Skip to content

RUSTSEC-2023-0045: memoffset allows reading uninitialized memory #2514

Open
@github-actions

Description

@github-actions

memoffset allows reading uninitialized memory

Details
Status unsound
Package memoffset
Version 0.5.6
URL Gilnaa/memoffset#24
Date 2023-06-21

memoffset allows attempt of reading data from address 0 with arbitrary type. This behavior is an undefined behavior because address 0 to std::mem::size_of<T> may not have valid bit-pattern with T. Old implementation dereferences uninitialized memory obtained from std::mem::align_of. Older implementation prior to it allows using uninitialized data obtained from std::mem::uninitialized with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for "father" that includes (directly or transitively) type that does not allow to be uninitialized.

This flaw was corrected by using std::ptr::addr_of in <Gilnaa/memoffset#50>.

See advisory page for additional details.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        No participants

        Issue actions

          RUSTSEC-2023-0045: memoffset allows reading uninitialized memory · Issue #2514 · witnet/witnet-rust