Add advisory for oneringbuf: vmem double-free reachable from safe Rust#2883
The vmem-feature codepath bit-copies UnsafeSyncCell<T> into mmap and also lets the source Box drop, producing a double-free of every heap-owning T on later ring-buffer destruction. Reachable from safe Rust constructors.
Do you have approval from the maintainer to publish this?
Fair point — I should have given the maintainer time to acknowledge first. A private disclosure email has been sent to Closing this advisory PR; will reopen once the maintainer has had a chance to respond (or after a 30-day attempt window if no response). Thanks for the disclosure-process correction.
… advisory

- oneringbuf RUSTSEC: set patched = ">= 0.7.1", add fix reference (PR rustsec#3), update Notes section
- mutringbuf RUSTSEC: new parallel advisory for the archived predecessor (same bug, all versions yanked, migrate to oneringbuf >= 0.7.1)

Reopens rustsec#2883 per maintainer acknowledgement on skilvingr/rust-oneringbuf#3 (2026-05-14).
Reopening per maintainer acknowledgement from the upstream author. Update:
Changes in this PR commit (
The two crates share the same code paths but live in two crate identities on crates.io, so two separate advisories with cross-references is the conventional path. Happy to merge them into a single advisory file with two
| ## Affected paths | ||
|
|
||
| - `src/ring_buffer/wrappers/unsafe_sync_cell.rs:10-16` — `Drop for UnsafeSyncCell<T>` invokes `assume_init_drop`. | ||
| - `src/ring_buffer/storage/heap/mod.rs:43-52` — `vmem`-branch `new` calls `vmem_helper::new(&value)` and lets `value` drop at function return. | ||
| - `src/ring_buffer/storage/heap/vmem_helper.rs:62-126` — `ptr::copy_nonoverlapping` produces bitwise duplicates. | ||
| - `src/ring_buffer/storage/heap/mod.rs:20-41` — `Drop for HeapStorage<T>` calls `drop_in_place` over the slice before `munmap`. |
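Review bot: the four bullets pin file:line ranges (for example `src/ring_buffer/storage/heap/mod.rs:43-52` and `:20-41`) that hold for one revision of the crate only, while the advisory covers every release before the patched 0.7.1, so a reader on any other affected version will find the ranges off. Keep at most the file names and the two items that matter for triage, the `vmem`-branch `new` and `Drop for HeapStorage<T>`, and point at the upstream fix PR for exact locations.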
I think this section is too detailed for this advisory.
| ## Related: `mutringbuf` (predecessor crate) | ||
…cted-paths and predecessor-crate sections

Per code review on rustsec#2883:

- Drop "## Affected paths" section: source-file line ranges (4 bullets) are too detailed for an advisory body — the upstream fix PR carries this information for anyone digging into the implementation.
- Drop "## Related: `mutringbuf` (predecessor crate)" section: the parallel mutringbuf advisory stands on its own and the cross-link here is redundant.

Body trimmed from 329 to 247 words. No content change to the technical description, trigger, or fix block.
Done — both sections removed per your review (commit
Trimmed from 329 to 247 words. No edits to the technical description, trigger, or fix block. Ready when you are.
Resubmission of the oneringbuf half of #2882, split per @djc's review and trimmed to be in line with the typical advisory-db body length.
vmem-feature double-free reachable from safe Rust via `VmemStorage::new` (and every `From<_>`/`default(cap)` constructor that funnels through it). The source `Box<[UnsafeSyncCell<T>]>` drops at the end of `new`, and the destructor's `drop_in_place` later runs `UnsafeSyncCell::drop` a second time over the mmap'd bit-copy — deterministic double-free of every heap-owning `T`.

The companion `unbounded-spsc` advisory is filed separately as a sibling PR. Closes prior #2882 (superseded by this + the unbounded-spsc PR).
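The drop-twice pattern the PR descriptions above name, reduced to a stand-alone Rust example added here; this is not code from oneringbuf, mutringbuf, or this PR. `Owned` is a constructed stand-in for a heap-owning `T` whose `Drop` only bumps a counter, so the duplicated destructor call is observable as a count instead of an allocator abort; `Storage` models the mapped destination with a plain `Vec<MaybeUninit<T>>` and, like the advisory's `HeapStorage`, runs the element destructors over its slots when destroyed. The constructor names `storage_double_drop` and `storage_single_drop` are assumptions for the example: the first reproduces the bug (bit-copy, then let the source `Box` drop at return), the second shows the fix (after the copy, forget the elements in the source so only its allocation is freed).

```rust
use std::mem::MaybeUninit;
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Counts Drop invocations. Constructed stand-in for a heap-owning T such as
/// a Vec: a second drop of the same value shows up as a count, not a double free.
static DROPS: AtomicUsize = AtomicUsize::new(0);

struct Owned(#[allow(dead_code)] u32);

impl Drop for Owned {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Models the mapped destination buffer. As with the advisory's HeapStorage,
/// dropping it runs the element destructors over the whole slice.
struct Storage<T> {
    buf: Vec<MaybeUninit<T>>,
}

impl<T> Drop for Storage<T> {
    fn drop(&mut self) {
        for slot in &mut self.buf {
            // SAFETY: every slot was written by copy_nonoverlapping in a constructor.
            unsafe { slot.assume_init_drop() };
        }
    }
}

/// Bug pattern (assumed name): bitwise-copy the boxed elements, then let the Box
/// drop at return. Both the Box and `buf` now own every T, so each T drops twice.
fn storage_double_drop<T>(src: Box<[T]>) -> Storage<T> {
    let len = src.len();
    let mut buf: Vec<MaybeUninit<T>> = Vec::with_capacity(len);
    // SAFETY: buf has capacity for len elements; src holds len initialized Ts.
    unsafe {
        ptr::copy_nonoverlapping(src.as_ptr(), buf.as_mut_ptr() as *mut T, len);
        buf.set_len(len);
    }
    Storage { buf }
    // `src` is dropped here: first drop of every T. Storage::drop is the second.
}

/// Fix (assumed name): after the copy, forget the elements in the source so
/// that only its allocation is freed and the sole owner of each T is `buf`.
fn storage_single_drop<T>(src: Box<[T]>) -> Storage<T> {
    let mut src = src.into_vec();
    let len = src.len();
    let mut buf: Vec<MaybeUninit<T>> = Vec::with_capacity(len);
    // SAFETY: as above; set_len(0) on src makes its Drop release the backing
    // allocation without running element destructors, which now belong to buf.
    unsafe {
        ptr::copy_nonoverlapping(src.as_ptr(), buf.as_mut_ptr() as *mut T, len);
        buf.set_len(len);
        src.set_len(0);
    }
    Storage { buf }
}

/// Builds a three-element storage with `build`, destroys it, and reports how
/// many Drop calls the three elements received in total.
fn drops_observed(build: fn(Box<[Owned]>) -> Storage<Owned>) -> usize {
    DROPS.store(0, Ordering::SeqCst);
    let storage = build(vec![Owned(1), Owned(2), Owned(3)].into_boxed_slice());
    drop(storage);
    DROPS.load(Ordering::SeqCst)
}

fn main() {
    println!(
        "buggy constructor: {} drops for 3 elements",
        drops_observed(storage_double_drop)
    );
    println!(
        "fixed constructor: {} drops for 3 elements",
        drops_observed(storage_single_drop)
    );
}
```

Swapping `Owned` for a type that holds a `Vec` or `Box` turns the buggy constructor's six drops into the allocator abort the advisory describes; the fixed constructor keeps the `unsafe` copy but leaves exactly one owner per element, which is the invariant `drop_in_place` in the destructor relies on.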