Send bound needed on T (for Send impl of Bucket2) #2
Comments
Good catch! And well done with your PoC example, I like it. I think the suggested solution is reasonable, please feel free to post a PR fix, otherwise, I will work on this and try to get the fix in before next week.

Would you mind publishing a new release that includes the fix to crates.io?

Thank you for the swift fix! Heads up: this issue has been submitted to the RustSec advisory database. It will be surfaced by tools such as cargo-audit or cargo-deny once merged. I see the issue was fixed in git, but there seems to be no release incorporating the change. Could you publish a new release to crates.io? Once it's published, please let me know and I'll include the fixed version in the advisory.

@Chopinsky

Sorry that I was quite busy recently. I will release the fix today.

@Chopinsky

yep, my bad, just published the new
Hello 🦀 ,
while scanning crates.io, we (Rust group @sslab-gatech) have noticed a soundness/memory safety issue in this crate which allows safe Rust code to trigger undefined behavior.
Issue
Currently `Send` is implemented for `Bucket2<T>` even when `T` is not bound by `Send`. This makes it possible to use `SyncPool<T>` to send a non-`Send` object to other threads.

Proof of Concept
Below is an example program that exhibits undefined behavior using the `syncpool` crate.

There is a data race on the internal reference count of `Rc`, and the program either crashes at runtime (e.g. on Ubuntu: `Illegal Instruction (Core Dumped)`), or panics at the end of the program (indicating a memory leak). Such behavior can be observed when the program is compiled in Debug mode.
The example is a bit contrived, but it triggers undefined behavior in safe Rust code.
How to fix the issue
The solution is to add a `Send` bound on `T` in the `Send` impl for `Bucket2<T>` as below.

I tested the above example using the modified version of the crate, and the compiler was able to successfully revoke the program.
Thank you for checking out this issue 🦀
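
The bound discussed in this issue, shown on a stand-in type as an added example; this is not code from the issue or from the syncpool crate. `Bucket`, `Probe`, `Fallback` and the helper functions are hypothetical names, and the raw-pointer layout is an assumption chosen so that a manual `Send` impl is needed.

```rust
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::Arc;
use std::thread;

// Hypothetical stand-in for a pool bucket (assumption: NOT syncpool's Bucket2).
// The raw pointer removes the automatic `Send` impl, so one is written by hand.
pub struct Bucket<T> {
    slot: *mut T,
}

impl<T> Bucket<T> {
    pub fn new(value: T) -> Self {
        Bucket { slot: Box::into_raw(Box::new(value)) }
    }
    pub fn get(&self) -> &T {
        // SAFETY: `slot` came from Box::into_raw and is freed only in Drop.
        unsafe { &*self.slot }
    }
}

impl<T> Drop for Bucket<T> {
    fn drop(&mut self) {
        // SAFETY: same allocation that `new` leaked; dropped exactly once.
        unsafe { drop(Box::from_raw(self.slot)) }
    }
}

// Unbounded form named in the issue: `unsafe impl<T> Send for Bucket<T> {}`.
// Bounded form: the bucket may cross threads only if its contents may.
unsafe impl<T: Send> Send for Bucket<T> {}

// Stable-Rust probe: the inherent const is chosen only when `T: Send` holds,
// otherwise lookup falls back to the trait default.
struct Probe<T>(PhantomData<T>);
trait Fallback { const IS_SEND: bool = false; }
impl<T> Fallback for Probe<T> {}
impl<T: Send> Probe<T> { const IS_SEND: bool = true; }

pub fn arc_bucket_is_send() -> bool { <Probe<Bucket<Arc<u32>>>>::IS_SEND }
pub fn rc_bucket_is_send() -> bool { <Probe<Bucket<Rc<u32>>>>::IS_SEND }

// Moving a bucket into a worker thread compiles because Arc<u32>: Send.
pub fn read_on_worker(b: Bucket<Arc<u32>>) -> u32 {
    thread::spawn(move || **b.get() + 1).join().unwrap()
}
fn main() {
    println!("Arc: {}, Rc: {}", arc_bucket_is_send(), rc_bucket_is_send());
    println!("worker saw {}", read_on_worker(Bucket::new(Arc::new(41))));
}
```

With the bounded impl, passing a `Bucket<Rc<u32>>` to `thread::spawn` is a compile error rather than a data race on the reference count.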