Skip to content
This repository has been archived by the owner on Aug 16, 2021. It is now read-only.

Memory safe violation by abusing __private_get_type_id__ #336

Open
Qwaz opened this issue Nov 13, 2019 · 1 comment
Open

Memory safe violation by abusing __private_get_type_id__ #336

Qwaz opened this issue Nov 13, 2019 · 1 comment

Comments

@Qwaz
Copy link

Qwaz commented Nov 13, 2019

I noticed that it is possible to cause type confusion in downcast by manually implementing __private_get_type_id__.

https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=ad66fe439660eb8373996bfd6bd7a835

Although the name of the function clearly shows that it is a private API, I believe a safe Rust program should not violate the memory safety guaranteed by Rust type system.

@Qwaz
Copy link
Author

Qwaz commented Nov 13, 2019

Actually, the bug here looks very similar to what happened to the standard library:
https://rustsec.org/advisories/CVE-2019-12083.html

Qwaz added a commit to Qwaz/advisory-db that referenced this issue Jun 28, 2020
Qwaz added a commit to Qwaz/advisory-db that referenced this issue Jun 28, 2020
Shnatsel added a commit to rustsec/advisory-db that referenced this issue Aug 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant