Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseGHSA-rvr2-r3pv-5m4p
GHSA-rvr2-r3pv-5m4p:
Rust vulnerability analysis and mitigation
There is a race condition that can lead to a use-after-free if a oneshot::Receiver is polled but then dropped instead of polled to completion. This could happen if the receiver future was cancelled while receiving, for example by being wrapped in a timeout future or similar.
When the Receiver is polled (Future::poll) it writes a waker to the channel and sets it to the RECEIVING state. If the Receiver was then dropped (instead of polled to completion), the Drop implementation on Receiver unconditionally swapped the channel state to DISCONNECTED and only after doing so it read back its waker from the heap allocation and dropped it. The problem is that the DISCONNECTED state could be observed by the Sender, which would lead to it deallocating the channel heap memory. If the Sender manage to free the channel before the Receiver managed to proceed to dropping the waker, then the Receiver would read from the freed channel memory (Use After Free).
The fix was submitted in https://github.com/faern/oneshot/pull/74 and published as part of oneshot version 0.1.12.
Source: NVD
Related Rust vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management