Skip to content

`tokio::io::ReadHalf<T>::unsplit` is Unsound

Low severity GitHub Reviewed Published Feb 4, 2023 to the GitHub Advisory Database

Package

cargo tokio (Rust)

Affected versions

>= 1.21.0, < 1.24.2
>= 1.19.0, < 1.20.4
>= 0.2.0, < 1.18.5

Patched versions

1.24.2
1.20.4
1.18.5

Description

tokio::io::ReadHalf<T>::unsplit can violate the Pin contract

The soundness issue is described in the tokio/issues#5372

Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf)
is unusual, combined with the difficulty of making any arbitrary use-after-free
exploitable in Rust without doing a lot of careful alignment of data types in
the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this
soundness issue.

Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e
and carllerche appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not
affected by this issue.

References

Published to the GitHub Advisory Database Feb 4, 2023
Reviewed Feb 4, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-4q83-7cq4-p6wg

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.