RUSTSEC-2021-0124: Data race when sending and receiving after closing a oneshot channel #3581

Closed
github-actions bot opened this issue Nov 17, 2021 · 2 comments

Comments

@github-actions

Data race when sending and receiving after closing a oneshot channel

Details
Package tokio
Version 0.2.25
URL tokio-rs/tokio#4225
Date 2021-11-16
Patched versions >=1.8.4, <1.9.0,>=1.13.1
Unaffected versions <0.1.14

If a tokio::sync::oneshot channel is closed (via the
oneshot::Receiver::close method), a data race may occur if the
oneshot::Sender::send method is called while the corresponding
oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves
of the channel can concurrently access a shared memory location, resulting in a
data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used
after the Receiver half has called close. Code where close is not used, or where the
Receiver is not awaited and try_recv is not called after calling close,
is not affected.

See tokio#4225 for more details.

See advisory page for additional details.
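
To see which `tokio` entries in a `Cargo.lock` fall inside the ranges in the Details table above, the following added example (not code from the advisory or from tokio) classifies each locked version. The function names and the sample lockfile are constructed for illustration, and versions are assumed to be plain `x.y.z`.

```rust
#[derive(Debug, PartialEq)]
enum Status { Unaffected, Patched, Vulnerable }

// Parse "x.y.z"; a pre-release or build suffix is ignored (assumption).
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(v) }
}

// Ranges copied from the advisory's Details table.
fn classify(v: (u64, u64, u64)) -> Status {
    if v < (0, 1, 14) {
        Status::Unaffected
    } else if (v >= (1, 8, 4) && v < (1, 9, 0)) || v >= (1, 13, 1) {
        Status::Patched
    } else {
        Status::Vulnerable
    }
}

// Return (version, status) for each `tokio` [[package]] entry in a Cargo.lock.
fn audit_lockfile(lock: &str) -> Vec<(String, Status)> {
    let mut found = Vec::new();
    let mut in_tokio = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_tokio = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_tokio = name.trim_matches('"') == "tokio";
        } else if let Some(ver) = line.strip_prefix("version = ").filter(|_| in_tokio) {
            let ver = ver.trim_matches('"');
            // Fail closed: an unparseable version is reported as vulnerable.
            let status = parse_version(ver).map_or(Status::Vulnerable, classify);
            found.push((ver.to_string(), status));
        }
    }
    found
}

// Constructed sample using the two tokio versions mentioned in this thread.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"tokio\"\nversion = \"0.2.25\"\n\n\
[[package]]\nname = \"tokio\"\nversion = \"1.13.0\"\n\n\
[[package]]\nname = \"tokio-util\"\nversion = \"0.6.9\"\n";

fn main() {
    for (v, s) in audit_lockfile(SAMPLE_LOCK) { println!("tokio {}: {:?}", v, s); }
}
```

A `Patched` result only means the locked version is outside the advisory's affected ranges; `cargo audit` remains the authoritative check.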

@delta1
Contributor

delta1 commented Nov 17, 2021

There's a whole bunch of deps using tokio v1.13.0 and it looks like tower v0.3.1 is using tokio v0.2.25

delta1 pushed a commit to delta1/tari that referenced this issue Nov 19, 2021
@delta1
Contributor

delta1 commented Nov 19, 2021

#3595

@delta1 delta1 closed this as completed Nov 19, 2021
aviator-app bot pushed a commit that referenced this issue Nov 19, 2021
Description
---
Upgrades dependencies from cargo audit alerts 

Motivation and Context
---
#3581 

How Has This Been Tested?
---
cargo audit, cargo test
sdbondi added a commit to sdbondi/tari that referenced this issue Nov 22, 2021
* development:
  feat: language detection for mnemonic seed words (tari-project#3590)
  chore: minor clippy fixes (tari-project#3576)
  fix: be more permissive of responses for the incorrect request_id (tari-project#3588)
  feat: track ping failures and disconnect (tari-project#3597)
  chore: upgrade tokio deps tari-project#3581 (tari-project#3595)
  feat: standardize output hash for unblinded output, transaction output and transaction input (tari-project#3592)
  fix: allow bullet proof value only rewinding off one-sided transaction (tari-project#3587)
  refactor: update miningcore repository links (tari-project#3593)
  refactor: clean up unwraps in wallet_ffi (tari-project#3585)
  fix: update daily test start times and seed phrase (tari-project#3584)
  fix: allow bullet proof value only rewinding in atomic swaps (tari-project#3586)
  v0.21.2
  fix: remove delay from last request latency call
sdbondi added a commit to sdbondi/tari that referenced this issue Nov 23, 2021
* development: (46 commits)
  refactor: remove tari_common dependency from tari_comms (tari-project#3580)
  feat: language detection for mnemonic seed words (tari-project#3590)
  chore: minor clippy fixes (tari-project#3576)
  fix: be more permissive of responses for the incorrect request_id (tari-project#3588)
  feat: track ping failures and disconnect (tari-project#3597)
  chore: upgrade tokio deps tari-project#3581 (tari-project#3595)
  feat: standardize output hash for unblinded output, transaction output and transaction input (tari-project#3592)
  fix: allow bullet proof value only rewinding off one-sided transaction (tari-project#3587)
  refactor: update miningcore repository links (tari-project#3593)
  refactor: clean up unwraps in wallet_ffi (tari-project#3585)
  fix: update daily test start times and seed phrase (tari-project#3584)
  fix: allow bullet proof value only rewinding in atomic swaps (tari-project#3586)
  v0.21.2
  feat: add atomic swap refund transaction handling (tari-project#3573)
  feat: improve wallet connectivity status for console wallet (tari-project#3577)
  v0.21.1
  feat: add error codes to LibWallet for CipherSeed errors (tari-project#3578)
  ci: split cucumber job into two (tari-project#3583)
  feat(wallet): import utxo’s as EncumberedToBeReceived rather than Unspent (tari-project#3575)
  docs: rfc 0250_Covenants (tari-project#3574)
  ...