I've found an open bug in Rust stdlib dating back to 2017, marked "unsound": https://github.com/rust-lang/rust/issues/46775
This smells like a potential use-after-free to me, but I'm not sufficiently competent to verify that. I'd appreciate it if someone more familiar with C and POSIX could take a look.
There's definitely a UAF, and it doesn't even take a race condition. I just left a comment laying it out (hopefully I didn't screw something up!).
Is there an easy way to get an ASAN stdlib?
Eh, never mind, didn't even need that.
So, uh, what's the process for vulnerabilities in the stdlib? Should I stop posting stuff publicly?
I'd err on the side of caution and follow the policy until they tell you it's fine to keep working in the open: https://www.rust-lang.org/en-US/security.html
Weird that this bug report sat on the tracker for 10 months with no comment.
it was on my list to try and exploit, never got around to that though^^
and there is a related one, even older: https://github.com/rust-lang/rust/issues/39575
As to "is it exploitable": you'd have to write a bunch of code that I think would never exist in the real world, but with some heap grooming I'm sure you could turn this UAF into an arbitrary read/write and go from there.
by "exploit" I just meant "trigger UB", which you did. as far as I am concerned that's enough to make this critical, I don't care about going the extra mile of actually taking over a real program.
FWIW, if this were a Firefox vulnerability (I'm on the Firefox security team and help with vulnerability triage), I'd probably mark it sec-moderate.