rustsec · shinmao · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023
diff --git a/crates/crayon/RUSTSEC-0000-0000.md b/crates/crayon/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "crayon"
+date = "2023-09-06"
+url = "https://github.com/shawnscode/crayon/issues/108"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Uninitialized memory exposure in several safe functions
+The safe functions `DataBuffer::extend`, `DataBuffer::extend_from_slice`, and `video::assets::mesh::IndexFormat::encode` all allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory.
diff --git a/crates/data-buffer/RUSTSEC-0000-0000.md b/crates/data-buffer/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "data-buffer"
+date = "2023-09-06"
+url = "https://github.com/elrnv/buffer/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `push` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
+
+Note: The crate is not maintained anymore.
diff --git a/crates/dtb/RUSTSEC-0000-0000.md b/crates/dtb/RUSTSEC-0000-0000.md
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "dtb"
+date = "2023-08-11"
+url = "https://github.com/ababo/dtb/issues/11"
+informational = "unsound"
+keywords = ["alignment"]
+
+[affected]
+functions = { "dtb::struct_item::transmute_buf" = ["<= 0.2.0"], "dtb::struct_item::value_u32_list" = ["<= 0.2.0"], "dtb::reader::next_item" = ["<= 0.2.0"], "dtb::reader::read_property" = ["<= 0.2.0"], "dtb::reader::get_header" = ["<= 0.2.0"], "dtb::writer::get_reserved_mem" = ["<= 0.2.0"] }
+
+[versions]
+patched = []
+```
+
+# Unsound implementation in several functions
+In function `transmute_buf`, it casted an immutable pointer to mutable pointer leading to undefined behavior. In functions `value_u32_list`, `next_item`, `read_property`, `get_header`, `get_reserved_mem`, they all created misaligned pointer by casting and deref the resulted pointers.
diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "endian-type-rs"
+date = "2023-09-04"
+url = "https://gitlab.com/ertos/endian-type-rs/-/issues/1"
+informational = "unsound"
+keywords = ["alignment", "type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation in `from_bytes`
+The safe functions `from_bytes` implemented on `BigEndian` and `LittleEndian` allow `u8` byte slice to cast to arbitrary types. If the arbitrary type is the type aligned to larger bytes such as `u16`, it could create a misaligned pointer and dereference in the function. If the arbitrary type is `bool` which only allows 0/1 as bit patterns, then the function can create an invalid type and leads to undefined behavior
diff --git a/crates/granne/RUSTSEC-0000-0000.md b/crates/granne/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "granne"
+date = "2023-09-03"
+url = "https://github.com/granne/granne/issues/25"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows accessing arbitrary `struct` as bytes
+The safe function `write_as_bytes` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `slice::from_raw_parts` and expose the uninitialized memory.
diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hash-rs"
+date = "2023-08-11"
+url = "https://github.com/asukharev/hash-rs/issues/2"
+informational = "unsound"
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation to misaligned pointer dereference
+Three affected functions `sha1::from`, `sha3::from`, and `sha3::xor_with` all casted the type aligned to 1 byte to larger aligned type, and deref the misaligned pointers to return them. Misaligned pointer dereference would lead to undefined behavior.
diff --git a/crates/mpack/RUSTSEC-0000-0000.md b/crates/mpack/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mpack"
+date = "2023-09-06"
+url = "https://github.com/dradtke/mpack/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `write_ext` allows users to write arbitrary types as bytes into buffer. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
diff --git a/crates/pipe-channel/RUSTSEC-0000-0000.md b/crates/pipe-channel/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pipe-channel"
+date = "2023-09-06"
+url = "https://github.com/bugaevc/pipe-channel/issues/4"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows accessing uninitialized memory in `send` and `recv`
+The safe function `send` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. In the safe function `recv`, `uninit()` is called on `MaybeUninit` before initialization. In this case, uninitialized memory could be exposed to `slice::from_raw_parts_mut()`.
diff --git a/crates/radixt/RUSTSEC-0000-0000.md b/crates/radixt/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "radixt"
+date = "2023-09-06"
+url = "https://github.com/marekgalovic/radixt/issues/1"
+informational = "unsound"
+keywords = ["misalignment"]
+
+[versions]
+patched = []
+```
+
+# Multiple misaligned pointer dereference in safe functions
+There are several safe functions in the crate made a misaligned pointer dereference and lead to undefined behavior. Simple `cargo test` could reproduce the issue.
diff --git a/crates/rafx-base/RUSTSEC-0000-0000.md b/crates/rafx-base/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rafx-base"
+date = "2023-09-06"
+url = "https://github.com/aclysma/rafx/issues/255"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `memory::any_as_bytes` and `memory::any_slice_as_bytes` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
+
+Note: Even though the author of the crate claimed that "this project does not follow typical guidance for the usage of unsafe". Based on the violation of office rust safety, we still send the report as a warning.
diff --git a/crates/rendy/RUSTSEC-0000-0000.md b/crates/rendy/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rendy"
+date = "2023-09-06"
+url = "https://github.com/amethyst/rendy/issues/328"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `cast_slice` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory.
diff --git a/crates/runes/RUSTSEC-0000-0000.md b/crates/runes/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "runes"
+date = "2023-09-06"
+url = "https://github.com/Determinant/runes/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe functions `load_prefix` and `save_prefix` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
diff --git a/crates/skyline/RUSTSEC-0000-0000.md b/crates/skyline/RUSTSEC-0000-0000.md
@@ -0,0 +1,14 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "skyline"
+date = "2023-09-03"
+informational = "unsound"
+url = "https://github.com/ultimate-research/skyline-rs/issues/32"
+
+[versions]
+patched = []
+```
+
+# `hex_dump_ptr` allows uninitialized memory exposure
+The function allows arbitrary types to be cast to `u8` type. If the user-provided type contains padding bytes, then dereference the resulting type would cause to undefined behavior.
diff --git a/crates/unicode_converter/RUSTSEC-0000-0000.md b/crates/unicode_converter/RUSTSEC-0000-0000.md
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "unicode_converter"
+date = "2023-08-11"
+url = "https://github.com/Arkaeriit/unicode_converter/issues/1"
+informational = "unsound"
+keywords = ["alignment"]
+
+[affected]
+functions = { "unicode_converter::endian_aware_byte_streamer::conv_to_u64" = ["< 0.1.2"] }
+
+[versions]
+patched = [">= 0.1.2"]
+```
+
+# Unsound implementation of `conv_to_u64`
+The function casted arbitrary type to `u64` and deref the misaligned pointer. Misaligned pointer dereference would lead to undefined behavior in safe function.