A malicious coder can get unsound access to TCell or TLCell memory

High severity • GitHub Reviewed • Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jan 12, 2023

Package

cargo qcell (Rust)

Affected versions

< 0.4.3

Patched versions

0.4.3

Description

This is impossible to do by accident, but by carefully constructing
marker types to be covariant, a malicious coder can cheat the
singleton check in TCellOwner and TLCellOwner, giving unsound
access to cell memory. This could take the form of getting two
mutable references to the same memory, or a mutable reference and an
immutable reference.

The fix is for the crate to internally force the marker type to be
invariant. This blocks the conversion between covariant types which
Rust normally allows.
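
The following is an added example, not code from the qcell crate or this advisory: a minimal sketch of a per-marker-type singleton check and of how an invariant PhantomData blocks the conversions that covariance permits. The names Owner, LIVE, Covariant, Invariant and shorten are hypothetical, and PhantomData<fn(Q) -> Q> is one common way to force invariance, assumed here rather than taken from the crate's source.

```rust
use std::any::TypeId;
use std::collections::HashSet;
use std::marker::PhantomData;
use std::sync::Mutex;

// Marker types that currently have a live owner (the singleton check).
static LIVE: Mutex<Option<HashSet<TypeId>>> = Mutex::new(None);

// Hypothetical owner type. PhantomData<fn(Q) -> Q> makes it invariant in Q:
// Owner<A> never converts to Owner<B>, even if A is a subtype of B.
pub struct Owner<Q: 'static>(PhantomData<fn(Q) -> Q>);

impl<Q: 'static> Owner<Q> {
    // Returns None while another owner for the same marker type is alive.
    pub fn try_new() -> Option<Self> {
        let mut live = LIVE.lock().unwrap();
        let fresh = live.get_or_insert_with(HashSet::new).insert(TypeId::of::<Q>());
        fresh.then(|| Owner(PhantomData))
    }
}

impl<Q: 'static> Drop for Owner<Q> {
    fn drop(&mut self) {
        if let Some(set) = LIVE.lock().unwrap().as_mut() {
            set.remove(&TypeId::of::<Q>());
        }
    }
}

// Variance shown with lifetimes, the most familiar subtype relation in Rust.
#[allow(dead_code)]
pub struct Covariant<T>(PhantomData<T>);
#[allow(dead_code)]
pub struct Invariant<T>(PhantomData<fn(T) -> T>);

// Compiles: a covariant wrapper converts silently along the subtype relation.
pub fn shorten<'a>(w: Covariant<&'static u8>) -> Covariant<&'a u8> {
    w
}

// Rejected by the compiler if uncommented: invariance blocks the conversion.
// fn shorten_inv<'a>(w: Invariant<&'static u8>) -> Invariant<&'a u8> { w }

fn main() {
    struct Marker; // constructed marker type
    let first = Owner::<Marker>::try_new();
    assert!(first.is_some() && Owner::<Marker>::try_new().is_none());
    let _ = shorten(Covariant(PhantomData));
}
```

A singleton check keyed on the marker type only holds if an owner for one marker type can never be reinterpreted as an owner for another, which is why the owner must be invariant in its marker parameter.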

References

Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jan 12, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-9c9f-7x9p-4wqp
