Listen to this Post
When a `oneshot::Receiver` future is polled, it transitions the internal channel state to `RECEIVING` and stores a waker on the heap. If this `Receiver` is then dropped before being polled to completion (e.g., due to a timeout), its `Drop` implementation immediately swaps the channel state to `DISCONNECTED` and then attempts to read and drop its stored waker from the heap allocation. Concurrently, a `Sender` observing the `DISCONNECTED` state may immediately deallocate the shared channel memory. This creates a narrow race window where the Receiver‘s drop logic can read the waker pointer from memory that has already been freed by the Sender, resulting in a use-after-free. This vulnerability can be triggered by wrapping the receiver in a future that may cancel it, such as a timeout. The fix ensures proper state synchronization and ordering to prevent the `Sender` from deallocating memory before the `Receiver` has safely retrieved its waker.
Platform: Rust Crate
Version: <0.1.12
Vulnerability: Race Condition
Severity: Critical
date: Disclosed 2021
Prediction: Patched 2021-08-31
What Undercode Say:
cargo audit cargo tree | grep oneshot
// Example triggering code structure tokio::time::timeout(duration, rx).await;
How Exploit:
Attacker controls Sender timing to cause memory corruption during Receiver drop, potentially leading to arbitrary code execution.
Protection from this CVE:
Update to >=0.1.12.
Impact:
Use-After-Free, possible RCE.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

