RUSTSEC-2024-0018: Vulnerability in crayon

Rust Crates.io Security Advisory


History
Edit
JSON (OSV)

RUSTSEC-2024-0018

ObjectPool creates uninitialized memory when freeing objects


Reported
Issued

Package

crayon
(crates.io)

Type

Vulnerability

Categories
Keywords

#std–mem–uninitialized

#address-sanitizer

References
Patched

no patched versions

Unaffected
  • <0.6.0
Affected Functions
Version
crayon::utils::object_pool::ObjectPool::free
  • >=0.6.0

Description

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its
type parameter when it attempts to free an object, and swaps it into the storage. This
causes instant undefined behavior due to reading the uninitialized memory in order to
write it to the pool storage.

Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:

use crayon::prelude::*;
application::oneshot().unwrap();
let mut params = MeshParams::default();
let mesh = video::create_mesh(params, None).unwrap();
// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB

The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.

Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1

Advisory available under CC0-1.0
license.

READ MORE