{ "schema_version": "1.4.0", "id": "GHSA-f85w-wvc7-crwc", "modified": "2023-01-20T21:54:22Z", "published": "2023-01-20T21:54:22Z", "aliases": [], "summary": "bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`", "details": "In affected versions of this crate, the lifetime of the iterator produced by `Vec::into_iter()` is not constrained to the lifetime of the `Bump` that allocated the vector's memory. Using the iterator after the `Bump` is dropped causes use-after-free accesses.\n\nThe following example demonstrates memory corruption arising from a misuse of this unsoundness.\n\n```rust\nuse bumpalo::{collections::Vec, Bump};\n\nfn main() {\n    let bump = Bump::new();\n    let mut vec = Vec::new_in(&bump);\n    vec.extend([0x01u8; 32]);\n    let into_iter = vec.into_iter();\n    drop(bump);\n\n    for _ in 0..100 {\n        let reuse_bump = Bump::new();\n        let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);\n    }\n\n    for x in into_iter {\n        print!(\"0x{:02x} \", x);\n    }\n    println!();\n}\n```\n\nThe issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter` type, and updating the signature of `Vec::into_iter()` to constrain this lifetime.\n", "severity": [], "affected": [ { "package": { "ecosystem": "crates.io", "name": "bumpalo" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.1.0" }, { "fixed": "3.11.1" } ] } ] } ], "references": [ { "type": "PACKAGE", "url": "https://github.com/fitzgen/bumpalo" }, { "type": "WEB", "url": "https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0078.html" } ], "database_specific": { "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-01-20T21:54:22Z", "nvd_published_at": null } }