In affected versions, after a Report is constructed using wrap_err or wrap_err_with to attach a message of type D onto an error of type E, then using downcast to recover ownership of either the value of type D or the value of type E, one of two things can go wrong:
If downcasting to E, there remains a value of type D to be dropped. It is incorrectly "dropped" by running E's drop behavior, rather than D's. For example if D is &str and E is std::io::Error, there would be a call of std::io::Error::drop in which the reference received by the Drop impl does not refer to a valid value of type std::io::Error, but instead to &str.
If downcasting to D, there remains a value of type E to be dropped. When D and E do not happen to be the same size, E's drop behavior is incorrectly executed in the wrong location. The reference received by the Drop impl may point left or right of the real E value that is meant to be getting dropped.
In both cases, when the Report contains an error E that has nontrivial drop behavior, the most likely outcome is memory corruption.
When the Report contains an error E that has trivial drop behavior (for example a Utf8Error) but where D has nontrivial drop behavior (such as String), the most likely outcome is that downcasting to E would leak D.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
0.6.11
->0.6.12
GitHub Vulnerability Alerts
GHSA-4v52-7q2x-v4xj
In affected versions, after a
Report
is constructed usingwrap_err
orwrap_err_with
to attach a message of typeD
onto an error of typeE
, then usingdowncast
to recover ownership of either the value of typeD
or the value of typeE
, one of two things can go wrong:If downcasting to
E
, there remains a value of typeD
to be dropped. It is incorrectly "dropped" by runningE
's drop behavior, rather thanD
's. For example ifD
is&str
andE
isstd::io::Error
, there would be a call ofstd::io::Error::drop
in which the reference received by theDrop
impl does not refer to a valid value of typestd::io::Error
, but instead to&str
.If downcasting to
D
, there remains a value of typeE
to be dropped. WhenD
andE
do not happen to be the same size,E
's drop behavior is incorrectly executed in the wrong location. The reference received by theDrop
impl may point left or right of the realE
value that is meant to be getting dropped.In both cases, when the
Report
contains an errorE
that has nontrivial drop behavior, the most likely outcome is memory corruption.When the
Report
contains an errorE
that has trivial drop behavior (for example aUtf8Error
) but whereD
has nontrivial drop behavior (such asString
), the most likely outcome is that downcasting toE
would leakD
.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.