Unsound Sync implementation for ImmediateIO and TransactionalIO
#1
Comments
|
Heads up: this issue has been included in the RustSec advisory database. It will be surfaced by tools such as cargo-audit or cargo-deny from now on. Once a fix is released to crates.io, please open a pull request to update the advisory with the patched version, or file an issue on the advisory database repository. |
|
First of all thank you @Qwaz for the report, and apologies for somehow missing the original notification. I'll test the suggested fix as soon as I am able and publish an update. |
edarc
added a commit
that referenced
this issue
Mar 30, 2021
…0152 aka #1. Unsafe impls of Sync for both of these structs are removed, and Send bounds are introduced where necessary to allow Sync to be properly deduced instead. The unsafe impls were introduced due to an incorrect analysis of why Sync was not being auto-deduced as expected for these structs. The removed comment explains the original flawed analysis, which attributed it to the presence of a struct member of type PhantomData<EI>, under the assumption that the only "real" value of type EI in the struct is ultimately inside an IOMutex that should bless it with Sync-ness regardless if EI is itself Sync. In fact, Sync was not being deduced due to the absence of a *Send* bound on the type EI, which is required for Expander<EI> to be Send, which is required for IOMutex<Expander<EI>> to be *Sync*. The presence of the PhantomData<EI> member turns out to be entirely irrelevant. The bug could theoretically result in a data race if either type is used with an EI that is not safe to send between threads. This is a breaking change due to the addition of a trait bound in the public API.
|
This is fixed in 0.2.0. Additionally, the crate now no longer has any |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello fellow Rustacean,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.
Issue Description
max7301/src/expander/immediate.rs
Lines 23 to 28 in a2084de
max7301/src/expander/transactional.rs
Lines 65 to 70 in a2084de
ImmediateIOandTransactionIOimplementSyncforM: IOMutex<Expander<EI>>, EI: ExpanderInterface. This bound is seemingly unsound; it allows to send a reference ofImmediateIOorTransactionIOto another thread, and from there a mutable reference ofExpander<EI>can be accessed throughIOMutexAPIs. This could result in a thread-safety violation whenEIis a non-Send type.We suggest to add an
Expander<EI>: Sendbound (or an equivalentEI: Sendbound) to thoseSyncimplementations, following the stdlib Mutex's Sync implementation.The text was updated successfully, but these errors were encountered: