Hi there!
We scanned the most popular libraries on crates.io and found some memory safety bugs in this library.
<jenkins::spooky_hash::SpookyHasher as std::hash::Hasher>::write
The method is a public safe entry (trait Hasher::write) taking an attacker-controlled slice length. It uses unchecked arithmetic to compute new_length and uses new_length < SC_BUF_SIZE as the sole gate for an unsafe pointer offset and copy into a fixed-size array. In release, usize addition can wrap, so an attacker can make new_length appear small while self.m_remainder and/or bytes.len() are large, leading to offset(self.m_remainder) producing an out-of-bounds pointer and copy_nonoverlapping writing past m_data. This violates both no-overflow and in-bounds requirements for pointer arithmetic and memory copying.
PoC
use hashers::jenkins::spooky_hash::SpookyHasher;
use std::hash::Hasher;

fn main() {
    // Try every pair of write sizes so the second write lands on
    // different amounts of already-buffered data.
    for a in [1usize, 7, 15, 31, 63, 95, 127, 191, 255] {
        for b in [1usize, 7, 15, 31, 63, 95, 127, 191, 255] {
            // Fresh hasher per pair so each run starts with an empty buffer.
            let mut h = SpookyHasher::default();
            let bytes1 = vec![0xAAu8; a];
            let bytes2 = vec![0xBBu8; b];
            h.write(&bytes1);
            h.write(&bytes2);
            let _ = h.finish();
        }
    }
}
Miri Output
error: Undefined Behavior: constructing invalid value: encountered a dangling reference (going beyond the bounds of its allocation)
--> /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/hashers/1.0.1/hashers-1.0.1/src/jenkins/spooky_hash.rs:508:26
|
508 | unsafe { mem::transmute::<&[u8], &[Wrapping<u64>]>(&self.m_data) };
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
= note: BACKTRACE:
= note: inside `<hashers::jenkins::spooky_hash::SpookyHasher as std::hash::Hasher>::write` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/hashers/1.0.1/hashers-1.0.1/src/jenkins/spooky_hash.rs:508:26: 508:81
note: inside `main`
--> src/main.rs:24:13
|
24 | h.write(&bytes2);
| ^^^^^^^^^^^^^^^^
note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
error: aborting due to 1 previous error
We appreciate your work on this crate and hope this report helps improve its safety.
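The length gate described in the report, next to a checked variant with a bounds-checked copy, as an added example that is not code from the hashers crate or from the report. `Buffered`, `try_buffer`, `buffered`, both gate functions and the `SC_BUF_SIZE` value of 192 are assumptions made for illustration.

```rust
// Added illustration: names and the buffer size are assumptions, not the crate's code.
const SC_BUF_SIZE: usize = 192; // assumed value

/// Models the gate from the report: wrapping addition (what release builds
/// do on overflow) followed by a single `< SC_BUF_SIZE` comparison.
fn unchecked_gate(remainder: usize, len: usize) -> bool {
    remainder.wrapping_add(len) < SC_BUF_SIZE
}

/// Hardened gate: an overflowing sum is a failure, not a small number.
fn checked_gate(remainder: usize, len: usize) -> bool {
    matches!(remainder.checked_add(len), Some(n) if n < SC_BUF_SIZE)
}

struct Buffered {
    data: [u8; SC_BUF_SIZE],
    remainder: usize,
}

impl Buffered {
    fn new() -> Self {
        Buffered { data: [0; SC_BUF_SIZE], remainder: 0 }
    }

    /// Appends `bytes` to the partial buffer through bounds-checked slices.
    /// Returns false and leaves the state unchanged when the input does not
    /// fit, which is where a hasher would take its block-processing path.
    fn try_buffer(&mut self, bytes: &[u8]) -> bool {
        let Some(new_len) = self.remainder.checked_add(bytes.len()) else {
            return false;
        };
        if new_len >= SC_BUF_SIZE {
            return false;
        }
        self.data[self.remainder..new_len].copy_from_slice(bytes);
        self.remainder = new_len;
        true
    }

    /// The bytes buffered so far.
    fn buffered(&self) -> &[u8] {
        &self.data[..self.remainder]
    }
}

fn main() {
    let (rem, len) = (usize::MAX - 3, 8); // constructed values whose sum wraps to 4
    println!("unchecked: {}, checked: {}", unchecked_gate(rem, len), checked_gate(rem, len));
}
```
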