Skip to content

Unsound sending of non-Send types across threads in threadalone

Moderate severity GitHub Reviewed Published Jan 23, 2024 to the GitHub Advisory Database

Package

cargo threadalone (Rust)

Affected versions

< 0.2.1

Patched versions

0.2.1

Description

Affected versions can run the Drop impl of a non-Send type on a different
thread than it was created on.

The flaw occurs when a stderr write performed by the threadalone crate fails,
for example because stderr is redirected to a location on a filesystem that is
full, or because stderr is a pipe that has been closed by the reader.

Dropping a non-Send type on the wrong thread is unsound. If used with a type
such as a pthread-based MutexGuard, the consequence is undefined
behavior. If used with Rc, there would be a data race on the
reference count, which is likewise undefined behavior.

References

Published to the GitHub Advisory Database Jan 23, 2024
Reviewed Jan 23, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-w59h-378f-2frm

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.