rustsec · shinmao · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023
diff --git a/crates/crayon/RUSTSEC-0000-0000.md b/crates/crayon/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "crayon"
+date = "2023-09-06"
+url = "https://github.com/shawnscode/crayon/issues/108"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Uninitialized memory exposure in several safe functions
+The safe functions `DataBuffer::extend`, `DataBuffer::extend_from_slice`, and `video::assets::mesh::IndexFormat::encode` all allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory.
diff --git a/crates/data-buffer/RUSTSEC-0000-0000.md b/crates/data-buffer/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "data-buffer"
+date = "2023-09-06"
+url = "https://github.com/elrnv/buffer/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `push` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
+
+Note: The crate is not maintained anymore.
diff --git a/crates/dtb/RUSTSEC-0000-0000.md b/crates/dtb/RUSTSEC-0000-0000.md
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "dtb"
+date = "2023-08-11"
+url = "https://github.com/ababo/dtb/issues/11"
+informational = "unsound"
+keywords = ["alignment"]
+
+[affected]
+functions = { "dtb::struct_item::transmute_buf" = ["<= 0.2.0"], "dtb::struct_item::value_u32_list" = ["<= 0.2.0"], "dtb::reader::next_item" = ["<= 0.2.0"], "dtb::reader::read_property" = ["<= 0.2.0"], "dtb::reader::get_header" = ["<= 0.2.0"], "dtb::writer::get_reserved_mem" = ["<= 0.2.0"] }
+
+[versions]
+patched = []
+```
+
+# Unsound implementation in several functions
+In function `transmute_buf`, it casted an immutable pointer to mutable pointer leading to undefined behavior. In functions `value_u32_list`, `next_item`, `read_property`, `get_header`, `get_reserved_mem`, they all created misaligned pointer by casting and deref the resulted pointers.
diff --git a/crates/endian-type-rs/RUSTSEC-0000-0000.md b/crates/endian-type-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "endian-type-rs"
+date = "2023-09-04"
+url = "https://gitlab.com/ertos/endian-type-rs/-/issues/1"
+informational = "unsound"
+keywords = ["alignment", "type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation in `from_bytes`
+The safe functions `from_bytes` implemented on `BigEndian` and `LittleEndian` allow `u8` byte slice to cast to arbitrary types. If the arbitrary type is the type aligned to larger bytes such as `u16`, it could create a misaligned pointer and dereference in the function. If the arbitrary type is `bool` which only allows 0/1 as bit patterns, then the function can create an invalid type and leads to undefined behavior
diff --git a/crates/fyrox-core/RUSTSEC-0000-0000.md b/crates/fyrox-core/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "fyrox-core"
+date = "2023-09-28"
+url = "https://github.com/FyroxEngine/Fyrox/issues/538"
+categories = ["denial-of-service"]
+keywords = ["alignment"]
+
+[versions]
+patched = [">= 0.25.0"]
+```
+
+# Unsound creation of `Vec` from misaligned pointer
+In the function `visit`, the pointer to `u8` was allowed to cast to the pointer of any types implementing the trait `PodVecView`. However, the trait can't stop the misalignment issues from happening. The internal usage of library tried to cast the `u8` pointer to `f32` pointer which could lead to undefined behavior.
+
+The code has been patched and waited for release in latest version.
diff --git a/crates/gfx-backend-gl/RUSTSEC-0000-0000.md b/crates/gfx-backend-gl/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "gfx-backend-gl"
+date = "2023-09-28"
+url = "https://github.com/gfx-rs/gfx/issues/3795"
+categories = ["denial-of-service"]
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Unsound creation of slice from misaligned pointer
+In the function `get`, the pointer to `u8` was allowed to cast to arbitrary types including `f32/f64/i32` which could create a misaligned pointer. When users pass the pointer to `slice::from_raw_parts`, users should guarantee that the pointer is aligned by themselves; otherwise, it could lead to undefined behavior.
