Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that in the `EventList::From` implementation for slices of types that implement `Into<Event>`:

```rust
    let event = unsafe { ptr::read(events.get_unchecked(idx)) };
    el.push(event.into());
}
```

It grabs the event using `ptr::read`, duplicating the ownership, and then calls `event.into()`, which can potentially panic. This can lead to the event being double freed, as shown in the example below:

```rust
#![forbid(unsafe_code)]

use ocl::{Event, EventList};

struct MyIntoEventType(u32);

impl Drop for MyIntoEventType {
    fn drop(&mut self) {
        println!("Dropping the MyIntoEventType");
    }
}

impl Into<Event> for MyIntoEventType {
    fn into(self) -> Event {
        panic!("Panicking in Into");
    }
}

fn main() {
    let slice = [MyIntoEventType(1)];
    let event_list = EventList::from(slice);
}
```

Output:

```
thread 'main' panicked at 'Panicking in Into', src/main.rs:28:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Dropping the MyIntoEventType
Dropping the MyIntoEventType
```

Snippet source: `ocl/ocl/src/standard/event.rs`, lines 1040 to 1043 in 0308686.
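
The double drop described in the report can be reproduced without the `ocl` crate. The following is an added example, not code from the issue or from ocl: `Tracked`, `Converted`, `convert_unsound`, `convert_sound` and `drops_on_panic` are hypothetical names, and the trailing `mem::forget` in the unsound version is an assumption about how such a loop hands off ownership. It counts destructor runs when the conversion panics, next to a by-value form that needs no `unsafe`.

```rust
use std::cell::Cell;
use std::{mem, panic, ptr};

// Per-thread count of destructor runs.
thread_local! { static DROPS: Cell<usize> = Cell::new(0); }

// Hypothetical stand-ins for a user type and for the converted event type.
#[allow(dead_code)]
struct Tracked(u32);
struct Converted;

impl Drop for Tracked {
    fn drop(&mut self) { DROPS.with(|d| d.set(d.get() + 1)); }
}
impl From<Tracked> for Converted {
    // Always panics, like the `Into<Event>` impl in the report.
    fn from(_t: Tracked) -> Self { panic!("panicking in conversion") }
}

// Pattern from the report: bitwise-copy each element out, then convert it.
fn convert_unsound<T: Into<U>, U, const N: usize>(items: [T; N]) -> Vec<U> {
    let mut out = Vec::with_capacity(N);
    for idx in 0..N {
        // `items[idx]` and `item` now both own the same value.
        let item = unsafe { ptr::read(items.get_unchecked(idx)) };
        // A panic here drops `item`, then unwinding drops `items` as well.
        out.push(item.into());
    }
    mem::forget(items); // assumed hand-off; never reached on panic
    out
}

// By-value iteration: every element has exactly one owner at all times.
fn convert_sound<T: Into<U>, U, const N: usize>(items: [T; N]) -> Vec<U> {
    IntoIterator::into_iter(items).map(Into::into).collect()
}

// Runs `convert` on two constructed values and returns how many drops ran.
fn drops_on_panic(convert: fn([Tracked; 2]) -> Vec<Converted>) -> usize {
    DROPS.with(|d| d.set(0));
    let result = panic::catch_unwind(|| convert([Tracked(1), Tracked(2)]));
    assert!(result.is_err(), "conversion is expected to panic");
    DROPS.with(|d| d.get())
}

fn main() {
    println!("unsound: {} drops of 2 values", drops_on_panic(convert_unsound));
    println!("sound:   {} drops of 2 values", drops_on_panic(convert_sound));
}
```

With a type that owns heap memory or a reference-counted handle, the extra drop in the unsound version becomes a double free; the counter type here keeps the demonstration harmless.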