{"id":"RUSTSEC-2021-0013","summary":"Soundness issues in `raw-cpuid`","details":"## Undefined behavior in `as_string()` methods\n\n`VendorInfo::as_string()`, `SoCVendorBrand::as_string()`,\nand `ExtendedFunctionInfo::processor_brand_string()` construct byte slices\nusing `std::slice::from_raw_parts()`, with data coming from\n`#[repr(Rust)]` structs. This is always undefined behavior.\n\nSee https://github.com/gz/rust-cpuid/issues/40.\n\nThis flaw has been fixed in v9.0.0, by making the relevant structs\n`#[repr(C)]`.\n\n## `native_cpuid::cpuid_count()` is unsound\n\n`native_cpuid::cpuid_count()` exposes the unsafe `__cpuid_count()` intrinsic\nfrom `core::arch::x86` or `core::arch::x86_64` as a safe function, and uses\nit internally, without checking the\n[safety requirement](https://doc.rust-lang.org/core/arch/index.html#overview):\n\n\u003e The CPU the program is currently running on supports the function being\n\u003e called.\n\nCPUID is available in most, but not all, x86/x86_64 environments. The crate\ncompiles only on these architectures, so others are unaffected.\n\nThis issue is mitigated by the fact that affected programs are expected\nto crash deterministically every time.\n\nSee https://github.com/gz/rust-cpuid/issues/41.\n\nThe flaw has been fixed in v9.0.0, by intentionally breaking compilation\nwhen targeting SGX or 32-bit x86 without SSE. This covers all affected CPUs.","aliases":["CVE-2021-26306","CVE-2021-26307","GHSA-hvqc-pc78-x9wh","GHSA-jrf8-cmgg-gv2m"],"modified":"2023-11-08T04:05:20.849093Z","published":"2021-01-20T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/raw-cpuid"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0013.html"},{"type":"WEB","url":"https://github.com/RustSec/advisory-db/pull/614"}],"affected":[{"package":{"name":"raw-cpuid","ecosystem":"crates.io","purl":"pkg:cargo/raw-cpuid"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"9.0.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"arch":["x86","x86_64"],"os":[]}},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0013.json","cvss":null,"categories":["memory-corruption","denial-of-service"]}}],"schema_version":"1.7.3"}