New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Rust enum repr qualification #177

Merged
merged 3 commits into from Sep 27, 2018

Conversation

Projects
None yet
3 participants
@9prady9
Copy link
Member

9prady9 commented Sep 27, 2018

Fixes #176

@9prady9 9prady9 merged commit a5256f3 into arrayfire:master Sep 27, 2018

@9prady9 9prady9 deleted the 9prady9:fix_enum_repr branch Sep 27, 2018

@Shnatsel

This comment has been minimized.

Copy link

Shnatsel commented Dec 8, 2018

Memory corruption is potentially a security issue. I've only skimmed the code, but it seems that a buffer overflow could happen because of incorrect in-memory representation of a field affecting the amount of memory to operate on.

Please add this issue to the Rust security advisory database so people could check if they're running a vulnerable version and upgrade.

@9prady9

This comment has been minimized.

Copy link
Member Author

9prady9 commented Dec 9, 2018

@Shnatsel Thank you for sharing it.

I am not quite sure how to present this as per rust-sec template because it doesn't ask at which verion of rust the issue starts to appear.

As per investigation reported on #176 , there doesn't seem to be any issue on crate versions 3.5.0 or earlier wtih Rust 1.27 or earlier. The issue appears from rust 1.28 and as per Rust's 1.28.0 release notes, it is the version where #[repr(transparent)] attribute was stabilized. I wonder if it has something to do with that. Additionally, this happened only with MSVC toolchain.

What do you think of this scenario ?

@Shnatsel

This comment has been minimized.

Copy link

Shnatsel commented Dec 9, 2018

Hmm, I'm not sure. @tarcieri what do you think?

@tarcieri

This comment has been minimized.

Copy link

tarcieri commented Dec 9, 2018

@9prady9 is correct we presently have no way to file advisories which only apply to certain Rust versions.

Failing that however, you can just file the advisory for all impacted versions of the crate, regardless of the Rust version. Users of Rust versions older than 1.28 may see a "false positive", but since it seems to impact all versions going forward I'm not sure how much that matters.

@9prady9

This comment has been minimized.

Copy link
Member Author

9prady9 commented Dec 12, 2018

So, what do you guys suggest ?

@tarcieri

This comment has been minimized.

Copy link

tarcieri commented Dec 12, 2018

File an advisory and include information about the impacted Rust version in the description. It may cause some false positives, but I think that's the best you can do for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment