{"id":"RUSTSEC-2021-0095","summary":"`mopa` is technically unsound","details":"The `mopa` crate redefines the deprecated `TraitObject` struct from `core::raw` like so:\n```rust\n#[repr(C)]\n#[derive(Copy, Clone)]\n#[doc(hidden)]\npub struct TraitObject {\n    pub data: *mut (),\n    pub vtable: *mut (),\n}\n```\nThis is done to then transmute a reference to a trait object (`&dyn Trait` for any trait `Trait`) into this struct and retrieve the `data` field for the purpose of downcasting. This is used to implement `downcast_ref_unchecked()`, in terms of which `downcast_ref()` is also implemented. Same goes for mutable reference downcasting and `Box` downcasting.\n\nThe Rust compiler explicitly reserves the right to change the memory layout of `&dyn Trait` for any trait `Trait`. The worst case scenario is that it swaps `data` and `vtable`, making an executable location breach and compromisation of ASLR possible, since reads from `data` would read `vtable` instead. Likewise, arbitrary code execution is also theoretically possible if reads of `vtable` generated by the compiler read `data` instead.\n\nWhile, as of Rust 1.52, this unsound assumption still holds true, updating the compiler may silently create UB in a crate which previously compiled and run without issues, compromising the security of builds which are believed to be reproducible.\n\nA potential strategy to resolve this has already been suggested in an issue on the GitHub repository of the crate.","aliases":["CVE-2021-45695","GHSA-2gxj-qrp2-53jv","GHSA-8mv5-7x95-7wcf"],"modified":"2023-11-08T04:07:22.377459Z","published":"2021-06-01T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/mopa"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0095.html"},{"type":"REPORT","url":"https://github.com/chris-morgan/mopa/issues/13"}],"affected":[{"package":{"name":"mopa","ecosystem":"crates.io","purl":"pkg:cargo/mopa"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0095.json","cvss":null,"categories":["memory-corruption","memory-exposure","code-execution"]}}],"schema_version":"1.7.3"}