b 100644
--- a/crates/endian-type-rs/RUSTSEC-0000-0000.md
+++ b/crates/endian-type-rs/RUSTSEC-0000-0000.md
@@ -6,10 +6,9 @@ date = "2023-09-04"
 url = "https://gitlab.com/ertos/endian-type-rs/-/issues/1"
 informational = "unsound"
 keywords = ["alignment", "type-confusion"]
-functions = {
- "BigEndian::::from_bytes" = ["<= 0.1.4"],
- "LittleEndian::::from_bytes" = ["<= 0.1.4"],
-}
+
+[affected]
+functions = { "BigEndian::::from_bytes" = ["<= 0.1.4"], "LittleEndian::::from_bytes" = ["<= 0.1.4"] }
 
 [versions]
 patched = []
diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md
index c9b88e215..6e206476c 100644
--- a/crates/hash-rs/RUSTSEC-0000-0000.md
+++ b/crates/hash-rs/RUSTSEC-0000-0000.md
@@ -6,11 +6,9 @@ date = "2023-08-11"
 url = "https://github.com/asukharev/hash-rs/issues/2"
 informational = "unsound"
 keywords = ["alignment"]
-functions = {
- "hash-rs::sha1::from" = ["<= 0.0.2"],
- "hash-rs::sha3::from" = ["<= 0.0.2"],
- "hash-rs::sha3::xor_with" = ["<= 0.0.2"],
-}
+
+[affected]
+functions = { "hash-rs::sha1::from" = ["<= 0.0.2"], "hash-rs::sha3::from" = ["<= 0.0.2"], "hash-rs::sha3::xor_with" = ["<= 0.0.2"] }
 
 [versions]
 patched = []
diff --git a/crates/unicode_converter/RUSTSEC-0000-0000.md b/crates/unicode_converter/RUSTSEC-0000-0000.md
index 507874cd0..052f6dfdf 100644
--- a/crates/unicode_converter/RUSTSEC-0000-0000.md
+++ b/crates/unicode_converter/RUSTSEC-0000-0000.md
@@ -6,6 +6,8 @@ date = "2023-08-11"
 url = "https://github.com/Arkaeriit/unicode_converter/issues/1"
 informational = "unsound"
 keywords = ["alignment"]
+
+[affected]
 functions = { "unicode_converter::endian_aware_byte_streamer::conv_to_u64" = ["< 0.1.2"] }
 
 [versions]
From d92428a7b065a9ee799cf6e915f5e49817614bda Mon Sep 17 00:00:00 2001
From: shinmao
Date: Wed, 6 Sep 2023 23:49:49 -0400
Subject: [PATCH 04/13] update reported issues for runes
---
 crates/runes/RUSTSEC-0000-0000.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crates/runes/RUSTSEC-0000-0000.md b/crates/runes/RUSTSEC-0000-0000.md
index 7ecb1e445..aa0eb9021 100644
--- a/crates/runes/RUSTSEC-0000-0000.md
+++ b/crates/runes/RUSTSEC-0000-0000.md
@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "RUSTSEC-0000-0000"
-package = ""runes
+package = "runes"
 date = "2023-09-06"
 url = "https://github.com/Determinant/runes/issues/2"
 informational = "unsound"
@@ -12,4 +12,4 @@ patched = []
 ```
 
 # Allows uninitialized memory exposure in safe function
-The safe functions `load_prefix` and `save_prefix` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
\ No newline at end of file
+The safe functions `load_prefix` and `save_prefix` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
From 2722b15b4e15c8071f031a8eec661d7a5e236e6c Mon Sep 17 00:00:00 2001
From: shinmao
Date: Thu, 7 Sep 2023 00:00:02 -0400
Subject: [PATCH 05/13] update identifier in affected function of hash-rs
---
 crates/hash-rs/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md
index 6e206476c..4fb55ce8d 100644
--- a/crates/hash-rs/RUSTSEC-0000-0000.md
+++ b/crates/hash-rs/RUSTSEC-0000-0000.md
@@ -8,7 +8,7 @@ informational = "unsound"
 keywords = ["alignment"]
 
 [affected]
-functions = { "hash-rs::sha1::from" = ["<= 0.0.2"], "hash-rs::sha3::from" = ["<= 0.0.2"], "hash-rs::sha3::xor_with" = ["<= 0.0.2"] }
+functions = { "sha1::from" = ["<= 0.0.2"], "sha3::from" = ["<= 0.0.2"], "sha3::xor_with" = ["<= 0.0.2"] }
 
 [versions]
 patched = []
From 2cae11a927a6761109b6027f76e501f60490aa8c Mon Sep 17 00:00:00 2001
From: shinmao
Date: Thu, 7 Sep 2023 00:06:44 -0400
Subject: [PATCH 06/13] correct the syntax errors for two advisories
---
 crates/endian-type-rs/RUSTSEC-0000-0000.md | 5 +----
 crates/hash-rs/RUSTSEC-0000-0000.md | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md
index 2190cee5b..d4d126505 100644
--- a/crates/endian-type-rs/RUSTSEC-0000-0000.md
+++ b/crates/endian-type-rs/RUSTSEC-0000-0000.md
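Review bot: Dropping the crate prefix turns `sha1::from` into a path that cannot be resolved: the `[affected] functions` keys are fully qualified Rust paths rooted at the crate, and a hyphenated package name is spelled with underscores in Rust paths, so the fix for `hash-rs::sha1::from` is `hash_rs::sha1::from`, not `sha1::from`. If `from` is a `From` impl rather than a free function, the path should name the type it is implemented on (e.g. `hash_rs::sha1::Sha1::from`); confirm against the crate source, which the hunk does not show. As written the table still fails the format check, which the next patch in this series resolves by deleting it rather than by fixing the paths.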
@@ -7,12 +7,9 @@ url = "https://gitlab.com/ertos/endian-type-rs/-/issues/1"
 informational = "unsound"
 keywords = ["alignment", "type-confusion"]
 
-[affected]
-functions = { "BigEndian::::from_bytes" = ["<= 0.1.4"], "LittleEndian::::from_bytes" = ["<= 0.1.4"] }
-
 [versions]
 patched = []
 ```
 
 # Unsound implementation in `from_bytes`
-The safe function allows `u8` byte slice to cast to arbitrary types. If the arbitrary type is the type aligned to larger bytes such as `u16`, it could create a misaligned pointer and dereference in the function. If the arbitrary type is `bool` which only allows 0/1 as bit patterns, then the function can create an invalid type and leads to undefined behavior
\ No newline at end of file
+The safe functions `from_bytes` implemented on `BigEndian` and `LittleEndian` allow `u8` byte slice to cast to arbitrary types. If the arbitrary type is the type aligned to larger bytes such as `u16`, it could create a misaligned pointer and dereference in the function. If the arbitrary type is `bool` which only allows 0/1 as bit patterns, then the function can create an invalid type and leads to undefined behavior
\ No newline at end of file
diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md
index 4fb55ce8d..18c4413b1 100644
--- a/crates/hash-rs/RUSTSEC-0000-0000.md
+++ b/crates/hash-rs/RUSTSEC-0000-0000.md
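Review bot: Deleting the `[affected] functions` tables from endian-type-rs (this hunk) and hash-rs (the next hunk) trades a syntax error for a loss of machine-readable data: tools that match advisories against a dependency's call graph now only see the package name, and the prose replacement is nothing `cargo audit` can act on. The underlying problem was the key spelling — `BigEndian::::from_bytes` has the generic parameter stripped out and no crate root — so the fix is a valid path such as `"endian_type_rs::BigEndian::from_bytes" = ["<= 0.1.4"]` (crate name with underscores, no `<T>`; confirm the lib name from the crate's Cargo.toml). Restore the table with corrected keys instead of dropping it.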
@@ -7,12 +7,9 @@ url = "https://github.com/asukharev/hash-rs/issues/2"
 informational = "unsound"
 keywords = ["alignment"]
 
-[affected]
-functions = { "sha1::from" = ["<= 0.0.2"], "sha3::from" = ["<= 0.0.2"], "sha3::xor_with" = ["<= 0.0.2"] }
-
 [versions]
 patched = []
 ```
 
 # Unsound implementation to misaligned pointer dereference
-In three affected functions, they all casted the type aligned to 1 byte to larger aligned type, and deref the misaligned pointers to return them. Misaligned pointer dereference would lead to undefined behavior.
\ No newline at end of file
+Three affected functions `sha1::from`, `sha3::from`, and `sha3::xor_with` all casted the type aligned to 1 byte to larger aligned type, and deref the misaligned pointers to return them. Misaligned pointer dereference would lead to undefined behavior.
\ No newline at end of file
From 95af265c528ab46669f992bfe38067b458e05001 Mon Sep 17 00:00:00 2001
From: shinmao
Date: Mon, 11 Sep 2023 22:20:33 -0400
Subject: [PATCH 07/13] report unsound issues in multiple packages
---
 crates/xous/RUSTSEC-0000-0000.md | 15 +++++++++++++++
 crates/zub/RUSTSEC-0000-0000.md | 15 +++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 crates/xous/RUSTSEC-0000-0000.md
 create mode 100644 crates/zub/RUSTSEC-0000-0000.md
diff --git a/crates/xous/RUSTSEC-0000-0000.md b/crates/xous/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..6777164ed
--- /dev/null
+++ b/crates/xous/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "xous" +date = "2023-09-11" +url = "https://github.com/betrusted-io/xous-core/issues/410" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Unsound implementation of `MemoryRange::as_slice` and `as_slice_mut` +The implementation of functions cast the pointer of any bit patterns to arbitrary types, which can break the validity invariants for types. The functions should be declared as unsafe so that users should take care of the values when they create the pointer. At this timeline, authors of the package has submitted the PR for `unsafe` declaration and still under review. \ No newline at end of file diff --git a/crates/zub/RUSTSEC-0000-0000.md b/crates/zub/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..d3446afd8 --- /dev/null +++ b/crates/zub/RUSTSEC-0000-0000.md @@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "zub" +date = "2023-09-11" +url = "https://github.com/nilq/zub-vm/issues/14" +informational = "unsound" +keywords = ["type-confusion"] + +[versions] +patched = [] +``` + +# Broken validity invariants in safe functions +The safe functions `from_float` and `from_tag` allow `f64` to transmute to arbitrary types which could be specified in `TaggedHandle`. The values of `f64` can be illegal for other types such as `bool`. It can break the validity invariants of types in the program. \ No newline at end of file From 03f3ceaa330ae17ef37418ba2e0859ba455a0f18 Mon Sep 17 00:00:00 2001 From: shinmao Date: Wed, 20 Sep 2023 09:59:01 -0400 Subject: [PATCH 08/13] update unsound issue for libafl --- crates/libafl/RUSTSEC-0000-0000.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 crates/libafl/RUSTSEC-0000-0000.md diff --git a/crates/libafl/RUSTSEC-0000-0000.md b/crates/libafl/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..004f41162 --- /dev/null 
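Review bot: The last sentence of the xous description, `At this timeline, authors of the package has submitted the PR for \`unsafe\` declaration and still under review`, is a dated status remark that becomes wrong the moment the PR merges and gives readers nothing to follow up on. Replace it with a stable pointer and a remediation statement: `The maintainers have a pull request open that marks both functions \`unsafe\`; see the linked issue for its status. Until a release containing it ships, callers must themselves guarantee that the memory range holds valid values of the target type.` Since marking the functions `unsafe` changes the public API, the fix will likely land in a semver-incompatible release, so fill `patched` with that version rather than leaving the prose to carry the status.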
+++ b/crates/libafl/RUSTSEC-0000-0000.md @@ -0,0 +1,17 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "libafl" +date = "2023-09-20" +url = "https://github.com/AFLplusplus/LibAFL/issues/1526" +keywords = ["alignment"] + +[versions] +patched = [] +``` + +# Create slice from misaligned pointer + +In the safe function `post_exec`, the u8 raw pointer was cast to u16 pointer and passed to `core::slice::from_raw_parts_mut` which requires the pointer to be aligned. The unsound implementation could lead to undefined behavior. + +Note: The issue has been approved and fixed by authors. The patched version could be released after the pull request got reviewed. \ No newline at end of file From 9041797eb48dd655d8a2b7a66076cc8088cdfb8e Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 28 Sep 2023 10:25:30 -0400 Subject: [PATCH 09/13] add unsoundness issue in fyrox-core --- crates/fyrox-core/RUSTSEC-0000-0000.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 crates/fyrox-core/RUSTSEC-0000-0000.md diff --git a/crates/fyrox-core/RUSTSEC-0000-0000.md b/crates/fyrox-core/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..29b691c7a --- /dev/null +++ b/crates/fyrox-core/RUSTSEC-0000-0000.md @@ -0,0 +1,14 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "fyrox-core" +date = "2023-09-28" +url = "https://github.com/FyroxEngine/Fyrox/issues/538" +categories = ["denial-of-service"] +keywords = ["alignment"] +``` + +# Unsound creation of `Vec` from misaligned pointer +In the function `visit`, the pointer to `u8` was allowed to cast to the pointer of any types implementing the trait `PodVecView`. However, the trait can't stop the misalignment issues from happening. The internal usage of library tried to cast the `u8` pointer to `f32` pointer which could lead to undefined behavior. + +The code has been patched and waited for release in latest version. From a8c35d240800ae6743449af5f4f9130c382cc42a Mon Sep 17 00:00:00 2001 
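Review bot: The libafl advisory is missing `informational = "unsound"` — every earlier entry in this series carries it, and without it (and with no `categories`) the database treats this as a full vulnerability, so `cargo audit` fails the build for every LibAFL user instead of emitting the warning the text describes. Add `informational = "unsound"` after the `keywords` line. The closing note ("has been approved and fixed ... could be released after the pull request got reviewed") will go stale; once the fix ships, record the version in `patched` rather than leaving the prose to track status.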
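Review bot: fyrox-core classifies a misaligned `Vec` construction as `categories = ["denial-of-service"]` with no `informational` marker, while the identical bug class earlier in this series (dtb, hash-rs, radixt, unicode_converter) is filed as `informational = "unsound"`; the two should not diverge. A misaligned dereference is undefined behavior, not a guaranteed crash — the panic only comes from the debug-build alignment check, and a release build may silently read or write the wrong memory — so "denial-of-service" both under- and mis-states the impact. Suggest `informational = "unsound"` and dropping the DoS category unless the linked issue shows a reachable crash in release builds. The missing `[versions]` table is added by the next patch in the series, so nothing to do for that here.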
From: shinmao Date: Thu, 28 Sep 2023 10:31:37 -0400 Subject: [PATCH 10/13] add patched version to fyrox-core issue --- crates/fyrox-core/RUSTSEC-0000-0000.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crates/fyrox-core/RUSTSEC-0000-0000.md b/crates/fyrox-core/RUSTSEC-0000-0000.md index 29b691c7a..0e362caa6 100644 --- a/crates/fyrox-core/RUSTSEC-0000-0000.md +++ b/crates/fyrox-core/RUSTSEC-0000-0000.md @@ -6,6 +6,9 @@ date = "2023-09-28" url = "https://github.com/FyroxEngine/Fyrox/issues/538" categories = ["denial-of-service"] keywords = ["alignment"] + +[versions] +patched = [">= 0.25.0"] ``` # Unsound creation of `Vec` from misaligned pointer From 583c9abcd8f0cccab7f47fca5c2a5bea8da685c5 Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 28 Sep 2023 10:40:32 -0400 Subject: [PATCH 11/13] add unsoundness issue in gfx-backend-gl --- crates/gfx-backend-gl/RUSTSEC-0000-0000.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 crates/gfx-backend-gl/RUSTSEC-0000-0000.md diff --git a/crates/gfx-backend-gl/RUSTSEC-0000-0000.md b/crates/gfx-backend-gl/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..677990961 --- /dev/null +++ b/crates/gfx-backend-gl/RUSTSEC-0000-0000.md @@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "gfx-backend-gl" +date = "2023-09-28" +url = "https://github.com/gfx-rs/gfx/issues/3795" +categories = ["denial-of-service"] +keywords = ["alignment"] + +[versions] +patched = [] +``` + +# Unsound creation of slice from misaligned pointer +In the function `get`, the pointer to `u8` was allowed to cast to arbitrary types including `f32/f64/i32` which could create a misaligned pointer. When users pass the pointer to `slice::from_raw_parts`, users should guarantee that the pointer is aligned by themselves; otherwise, it could lead to undefined behavior. From 11f2770d10ccc02ff75fe8b600a02d281fbddfed Mon Sep 17 00:00:00 2001 
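Review bot: The gfx-backend-gl description leaves responsibility unclear: `When users pass the pointer to \`slice::from_raw_parts\`, users should guarantee that the pointer is aligned by themselves` reads as though the caller invokes `from_raw_parts`, whereas the advisory's point is that the safe `get` performs the cast and the `from_raw_parts` call internally. Suggested: `The safe function \`get\` casts a \`u8\` pointer to the requested element type (\`f32\`, \`f64\`, \`i32\`, ...) and passes it to \`slice::from_raw_parts\` without checking alignment; a misaligned pointer there is undefined behavior.` As with fyrox-core, `categories = ["denial-of-service"]` without `informational = "unsound"` is inconsistent with the earlier entries of this series for the same bug class.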
From: shinmao Date: Thu, 28 Sep 2023 10:47:19 -0400 Subject: [PATCH 12/13] add unsound issue in spl-token-swap --- crates/spl-token-swap/RUSTSEC-0000-0000.md | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 crates/spl-token-swap/RUSTSEC-0000-0000.md diff --git a/crates/spl-token-swap/RUSTSEC-0000-0000.md b/crates/spl-token-swap/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..7cbdaa097 --- /dev/null +++ b/crates/spl-token-swap/RUSTSEC-0000-0000.md @@ -0,0 +1,37 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "spl-token-swap" +date = "2023-09-28" +url = "https://github.com/solana-labs/solana-program-library/issues/5243" +categories = ["denial-of-service"] +keywords = ["alignment"] + +[versions] +patched = [] +``` + +# Multiple unsoundness issues in public function `instruction::unpack` +The safe function `instruction::unpack` is unsound and accessible to users. + +The safe function allows misaligned pointer dereference: +```rs +use spl_token_swap::instruction::unpack; + +fn main() { + let a: [u8; 3] = [3; 3]; + let up = unpack::(&a).unwrap(); + println!("{}", up); +} +``` +which will lead to panic. + +The function also allows breaking validity invariant, e.g., +```rs +fn main() { + let a: [u8; 3] = [3; 3]; + let up = unpack::(&a).unwrap(); + println!("{}", up); +} +``` +Miri will show that the value of boolean is invalid here. From 717a2c77afd7696d3c62b4d5e305fbed957fcdb2 Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 26 Oct 2023 17:12:28 -0400 Subject: [PATCH 13/13] add unsound issue in uhyve --- crates/uhyve/RUSTSEC-0000-0000.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 crates/uhyve/RUSTSEC-0000-0000.md diff --git a/crates/uhyve/RUSTSEC-0000-0000.md b/crates/uhyve/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..315c3e37c --- /dev/null +++ b/crates/uhyve/RUSTSEC-0000-0000.md 
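Review bot: Both PoC snippets call `unpack::(&a)` with an empty turbofish, so neither compiles and the two examples are textually identical even though the prose says one demonstrates a misaligned dereference and the other an invalid `bool`; the type parameters were presumably lost in editing (something like `unpack::<u32>(&a)` for the first and `unpack::<bool>(&a)` for the second — restore them from the linked issue). "which will lead to panic" is also imprecise: a misaligned dereference is undefined behavior, and the panic observed is the debug-build alignment assertion, so say `in debug builds this trips the misaligned-pointer check; in release builds it is undefined behavior`. The fences are tagged `rs`; `rust` is the conventional tag and is what most renderers highlight.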
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "uhyve"
+date = "2023-10-26"
+url = "https://github.com/hermit-os/uhyve/issues/571"
+categories = ["denial-of-service"]
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation lead to misaligned pointer dereference
+There are several functions having unsound implementation which can lead to misaligned pointer dereference. Among these functions, One (`ring_elem`) allows casting `u8` pointer to arbitrary type and dereference it, and other are implementing concrete type casting and lead to same issues.
+
+PoC can be found in link.
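Review bot: The uhyve description names only `ring_elem` and describes the rest as "other are implementing concrete type casting", which does not let a consumer locate the affected code; list them as the hash-rs and dtb entries do, and replace the dangling `PoC can be found in link.` with a sentence that says which link: `A proof of concept is attached to the linked issue.` Because uhyve is a hypervisor, it would also help to state whether the misaligned casts operate on guest-controlled memory (the `ring_elem` name suggests a shared ring buffer, but the hunk does not show it), since that decides whether a guest can trigger the undefined behavior in the host. As with the other entries of this series filed under `categories = ["denial-of-service"]`, `informational = "unsound"` is the marker the earlier advisories use for this bug class.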