You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that DeflateOutput's implementation of poll_read does the following:
This sets up uninitialized bytes in read_interm and then passes it to the user provided poll_read method. This allows invoking undefined behavior from safe Rust code, reading uninitialized memory.
This issue is described a bit in the documentation for Read:
It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.
Here's an example that outputs uninitialized memory using this:
820: NO-TICKET: upgrade libp2p deflate r=Fraser999 a=Fraser999
This fixes security advisory on libp2p-deflate by upgrading the version of libp2p. See libp2p/rust-libp2p#1932.
Co-authored-by: Michał Papierski <michal@casperlabs.io>
Co-authored-by: Fraser Hutchison <fraser@casperlabs.io>
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that
DeflateOutput
's implementation ofpoll_read
does the following:rust-libp2p/protocols/deflate/src/lib.rs
Lines 136 to 141 in 6400719
This sets up uninitialized bytes in
read_interm
and then passes it to the user providedpoll_read
method. This allows invoking undefined behavior from safe Rust code, reading uninitialized memory.This issue is described a bit in the documentation for
Read
:Here's an example that outputs uninitialized memory using this:
Click to expand
The text was updated successfully, but these errors were encountered: