index() allows out-of-bound read and remove() has off-by-one error #2
Description
Hello, we have noticed a soundness issue and/or a potential security vulnerability in this crate while performing a security scan on crates.io.
Lines 160 to 165 in f1b18e1
Lines 82 to 103 in f1b18e1
Description
Slab::index() does not perform the boundary checking, which leads to out-of-bound read access. Slab::remove() copies an element from an invalid address due to off-by-one error, resulting in memory leakage and uninitialized memory drop.
Demonstration
- Crate: simple-slab
- Version: 0.3.2
- OS: Ubuntu 18.04.5 LTS
- Rust: rustc 1.46.0 (04488afe3 2020-08-24)
#![forbid(unsafe_code)]
mod boilerplate;
use simple_slab::Slab;
#[derive(Debug, PartialEq)]
struct DropDetector(u32);
impl Drop for DropDetector {
fn drop(&mut self) {
println!("Dropping {}", self.0);
}
}
fn main() {
boilerplate::init();
let mut slab = Slab::with_capacity(2);
slab.insert(DropDetector(123));
slab.insert(DropDetector(456));
// 1. No boundary checking leads to OOB read in `index()`
println!("{:?}", slab[20]);
// 2. Memory leak / uninitialized memory access in `remove()`
// element should be copied from `len - 1`, not `len`
assert_eq!(slab.remove(0).0, 123);
assert_eq!(slab[0].0, 456); // copied from uninitialized region `slab[2]`
}Output:
DropDetector(3090534592)
Dropping 123
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `0`,
right: `456`', src/main.rs:49:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Dropping 0
Return Code: 101