The vulnerability in `orx-pinned-vec` arises from the safe function `index_of_ptr` when it is called with an empty slice. The function attempts to locate a pointer within a slice by computing the memory range from the slice's start to its end. Specifically, the code performs the operation `ptr.add(slice.len() - 1)` to obtain a pointer to the last element. When `slice.len()` is zero, this calculation becomes `0 - 1`, resulting in a signed integer underflow. The underflow produces a huge, invalid pointer offset. Under Rust's strict safety guarantees, merely creating such a pointer, even if it is never dereferenced, is immediate undefined behavior (UB). This UB can lead to program crashes, unpredictable execution, or compiler misoptimizations, violating the safety the function's API is expected to provide.
Platform: Rust Crate
Version: < 1.3.2
Vulnerability: Undefined Behavior
Severity: Low
Date: 2024-10-21
Prediction: Patch expected 2024-10-28
What Undercode Says:
Check your dependency tree and pull the fixed release:

```shell
cargo audit
cargo update orx-pinned-vec
```

Code triggering the UB (the element type is assumed to be `u8`; the type token in the original was garbled):

```rust
// Code triggering the UB: an empty slice reaches `ptr.add(slice.len() - 1)`
let empty_slice: &[u8] = &[];
let _ = orx_pinned_vec::index_of_ptr(empty_slice.as_ptr(), &empty_slice);
```
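As an added illustration of the fix pattern (this is example code written for this page, not code from the `orx-pinned-vec` crate or its patch), the function below locates a pointer inside a slice without ever forming an out-of-bounds pointer. The argument order `(slice, ptr)` and the `Option<usize>` return type are assumptions for the example and do not necessarily match the crate's real signature. It guards the empty-slice case up front, does all range arithmetic on integer addresses (comparing integers is never UB), and also rejects the one-past-the-end pointer and pointers that land in the middle of an element.

```rust
use std::mem::size_of;

/// Locate `ptr` inside `slice` without constructing any out-of-bounds pointer.
///
/// Returns `Some(index)` when `ptr` points exactly at element `index` of
/// `slice`, and `None` otherwise: empty slice, pointer outside the slice,
/// one-past-the-end pointer, or a pointer into the middle of an element.
/// Signature is an assumption for this example, not the crate's own API.
pub fn index_of_ptr<T>(slice: &[T], ptr: *const T) -> Option<usize> {
    // The guard the vulnerable version lacked: an empty slice has no last
    // element, so `len() - 1` must never be evaluated.
    if slice.is_empty() {
        return None;
    }

    let size = size_of::<T>();
    let start = slice.as_ptr() as usize;
    let p = ptr as usize;

    if size == 0 {
        // Zero-sized elements all share one address; only index 0 is meaningful.
        return if p == start { Some(0) } else { None };
    }

    // A slice never exceeds isize::MAX bytes, so this product cannot overflow.
    // `end` is the exclusive one-past-the-end address.
    let end = start + slice.len() * size;
    if p < start || p >= end {
        return None;
    }

    let offset = p - start;
    if offset % size != 0 {
        // Points inside an element rather than at its start.
        return None;
    }
    Some(offset / size)
}

fn main() {
    let data = [10u32, 20, 30];
    let empty: &[u32] = &[];

    println!("{:?}", index_of_ptr(&data, &data[1] as *const u32)); // Some(1)
    println!("{:?}", index_of_ptr(empty, empty.as_ptr()));          // None
    println!("{:?}", index_of_ptr(&data, data.as_ptr_range().end)); // None
}
```

The key design choice is that every comparison happens on `usize` addresses obtained by casting the pointers, so no `ptr.add` or `ptr.offset` call is needed and the empty-slice path returns before any subtraction; the same shape works for any element type, including zero-sized ones.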
How it can be exploited:
Program Crash
Unexpected Behavior
Denial-of-Service
Protection from this CVE
Update to v1.3.2.
Avoid empty slices.
Use `cargo-audit`.
Impact:
Application Instability
Memory Corruption Potential
Safety Guarantee Violation
Sources:
Reported By: github.com