
std: Check for overflow in str::repeat #54399

Merged 1 commit, Sep 21, 2018

Conversation

alexcrichton
Member

This commit fixes a buffer overflow issue in the standard library
discovered by Scott McMurray where if a large number was passed to
str::repeat it may cause an out of bounds write to the buffer of a Vec.
This bug was accidentally introduced in #48657 when optimizing the
str::repeat function. The bug affects stable Rust releases 1.26.0 to
1.29.0. We plan on backporting this fix to create a 1.29.1 release, and
the 1.30.0 release onwards will include this fix.

The fix in this commit is to introduce a deterministic panic in the case of
capacity overflow. When repeating a slice where the resulting length is larger
than the address space, there's no way it can succeed anyway!

The standard library and surrounding libraries were briefly checked to see if
there were other instances of preallocating a vector with a calculation that
may overflow. No instances of this bug (out of bounds write due to a calculation
overflow) were found at this time.

Note that this commit is the first step towards fixing this issue;
we'll be making a formal post to the Rust security list once these
commits have been merged.

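The mitigation the description calls for, written out as an added example rather than the PR's own patch or the standard library's implementation: the target length is computed with `checked_mul` before any allocation, so an overflowing `len * n` surfaces as `None` (or, in the wrapper, as the deterministic "capacity overflow" panic the PR describes) instead of an undersized `Vec` that is then written past its end. The function names `repeat_bytes` and `repeat_str` are assumptions chosen here, not std APIs; the doubling-copy loop mirrors the optimization strategy in general terms only.

```rust
// Added example, not the PR's own patch or std's implementation.
// `repeat_bytes` and `repeat_str` are hypothetical names chosen here.

/// Repeat `slice` `n` times with a doubling-copy strategy, but compute
/// the target length with `checked_mul` so that `len * n` overflowing
/// `usize` yields `None` instead of an undersized allocation.
pub fn repeat_bytes(slice: &[u8], n: usize) -> Option<Vec<u8>> {
    // The check the PR description calls for: detect capacity overflow
    // before any buffer is allocated or written.
    let capacity = slice.len().checked_mul(n)?;
    if capacity == 0 {
        return Some(Vec::new());
    }

    let mut buf = Vec::with_capacity(capacity);
    buf.extend_from_slice(slice);

    // Double the buffer while another full copy still fits. The bound is
    // written as a subtraction so the loop's own arithmetic cannot overflow.
    while capacity - buf.len() >= buf.len() {
        let len = buf.len();
        // `extend_from_within` is stable since Rust 1.53.
        buf.extend_from_within(..len);
    }

    // Copy the remaining tail; it is strictly shorter than `buf`.
    let rem = capacity - buf.len();
    buf.extend_from_within(..rem);

    debug_assert_eq!(buf.len(), capacity);
    Some(buf)
}

/// Convenience wrapper mirroring the fix's behaviour: a deterministic
/// panic ("capacity overflow") rather than silent memory corruption.
pub fn repeat_str(s: &str, n: usize) -> String {
    let bytes = repeat_bytes(s.as_bytes(), n).expect("capacity overflow");
    // Repeating a valid UTF-8 string keeps it valid UTF-8.
    String::from_utf8(bytes).expect("repeated UTF-8 stays valid")
}

fn main() {
    println!("{}", repeat_str("ab", 3)); // ababab
    println!("{:?}", repeat_bytes(b"abc", usize::MAX / 2)); // None
}
```

The point worth noting for review of similar code is that the overflow check has to sit on the size calculation itself, before `Vec::with_capacity`; a loop that later writes `len * n` bytes into a buffer sized from the wrapped product is exactly the pattern the description says was searched for elsewhere in std.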
@rust-highfive
Collaborator

r? @cramertj

(rust_highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Sep 20, 2018
@alexcrichton
Member Author

This is accompanied with PRs to stable and beta as well, and a reminder that a more formal announcement will be coming soon once we sort out these prs.

@bors: p=98

@alexcrichton alexcrichton added beta-nominated Nominated for backporting to the compiler in the beta channel. beta-accepted Accepted for backporting to the compiler in the beta channel. stable-nominated Nominated for backporting to the compiler in the stable channel. stable-accepted Accepted for backporting to the compiler in the stable channel. labels Sep 20, 2018
@alexcrichton
Member Author

r? @steveklabnik

@steveklabnik
Member

@bors: r+

@bors
Contributor

bors commented Sep 20, 2018

📌 Commit 8ac88d3 has been approved by steveklabnik

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Sep 20, 2018
@alexcrichton
Member Author

@bors: p=15

(putting this behind the rollup)

@alexcrichton
Member Author

@bors: p=3

@alexcrichton
Member Author

@bors: p=1

@pietroalbini pietroalbini removed stable-nominated Nominated for backporting to the compiler in the stable channel. beta-nominated Nominated for backporting to the compiler in the beta channel. labels Sep 20, 2018
@alexcrichton
Member Author

@bors: p=2

@bors
Contributor

bors commented Sep 21, 2018

⌛ Testing commit 8ac88d3 with merge 1002e40...

bors added a commit that referenced this pull request Sep 21, 2018
std: Check for overflow in `str::repeat`
@bors
Contributor

bors commented Sep 21, 2018

☀️ Test successful - status-appveyor, status-travis
Approved by: steveklabnik
Pushing 1002e40 to master...

@bors bors merged commit 8ac88d3 into rust-lang:master Sep 21, 2018
@alexcrichton alexcrichton deleted the fix-bug branch September 22, 2018 04:33
Labels
beta-accepted Accepted for backporting to the compiler in the beta channel. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. stable-accepted Accepted for backporting to the compiler in the stable channel.
6 participants