GHSA-8f24-6m29-wm2r: 
Rust vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the tracing Rust crate (versions >= 0.1.38, < 0.1.40), identified as GHSA-8f24-6m29-wm2r. The vulnerability was found in the implementation of the Instrumented::into_inner method, which contained undefined behavior due to incorrect use of std::mem::forget. The issue was discovered and disclosed in October 2023, with a fix released in version 0.1.40 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from creating *const pointers to self, calling mem::forget(self), and then attempting to move values out of those pointers using std::ptr::read. According to the mem::forget documentation, while resources managed by the value will persist, pointer validity is not guaranteed. This could potentially result in a stack use-after-free if LLVM chooses to reuse self's stack slot for rebinding after the call to std::mem::forget. While this undefined behavior had not been observed to cause miscompilation as of Rust 1.73.0, any use of this method with the affected versions was considered unsound (GitHub Advisory).

The vulnerability could potentially lead to stack use-after-free conditions, though no actual exploits or miscompilations were observed in practice. The issue affects any applications using the Instrumented::into_inner method in the affected versions of the tracing crate (RustSec Advisory).

The vulnerability was fixed in tracing version 0.1.40 by replacing the use of std::mem::forget with std::mem::ManuallyDrop, ensuring that the stack slot is not reused and the pointers remain valid when they are read. All affected versions have been yanked from crates.io. Users should upgrade to version 0.1.40 or later to address this issue (GitHub Release).

The community response was swift and collaborative, with developers Taylor Cramer and Manish Goregaokar identifying and correcting the issue. The fix was implemented through PR #2765 and received positive acknowledgment from the community (GitHub PR).