-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap buffer overflow in read_to_end_with_reservation()
#80894
Comments
This is definitely broken - nice find. A simple fix would be to just add an rust/library/std/src/io/mod.rs Lines 302 to 306 in c97f11a
You can still get weird behavior in read_to_end_with_reservation, but it should be memory safe and it seems best to avoid a bunch of extra logic in the main loop. |
It looks like the bug was introduced in ecbb896. |
Assigning |
Fix handling of malicious Readers in read_to_end A malicious `Read` impl could return overly large values from `read`, which would result in the guard's drop impl setting the buffer's length to greater than its capacity! ~~To fix this, the drop impl now uses the safe `truncate` function instead of `set_len` which ensures that this will not happen. The result of calling the function will be nonsensical, but that's fine given the contract violation of the `Read` impl.~~ ~~The `Guard` type is also used by `append_to_string` which does not pass untrusted values into the length field, so I've copied the guard type into each function and only modified the one used by `read_to_end`. We could just keep a single one and modify it, but it seems a bit cleaner to keep the guard code close to the functions and related specifically to them.~~ To fix this, we now assert that the returned length is not larger than the buffer passed to the method. For reference, this bug has been present for ~2.5 years since 1.20: rust-lang@ecbb896. Closes rust-lang#80894.
rust/library/std/src/io/mod.rs
Lines 358 to 403 in c97f11a
At line 393, the guard object's
.len
field is incremented by the value returned from a read implementation. If a questionableRead
returns a value larger than the buffer size, it will take that value and set the length of the vector over the boundary.This bug is reachable from
Read::read_to_end()
andRead::read_to_string()
.Here is a playground link that demonstrates the bug. It segfaults with
double free or corruption (out)
.The text was updated successfully, but these errors were encountered: