Update Rust crate tokio to 1.25 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tokio (source)	dependencies	minor	1.22 -> 1.25

GitHub Vulnerability Alerts

CVE-2023-22466

Impact

When configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. This also applies if reject_remote_clients is not explicitly set as this is the default configuration and is cleared by calling pipe_mode.

Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publically shared folder (SMB).

Patches

The following versions have been patched:

• 1.23.1
• 1.20.3
• 1.18.4

The fix will also be present in all releases starting from version 1.24.0.

Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

References

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients

GHSA-4q83-7cq4-p6wg

tokio::io::ReadHalf<T>::unsplit can violate the Pin contract

The soundness issue is described in the tokio/issues#​5372

Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)
is unusual, combined with the difficulty of making any arbitrary use-after-free
exploitable in Rust without doing a lot of careful alignment of data types in
the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this
soundness issue.

Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e
and carllerche appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not
affected by this issue.

---

Release Notes

tokio-rs/tokio

v1.25.0: Tokio v1.25.0

1.25.0 (January 28, 2023)

Fixed

• rt: fix runtime metrics reporting (#​5330)

Added

• sync: add broadcast::Sender::len (#​5343)

Changed

• fs: increase maximum read buffer size to 2MiB (#​5397)

v1.24.1: Tokio v1.24.1

Compare Source

This release fixes a compilation failure on targets without AtomicU64 when using rustc older than 1.63. (#​5356)

v1.24.0: Tokio v1.24.0

Compare Source

The highlight of this release is the reduction of lock contention for all I/O operations (#​5300). We have received reports of up to a 20% improvement in CPU utilization and increased throughput for real-world I/O heavy applications.

Fixed

• rt: improve native AtomicU64 support detection (#​5284)

Added

• rt: add configuration option for max number of I/O events polled from the OS
  per tick (#​5186)
• rt: add an environment variable for configuring the default number of worker
  threads per runtime instance (#​4250)

Changed

• sync: reduce MPSC channel stack usage (#​5294)
• io: reduce lock contention in I/O operations (#​5300)
• fs: speed up read_dir() by chunking operations (#​5309)
• rt: use internal ThreadId implementation (#​5329)
• test: don't auto-advance time when a spawn_blocking task is running (#​5115)

v1.23.1: Tokio v1.23.1

Compare Source

This release forward ports changes from 1.18.4.

Fixed

• net: fix Windows named pipe server builder to maintain option when toggling
  pipe mode (#​5336).

v1.23.0: Tokio v1.23.0

Compare Source

Fixed

• net: fix Windows named pipe connect (#​5208)
• io: support vectored writes for ChildStdin (#​5216)
• io: fix async fn ready() false positive for OS-specific events (#​5231)

Changed

• runtime: yield_now defers task until after driver poll (#​5223)
• runtime: reduce amount of codegen needed per spawned task (#​5213)
• windows: replace winapi dependency with windows-sys (#​5204)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.