Описание
crossbeam-channel Vulnerable to Double Free on Drop
The internal Channel type's Drop method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.
Quoting from the upstream description in merge request #1187:
The problem lies in the fact that
dicard_all_messagescontained two paths that could lead tohead.blockbeing read but only one of them would swap the value. This meant thatdicard_all_messagescould end up observing a non-null block pointer (and therefore attempting to free it) without settinghead.blockto null. This would then lead toChannel::dropmaking a second attempt at dropping the same pointer.
The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.
The fix is in upstream MR #1187 and has been published in 0.5.15
Пакеты
crossbeam-channel
>= 0.5.11, < 0.5.15
0.5.15
Связанные уязвимости
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` ...
