Stream: wg-secure-code

Topic: is this exploitable?


Shnatsel (Oct 24 2018 at 18:40, on Zulip):

I've found an open bug in Rust stdlib dating back to 2017, marked "unsound": https://github.com/rust-lang/rust/issues/46775
This smells like a potential use-after-free to me, but I'm not sufficiently competent to verify that. I'd appreciate if someone more familiar with C and POSIX could take a look.

Alex Gaynor (Oct 24 2018 at 21:23, on Zulip):

There's definitely a UAF, and it doesn't even take a race condition. I just left a comment laying it out (hopefully I didn't screw something up!).

Alex Gaynor (Oct 24 2018 at 21:29, on Zulip):

Is there an easy way to get an ASAN stdlib?

Alex Gaynor (Oct 24 2018 at 21:31, on Zulip):

Eh, nevermind, didn't even need that.

Alex Gaynor (Oct 24 2018 at 21:37, on Zulip):

So, uh, what's the process for vulnerabilities in the stdlib? Should I stop posting stuff publicly?

Joshua Liebow-Feeser (Oct 24 2018 at 21:39, on Zulip):

I'd err on the side of caution and follow the policy until they tell you it's fine to keep working in the open: https://www.rust-lang.org/en-US/security.html

Zach Reizner (Oct 24 2018 at 21:41, on Zulip):

Weird that this bug report sat on the tracker for 10 months with no comment.

RalfJ (Oct 25 2018 at 06:34, on Zulip):

it was on my list to try and exploit, never got around to that though^^

RalfJ (Oct 25 2018 at 06:35, on Zulip):

and there is a related one, even older: https://github.com/rust-lang/rust/issues/39575

Alex Gaynor (Oct 25 2018 at 12:24, on Zulip):

As to "is it exploitable": you'd have to write a bunch of code that I think that would never exist in the real world, but with some heap grooming I'm sure you could turn this UAF into an arbitrary read/write and go from there.

RalfJ (Oct 25 2018 at 12:56, on Zulip):

by "exploit" I just meant "trigger UB", which you did. as far as I am concerned that's enough to make this critical, I don't care about going the extra mile of actually taking over a real program.

Alex Gaynor (Oct 25 2018 at 12:59, on Zulip):

FWIW, if this were a Firefox vulnerability (I'm on the Firefox security team and help with vulnerability triage), I'd probably mark it sec-moderate .

Alex Gaynor (Oct 25 2018 at 19:51, on Zulip):

PR is up: https://github.com/rust-lang/rust/pull/55359

Last update: Nov 11 2019 at 23:10UTC