diff --git a/crates/granne/RUSTSEC-0000-0000.md b/crates/granne/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "granne"
+date = "2023-09-03"
+url = "https://github.com/granne/granne/issues/25"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows accessing arbitrary `struct` as bytes
+The safe function `write_as_bytes` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `slice::from_raw_parts` and expose the uninitialized memory.
diff --git a/crates/hash-rs/RUSTSEC-0000-0000.md b/crates/hash-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hash-rs"
+date = "2023-08-11"
+url = "https://github.com/asukharev/hash-rs/issues/2"
+informational = "unsound"
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation to misaligned pointer dereference
+Three affected functions `sha1::from`, `sha3::from`, and `sha3::xor_with` all casted the type aligned to 1 byte to larger aligned type, and deref the misaligned pointers to return them. Misaligned pointer dereference would lead to undefined behavior.
diff --git a/crates/libafl/RUSTSEC-0000-0000.md b/crates/libafl/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "libafl"
+date = "2023-09-20"
+url = "https://github.com/AFLplusplus/LibAFL/issues/1526"
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Create slice from misaligned pointer
+
+In the safe function `post_exec`, the u8 raw pointer was cast to u16 pointer and passed to `core::slice::from_raw_parts_mut` which requires the pointer to be aligned. The unsound implementation could lead to undefined behavior.
+
+Note: The issue has been approved and fixed by authors. The patched version could be released after the pull request got reviewed.
diff --git a/crates/mpack/RUSTSEC-0000-0000.md b/crates/mpack/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mpack"
+date = "2023-09-06"
+url = "https://github.com/dradtke/mpack/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `write_ext` allows users to write arbitrary types as bytes into buffer. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
diff --git a/crates/pipe-channel/RUSTSEC-0000-0000.md b/crates/pipe-channel/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pipe-channel"
+date = "2023-09-06"
+url = "https://github.com/bugaevc/pipe-channel/issues/4"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows accessing uninitialized memory in `send` and `recv`
+The safe function `send` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory. In the safe function `recv`, `uninit()` is called on `MaybeUninit` before initialization. In this case, uninitialized memory could be exposed to `slice::from_raw_parts_mut()`.
diff --git a/crates/radixt/RUSTSEC-0000-0000.md b/crates/radixt/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "radixt"
+date = "2023-09-06"
+url = "https://github.com/marekgalovic/radixt/issues/1"
+informational = "unsound"
+keywords = ["misalignment"]
+
+[versions]
+patched = []
+```
+
+# Multiple misaligned pointer dereference in safe functions
+There are several safe functions in the crate made a misaligned pointer dereference and lead to undefined behavior. Simple `cargo test` could reproduce the issue.
diff --git a/crates/rafx-base/RUSTSEC-0000-0000.md b/crates/rafx-base/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rafx-base"
+date = "2023-09-06"
+url = "https://github.com/aclysma/rafx/issues/255"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `memory::any_as_bytes` and `memory::any_slice_as_bytes` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
+
+Note: Even though the author of the crate claimed that "this project does not follow typical guidance for the usage of unsafe". Based on the violation of office rust safety, we still send the report as a warning.
diff --git a/crates/rendy/RUSTSEC-0000-0000.md b/crates/rendy/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rendy"
+date = "2023-09-06"
+url = "https://github.com/amethyst/rendy/issues/328"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe function `cast_slice` allows users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee and expose the uninitialized memory.
diff --git a/crates/runes/RUSTSEC-0000-0000.md b/crates/runes/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "runes"
+date = "2023-09-06"
+url = "https://github.com/Determinant/runes/issues/2"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Allows uninitialized memory exposure in safe function
+The safe functions `load_prefix` and `save_prefix` both allow users to cast arbitrary types as bytes. If user provides a `struct` type with padding bytes, it could violate the safety guarantee of `func` and expose the uninitialized memory.
