Description
Use after free in nano_arena
Affected versions of this crate assumed that Borrow was guaranteed to return the same value on each call to .borrow(). The borrowed index value was used to retrieve a mutable reference to a value.
If the Borrow implementation returned a different index, the split arena would allow retrieving the index as a mutable reference, creating two mutable references to the same element. This violates Rust's aliasing rules and allows for memory safety issues such as writing out of bounds and use-after-frees.
The flaw was corrected in commit 6b83f9d by storing the .borrow() value in a temporary variable.
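The check-then-use pattern described above, as an added example that is not code from nano_arena or from the fixing commit. `Flaky`, `Split`, `rest_allows`, `lookup_double` and `lookup_once` are hypothetical names, and the model stays in safe Rust by returning the index that would have been dereferenced instead of a mutable reference.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

// Hypothetical key type: its Borrow<usize> impl alternates between two indices.
struct Flaky { calls: Cell<usize>, slots: [usize; 2] }

impl Borrow<usize> for Flaky {
    fn borrow(&self) -> &usize {
        let n = self.calls.get();
        self.calls.set(n + 1);
        &self.slots[n % 2]
    }
}

// Toy model of a split arena (not nano_arena's API): slot `selected` is already
// lent out mutably, so the remaining half must never hand it out again.
struct Split { selected: usize, len: usize }

impl Split {
    fn rest_allows(&self, idx: usize) -> bool {
        idx < self.len && idx != self.selected
    }
}

// Flawed pattern: borrow() runs once for the check and again for the use.
fn lookup_double<K: Borrow<usize>>(split: &Split, key: &K) -> Option<usize> {
    if split.rest_allows(*<K as Borrow<usize>>::borrow(key)) {
        Some(*<K as Borrow<usize>>::borrow(key)) // may name a different slot
    } else {
        None
    }
}

// Corrected pattern: borrow() runs once, so the checked value is the used value.
fn lookup_once<K: Borrow<usize>>(split: &Split, key: &K) -> Option<usize> {
    let idx = *<K as Borrow<usize>>::borrow(key);
    if split.rest_allows(idx) { Some(idx) } else { None }
}

fn main() {
    let split = Split { selected: 0, len: 4 };
    let key = || Flaky { calls: Cell::new(0), slots: [1, 0] };
    println!("double: {:?}", lookup_double(&split, &key())); // guard is bypassed
    println!("once:   {:?}", lookup_once(&split, &key()));
}
```

When auditing unsafe code that is generic over Borrow, AsRef, Deref or similar traits, treat every call as potentially returning a different value and look for any place where a checked result is recomputed before use.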
Packages
nano_arena: affected versions < 0.5.2; patched version 0.5.2
Related vulnerabilities
An issue was discovered in the nano_arena crate before 0.5.2 for Rust. There is an aliasing violation in split_at because two mutable references can exist for the same element, if Borrow<Idx> behaves in certain ways. This can have a resultant out-of-bounds write or use-after-free.