Skip to content

/ rust-smallvec

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

from_elem is unsound when clone can panic #101

Closed
mbrubeck opened this issue Jun 14, 2018 · 2 comments
Closed

from_elem is unsound when clone can panic #101

mbrubeck opened this issue Jun 14, 2018 · 2 comments
Assignees
@mbrubeck
Labels
bug

Comments

@mbrubeck
Copy link
Contributor

@mbrubeck mbrubeck commented Jun 14, 2018

If clone panics during SmallVec::from_elem then uninitialized memory is dropped. [Original report by dbaupp on Reddit.]

This bug was introduced by #93 which is not yet included in the latest published release (0.6.2).

The suggested solution is to use something like SetLenOnDrop to make sure the length is set correctly when destructors run, without inhibiting optimizations.
@mbrubeck mbrubeck added the bug label Jun 14, 2018
mbrubeck added a commit to mbrubeck/rust-smallvec that referenced this issue Jul 18, 2018
@mbrubeck
Make from_elem panic-safe
54bc182 
Fixes servo#101
@mbrubeck mbrubeck mentioned this issue Jul 18, 2018
Merged
@mbrubeck mbrubeck self-assigned this Jul 18, 2018
mbrubeck added a commit to mbrubeck/rust-smallvec that referenced this issue Jul 18, 2018
@mbrubeck
Make from_elem panic-safe
1f40252 
Fixes servo#101
bors-servo added a commit that referenced this issue Jul 19, 2018
@bors-servo
Auto merge of #103 - mbrubeck:panic, r=jdm
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
8fd2b9b 
Panic-safety fixes

* Make from_elem panic-safe.  Fixes #101.
* Make insert_many panic-safe.  Fixes #96.

r? @SimonSapin or @jdm.  cc @Vurich

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/rust-smallvec/103)
<!-- Reviewable:end -->
@Shnatsel Shnatsel mentioned this issue Jun 23, 2019
Open
0 of 9 tasks complete
@Phosphorus15
Copy link

@Phosphorus15 Phosphorus15 commented Jul 17, 2019

Dropping unintialized memory could be considered a vulnerability, which is equivalent to use after free. I suggest submitting a ticket to Rust security advisory database just like #96 do. @Shnatsel @mbrubeck
@Shnatsel
Copy link

@Shnatsel Shnatsel commented Jul 17, 2019

This bug never made it into a release. No dependencies were ever affected, so no need for an advisory.

We still have #156 outstanding though
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mbrubeck mbrubeck

Labels
bug
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@mbrubeck @Shnatsel @Phosphorus15
You can’t perform that action at this time.