`array!` macro is unsound in presence of traits that implement methods it calls internally

Moderate severity GitHub Reviewed Published Jun 16, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo array-macro (Rust)

Affected versions

>= 0.1.2, < 1.0.5

Patched versions

1.0.5

Description

Affected versions of this crate called some methods using auto-ref. The affected code looked like this.

```rust
let mut arr = $crate::__core::mem::MaybeUninit::uninit();
let mut vec = $crate::__ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);
```

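The problem is that `as_mut_ptr` takes `&mut self`, so it is a method of `&mut MaybeUninit`, not of `MaybeUninit`, and calling it on a plain value relies on auto-ref. Method lookup tries `&self` candidates before `&mut self` ones, so a trait in scope at the macro call site that defines a method of the same name taking `&self` is selected instead. This made it possible for traits to hijack the method calls in order to cause unsoundness.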

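```rust
use array_macro::array;

// Same method name as the inherent `MaybeUninit::as_mut_ptr`,
// but taking `&self` instead of `&mut self`.
trait AsMutPtr<T> {
    fn as_mut_ptr(&self) -> *mut T;
}
impl<T> AsMutPtr<T> for std::mem::MaybeUninit<T> {
    fn as_mut_ptr(&self) -> *mut T {
        std::ptr::null_mut()
    }
}

fn main() {
    // In affected versions the macro's internal call resolves to the trait method.
    array![0; 1];
}
```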

The flaw was corrected by explicitly referencing variables in the macro body in order to avoid auto-ref.
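The difference between the auto-ref call and the explicitly referenced call can be reproduced without the crate. This is an added example, not code from `array-macro`: the two macros, the `hijack` module and the function names are hypothetical stand-ins, and each macro reports whether the pointer it obtained is null.

```rust
// Simplified stand-ins for a macro body that needs a pointer to a MaybeUninit
// slot (constructed for this example, not the crate's actual code).
macro_rules! slot_ptr_is_null_autoref {
    () => {{
        #[allow(unused_mut)]
        let mut slot = ::std::mem::MaybeUninit::<u32>::uninit();
        // Auto-ref: traits in scope at the call site take part in lookup.
        slot.as_mut_ptr().is_null()
    }};
}
macro_rules! slot_ptr_is_null_explicit {
    () => {{
        let mut slot = ::std::mem::MaybeUninit::<u32>::uninit();
        // Receiver is already `&mut MaybeUninit`, so the inherent method wins.
        (&mut slot).as_mut_ptr().is_null()
    }};
}

mod hijack {
    // Same shape as the advisory's trait: same name, but `&self`.
    pub trait AsMutPtr<T> {
        fn as_mut_ptr(&self) -> *mut T;
    }
    impl<T> AsMutPtr<T> for ::std::mem::MaybeUninit<T> {
        fn as_mut_ptr(&self) -> *mut T {
            ::std::ptr::null_mut()
        }
    }
}

/// (auto-ref form, explicit form) expanded with no shadowing trait in scope.
pub fn without_trait() -> (bool, bool) {
    (slot_ptr_is_null_autoref!(), slot_ptr_is_null_explicit!())
}

/// The same two macros expanded where the caller has imported the trait.
pub fn with_trait() -> (bool, bool) {
    use self::hijack::AsMutPtr;
    (slot_ptr_is_null_autoref!(), slot_ptr_is_null_explicit!())
}

fn main() {
    println!("without trait: {:?}", without_trait());
    println!("with trait:    {:?}", with_trait());
}
```

Only the auto-ref form changes behaviour when the caller imports the trait; the explicitly referenced form keeps resolving to the inherent method.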

Published to the GitHub Advisory Database Jun 16, 2022
Reviewed Jun 16, 2022
Last updated Jun 13, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-83gg-pwxf-jr89
