{"id":"RUSTSEC-2021-0124","summary":"Data race when sending and receiving after closing a `oneshot` channel","details":"If a `tokio::sync::oneshot` channel is closed (via the\n[`oneshot::Receiver::close`] method), a data race may occur if the\n`oneshot::Sender::send` method is called while the corresponding\n`oneshot::Receiver` is `await`ed or calling `try_recv`.\n\nWhen these methods are called concurrently on a closed channel, the two halves\nof the channel can concurrently access a shared memory location, resulting in a\ndata race. This has been observed to [cause memory corruption][corruption].\n\nNote that the race only occurs when **both** halves of the channel are used\nafter the `Receiver` half has called `close`. Code where `close` is not used, or where the\n`Receiver` is not `await`ed and `try_recv` is not called after calling `close`,\nis not affected.\n\nSee [tokio#4225][issue] for more details.\n\n[corruption]: https://github.com/tokio-rs/tokio/issues/4225#issuecomment-967434847\n[issue]: https://github.com/tokio-rs/tokio/issues/4225\n[`oneshot::Receiver::close`]: https://docs.rs/tokio/1.14.0/tokio/sync/oneshot/struct.Receiver.html#method.close","aliases":["CVE-2021-45710","GHSA-fg7r-2g4j-5cgr"],"modified":"2023-11-08T04:07:23.239744Z","published":"2021-11-16T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tokio"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0124.html"},{"type":"REPORT","url":"https://github.com/tokio-rs/tokio/issues/4225"}],"affected":[{"package":{"name":"tokio","ecosystem":"crates.io","purl":"pkg:cargo/tokio"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.1.14"},{"fixed":"1.8.4"},{"introduced":"1.9.0"},{"fixed":"1.13.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":["tokio::sync::oneshot::Receiver::close"],"os":[]},"affected_functions":null},"database_specific":{"categories":["memory-corruption","thread-safety"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0124.json","cvss":null,"informational":null}}],"schema_version":"1.7.3"}