diff --git a/crates/skyline/RUSTSEC-0000-0000.md b/crates/skyline/RUSTSEC-0000-0000.md
@@ -0,0 +1,14 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "skyline"
+date = "2023-09-03"
+informational = "unsound"
+url = "https://github.com/ultimate-research/skyline-rs/issues/32"
+
+[versions]
+patched = []
+```
+
+# `hex_dump_ptr` allows uninitialized memory exposure
+The function allows arbitrary types to be cast to `u8` type. If the user-provided type contains padding bytes, then dereference the resulting type would cause to undefined behavior.
diff --git a/crates/spl-token-swap/RUSTSEC-0000-0000.md b/crates/spl-token-swap/RUSTSEC-0000-0000.md
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "spl-token-swap"
+date = "2023-09-28"
+url = "https://github.com/solana-labs/solana-program-library/issues/5243"
+categories = ["denial-of-service"]
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Multiple unsoundness issues in public function `instruction::unpack`
+The safe function `instruction::unpack` is unsound and accessible to users.  
+
+The safe function allows misaligned pointer dereference:
+```rs
+use spl_token_swap::instruction::unpack;
+
+fn main() {
+    let a: [u8; 3] = [3; 3];
+    let up = unpack::<u16>(&a).unwrap();
+    println!("{}", up);
+}
+```
+which will lead to panic.
+
+The function also allows breaking validity invariant, e.g.,
+```rs
+fn main() {
+    let a: [u8; 3] = [3; 3];
+    let up = unpack::<bool>(&a).unwrap();
+    println!("{}", up);
+}
+```
+Miri will show that the value of boolean is invalid here.
diff --git a/crates/uhyve/RUSTSEC-0000-0000.md b/crates/uhyve/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "uhyve"
+date = "2023-10-26"
+url = "https://github.com/hermit-os/uhyve/issues/571"
+categories = ["denial-of-service"]
+keywords = ["alignment"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation lead to misaligned pointer dereference
+There are several functions having unsound implementation which can lead to misaligned pointer dereference. Among these functions, One (`ring_elem`) allows casting `u8` pointer to arbitrary type and dereference it, and other are implementing concrete type casting and lead to same issues.
+
+PoC can be found in link.
diff --git a/crates/unicode_converter/RUSTSEC-0000-0000.md b/crates/unicode_converter/RUSTSEC-0000-0000.md
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "unicode_converter"
+date = "2023-08-11"
+url = "https://github.com/Arkaeriit/unicode_converter/issues/1"
+informational = "unsound"
+keywords = ["alignment"]
+
+[affected]
+functions = { "unicode_converter::endian_aware_byte_streamer::conv_to_u64" = ["< 0.1.2"] }
+
+[versions]
+patched = [">= 0.1.2"]
+```
+
+# Unsound implementation of `conv_to_u64`
+The function casted arbitrary type to `u64` and deref the misaligned pointer. Misaligned pointer dereference would lead to undefined behavior in safe function.
diff --git a/crates/xous/RUSTSEC-0000-0000.md b/crates/xous/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "xous"
+date = "2023-09-11"
+url = "https://github.com/betrusted-io/xous-core/issues/410"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Unsound implementation of `MemoryRange::as_slice` and `as_slice_mut`
+The implementation of functions cast the pointer of any bit patterns to arbitrary types, which can break the validity invariants for types. The functions should be declared as unsafe so that users should take care of the values when they create the pointer. At this timeline, authors of the package has submitted the PR for `unsafe` declaration and still under review.
diff --git a/crates/zub/RUSTSEC-0000-0000.md b/crates/zub/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "zub"
+date = "2023-09-11"
+url = "https://github.com/nilq/zub-vm/issues/14"
+informational = "unsound"
+keywords = ["type-confusion"]
+
+[versions]
+patched = []
+```
+
+# Broken validity invariants in safe functions
+The safe functions `from_float` and `from_tag` allow `f64` to transmute to arbitrary types which could be specified in `TaggedHandle`. The values of `f64` can be illegal for other types such as `bool`. It can break the validity invariants of types in the program.