Soundness fixes for RUSTSEC-2020-0041 #15

kornelski · 2021-02-12T14:22:43Z

Fixes #11

@Qwaz @vorner do you want to have a look at it?

vorner · 2021-02-12T15:30:07Z

I'll go over it later today.

Any reason why the fix I've sent #13 isn't good?

vorner · 2021-02-12T16:54:41Z

After going through it quickly (not proving anything):

I think one of the branches in the insert_from shifts existing elements to the right, creates a „hole“ in the middle and fills it with the items from the iterator. If the iterator is too short, even being careful to update the length after the fact instead of before won't solve it, since the actual elements are not consecutive in the array.
It's not strictly for that CVE/Rustsec, but at least when I was writing Fix soundness issues in sized chunks and ringbuffer #13, I must have thought the ringbuffer has a very similar set of problems as the sized chunk. I'm not claiming to be sure to be correct in that feeling, but do you want to check that one too?

Qwaz

I believe insert_from() still have safety problems to be fixed.

src/sized_chunk/mod.rs

kornelski · 2021-02-13T23:46:38Z

I haven't noticed #13 before! That PR looks great, so I've merged that one instead. Thank you for your help.

kornelski added 5 commits February 12, 2021 14:16

Delete obsolete bench

569bd9e

Check capacity in unit() and pair()

e643c95

Check capacity in From

84bf7df

Panic-proof clone

6fbb9ae

Stop evil iterators breaking insert_from

cd92298

#11

Qwaz reviewed Feb 12, 2021

View reviewed changes

src/sized_chunk/mod.rs Show resolved Hide resolved

src/sized_chunk/mod.rs Show resolved Hide resolved

kornelski closed this Feb 13, 2021

kornelski deleted the rustsec-2020-0041 branch February 13, 2021 23:45

Provide feedback