Headline
CVE-2021-28875: Heap buffer overflow in `read_to_end_with_reservation()` · Issue #80894 · rust-lang/rust
In the Rust standard library before 1.50.0, `read_to_end()` does not validate the byte count returned by a `Read` implementation before using it in an unsafe context. A `Read` impl that returns a count larger than the buffer it was given can therefore cause a heap buffer overflow.
Comments
Qwaz added the C-bug label (Category: This is a bug.) on Jan 11, 2021
sfackler added the I-unsound (Issue: A soundness hole, the worst kind of bug; see https://en.wikipedia.org/wiki/Soundness) and T-libs-api (Relevant to the library API team, which will review and decide on the PR/issue.) labels on Jan 11, 2021
rustbot added the I-prioritize label (Indicates that prioritization has been requested for this issue) on Jan 11, 2021
camelid added the T-libs (Relevant to the library team, which will review and decide on the PR/issue.) and A-io (Area: std::io, std::fs, std::net and std::path) labels on Jan 11, 2021
Qwaz mentioned this issue on Jan 13, 2021
Qwaz added a commit to Qwaz/advisory-db that referenced this issue on Jan 13, 2021
m-ou-se added a commit to m-ou-se/rust that referenced this issue on Jan 14, 2021
Fix handling of malicious Readers in read_to_end
A malicious `Read` impl could return overly large values from `read`, which would result in the guard’s drop impl setting the buffer’s length to greater than its capacity! To fix this, the drop impl now uses the safe `truncate` function instead of `set_len` which ensures that this will not happen. The result of calling the function will be nonsensical, but that’s fine given the contract violation of the `Read` impl.
The `Guard` type is also used by `append_to_string` which does not pass untrusted values into the length field, so I’ve copied the guard type into each function and only modified the one used by `read_to_end`. We could just keep a single one and modify it, but it seems a bit cleaner to keep the guard code close to the functions and related specifically to them.
To fix this, we now assert that the returned length is not larger than the buffer passed to the method.
For reference, this bug has been present for ~2.5 years since 1.20: rust-lang@ecbb896.
Closes rust-lang#80894.
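The two hardening steps the commit message describes (a guard whose `Drop` uses `truncate` rather than `set_len`, plus a check that the reader's returned count fits the buffer), as an added, simplified illustration that is not the std code from the PR. It returns an `io::Error` where std asserts, so the rejection can be tested, and `LyingReader` is a constructed misbehaving `Read` impl.

```rust
use std::io::{self, Read};

// Scope guard in the shape std uses in read_to_end: the Vec is grown so the
// reader can write into spare space, and on drop its length is reset to the
// bytes actually filled. Using `truncate` instead of `set_len` means a bogus
// `len` can never push the length past what the Vec really holds.
struct Guard<'a> {
    buf: &'a mut Vec<u8>,
    len: usize,
}

impl Drop for Guard<'_> {
    fn drop(&mut self) {
        // No-op when `self.len >= buf.len()`, so it cannot expose memory
        // beyond the initialised region the way `set_len` could.
        self.buf.truncate(self.len);
    }
}

/// Simplified read_to_end that refuses to trust a count larger than the
/// slice handed to `read`. (std panics here; an error is used so the
/// behaviour is observable in a test. This is an added example, not std.)
pub fn read_to_end_checked<R: Read>(r: &mut R, buf: &mut Vec<u8>) -> io::Result<usize> {
    let start = buf.len();
    let mut g = Guard { buf, len: start };
    loop {
        if g.len == g.buf.len() {
            g.buf.reserve(32);
            let cap = g.buf.capacity();
            g.buf.resize(cap, 0); // zero-fill spare space (std uses uninit memory + the guard)
        }
        let spare = g.buf.len() - g.len;
        match r.read(&mut g.buf[g.len..]) {
            Ok(0) => return Ok(g.len - start),
            // The Read impl claims more bytes than the slice could hold:
            // reject it instead of folding the lie into the buffer length.
            Ok(n) if n > spare => {
                return Err(io::Error::new(io::ErrorKind::InvalidData, "Read returned n > buf.len()"))
            }
            Ok(n) => g.len += n,
            Err(e) if e.kind() == io::ErrorKind::Interrupted => {}
            Err(e) => return Err(e),
        }
    }
}

/// Constructed misbehaving reader: always reports far more bytes than fit.
pub struct LyingReader;
impl Read for LyingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        Ok(buf.len() + 1_000_000)
    }
}
```

Because the guard truncates on every exit path, the bytes already present in the buffer survive the rejected read while the untrusted count is discarded.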
Related news
Gentoo Linux Security Advisory 202210-9 - Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Versions less than 1.63.0-r1 are affected.