Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2023-0005: tokio::io::ReadHalf<T>::unsplit is Unsound #3085

Closed
github-actions bot opened this issue Apr 5, 2023 · 1 comment
Closed

RUSTSEC-2023-0005: tokio::io::ReadHalf<T>::unsplit is Unsound #3085

github-actions bot opened this issue Apr 5, 2023 · 1 comment
Assignees
@djmitche

Comments

@github-actions
Copy link

github-actions bot commented Apr 5, 2023

tokio::io::ReadHalf&lt;T&gt;::unsplit is Unsound

Details
Status unsound
Package tokio
Version 0.2.25
URL tokio-rs/tokio#5372
Date 2023-01-11

tokio::io::ReadHalf&lt;T&gt;::unsplit can violate the Pin contract

The soundness issue is described in the tokio/issues#5372

Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)
is unusual, combined with the difficulty of making any arbitrary use-after-free
exploitable in Rust without doing a lot of careful alignment of data types in
the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this
soundness issue.

Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e
and carllerche appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not
affected by this issue.

See advisory page for additional details.
@djmitche djmitche self-assigned this Apr 8, 2023
@djmitche
Copy link
Collaborator

djmitche commented Apr 8, 2023

This requires a major bump of actix-web, which will take a little doing. WIP in https://github.com/djmitche/taskwarrior/pull/new/issue3085.

djmitche added a commit to djmitche/taskwarrior that referenced this issue Apr 8, 2023
@djmitche
Update Actix crates to latest versions
0056be5 
This avoids a vulnerability in tokio (GothenburgBitFactory#3085). The major version updates
of both actix-web and actix-rt required some signficant changes. Chief
among those, it turns out we were relying on actix-rt to run the
HttpServer in a different thread from the rest of the test, so that we
could talk to it from sync code in the test thread. This no longer
works, so the sync code is now run in a dedicated thread with
`actix_rt::task::spawn_blocking`.
@djmitche djmitche mentioned this issue Apr 8, 2023
Merged
djmitche added a commit that referenced this issue Apr 9, 2023
@djmitche
Update Actix crates to latest versions
52fdc6a 
This avoids a vulnerability in tokio (#3085). The major version updates
of both actix-web and actix-rt required some signficant changes. Chief
among those, it turns out we were relying on actix-rt to run the
HttpServer in a different thread from the rest of the test, so that we
could talk to it from sync code in the test thread. This no longer
works, so the sync code is now run in a dedicated thread with
`actix_rt::task::spawn_blocking`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@djmitche djmitche

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@djmitche