{"id":"RUSTSEC-2020-0006","summary":"Flaw in `realloc` allows reading unknown memory","details":"When `realloc`ing, if we allocate new space, we need to copy the old\nallocation's bytes into the new space. There are `old_size` number of bytes in\nthe old allocation, but we were accidentally copying `new_size` number of bytes,\nwhich could lead to copying bytes into the realloc'd space from past the chunk\nthat we're bump allocating out of, from unknown memory.\n\nIf an attacker can cause `realloc`s, and can read the `realoc`ed data back,\nthis could allow them to read things from other regions of memory that they\nshouldn't be able to. For example, if some crypto keys happened to live in\nmemory right after a chunk we were bump allocating out of, this could allow\nthe attacker to read the crypto keys.\n\nBeyond just fixing the bug and adding a regression test, I've also taken two\nadditional steps:\n\n1. While we were already running the testsuite under `valgrind` in CI, because\n   `valgrind` exits with the same code that the program did, if there are\n   invalid reads/writes that happen not to trigger a segfault, the program can\n   still exit OK and we will be none the wiser. I've enabled the\n   `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail\n   in these scenarios.\n\n2. I've written a quickcheck test to exercise `realloc`. Without the bug fix\n   in this patch, this quickcheck immediately triggers invalid reads when run\n   under `valgrind`. We didn't previously have quickchecks that exercised\n   `realloc` because `realloc` isn't publicly exposed directly, and instead\n   can only be indirectly called. This new quickcheck test exercises `realloc`\n   via `bumpalo::collections::Vec::resize` and\n   `bumpalo::collections::Vec::shrink_to_fit` calls.","aliases":["CVE-2020-35861","GHSA-vqx7-pw4r-29rr"],"modified":"2023-11-08T04:03:36.095714Z","published":"2020-03-24T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/bumpalo"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0006.html"},{"type":"REPORT","url":"https://github.com/fitzgen/bumpalo/issues/69"}],"affected":[{"package":{"name":"bumpalo","ecosystem":"crates.io","purl":"pkg:cargo/bumpalo"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.2.1"}]}],"ecosystem_specific":{"affects":{"functions":[],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0006.json","categories":["memory-exposure"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}