From eeb2443cdbe0eebb1c4db3ddd2c6819ccba5f046 Mon Sep 17 00:00:00 2001
From: Shihao Xia
Date: Thu, 27 Mar 2025 21:35:59 -0400
Subject: [PATCH 1/5] init
---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 crates/redox_uefi_std/RUSTSEC-0000-0000.md
diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..15300e402f
--- /dev/null
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -0,0 +1,47 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "redox_uefi_std"
+date = "2025-03-27"
+url = "https://gitlab.redox-os.org/redox-os/uefi/-/tree/master/crates/uefi_std"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["out-of-bounds read"]
+
 ```
+
 # Safe API can cause heap-buffer-overflow
+
+In redox_uefi_std's src/ffi.rs:
+```rust
+pub fn nstr(wstring: *const u16) -> String {
+ let mut string = String::new();
+
+ let mut i = 0;
+ loop {
+ let w = unsafe { *wstring.offset(i) };
+ i += 1;
+ if w == 0 {
+ break;
+ }
+ let c = unsafe { char::from_u32_unchecked(w as u32) };
+ string.push(c);
+ }
+
+ string
+}
+```
+
+Any non-zero ended array of type-mimatch(casted from u8 array) can easily cause heap buffer overflow
+```example
+fn main() {
+ let wstring:Vec = vec![0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x12];
+ let wstring_ptr = wstring.as_ptr() as *const u16;
+ let string = nstr(wstring_ptr);
+}
+```
+
+ASAN output
+```
+==1219432==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000014 at pc 0x55c4566796c2 bp 0x7ffc1f81e530 sp 0x7ffc1f81e528
+```
\ No newline at end of file
From 5fd50fa90a263a0d9ff3681e250e0b806c77ccf3 Mon Sep 17 00:00:00 2001
From: Shihao Xia
Date: Fri, 25 Apr 2025 15:19:48 -0400
Subject: [PATCH 2/5] fix linting issue
---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
index 15300e402f..f08d84c26b 100644
--- a/crates/redox_uefi_std/RUSTSEC-0000-0000.md
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -8,6 +8,10 @@ informational = "unsound"
 categories = ["memory-corruption"]
 keywords = ["out-of-bounds read"]
+[versions]
+patched = []
+unaffected = []
+
 ```
 # Safe API can cause heap-buffer-overflow
From bfa7a290c29a02252eae891f985d47ab4b4a611a Mon Sep 17 00:00:00 2001
From: Shihao Xia
Date: Tue, 6 May 2025 02:10:47 -0400
Subject: [PATCH 3/5] update affected function
---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 41 ++++------------------
 1 file changed, 6 insertions(+), 35 deletions(-)
diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
index f08d84c26b..0a896be3c4 100644
--- a/crates/redox_uefi_std/RUSTSEC-0000-0000.md
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -7,45 +7,16 @@ url = "https://gitlab.redox-os.org/redox-os/uefi/-/tree/master/crates/uefi_std"
 informational = "unsound"
 categories = ["memory-corruption"]
 keywords = ["out-of-bounds read"]
+url = "https://gitlab.redox-os.org/redox-os/uefi/-/commit/b711d47e815665b0ec8949e39292ad8e3fdd0756"
+
+[affected.functions]
+"redox_uefi_std::ffi::nstr" = [">= 0.1.8, < 0.1.14"]
 [versions]
-patched = []
-unaffected = []
+patched = [">= 0.1.14"]
+unaffected = ["< 0.1.8"]
 ```
 # Safe API can cause heap-buffer-overflow
-In redox_uefi_std's src/ffi.rs:
-```rust
-pub fn nstr(wstring: *const u16) -> String {
- let mut string = String::new();
-
- let mut i = 0;
- loop {
- let w = unsafe { *wstring.offset(i) };
- i += 1;
- if w == 0 {
- break;
- }
- let c = unsafe { char::from_u32_unchecked(w as u32) };
- string.push(c);
- }
-
- string
-}
-```
-
-Any non-zero ended array of type-mimatch(casted from u8 array) can easily cause heap buffer overflow
-```example
-fn main() {
- let wstring:Vec = vec![0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x12];
- let wstring_ptr = wstring.as_ptr() as *const u16;
- let string = nstr(wstring_ptr);
-}
-```
-
-ASAN output
-```
-==1219432==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000014 at pc 0x55c4566796c2 bp 0x7ffc1f81e530 sp 0x7ffc1f81e528
-```
\ No newline at end of file
From 935d64428600e4343b0327425d7a421123516781 Mon Sep 17 00:00:00 2001
From: Shihao Xia
Date: Tue, 6 May 2025 02:12:04 -0400
Subject: [PATCH 4/5] fix linting
---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
index 0a896be3c4..cde2b36457 100644
--- a/crates/redox_uefi_std/RUSTSEC-0000-0000.md
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -3,7 +3,6 @@ id = "RUSTSEC-0000-0000"
 package = "redox_uefi_std"
 date = "2025-03-27"
-url = "https://gitlab.redox-os.org/redox-os/uefi/-/tree/master/crates/uefi_std"
 informational = "unsound"
 categories = ["memory-corruption"]
 keywords = ["out-of-bounds read"]
From d1edb3468f651fe4b30946aeaf7b684585c6183f Mon Sep 17 00:00:00 2001
From: Shihao Xia
Date: Tue, 6 May 2025 10:52:10 -0400
Subject: [PATCH 5/5] add desc
---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
index cde2b36457..744e08fb19 100644
--- a/crates/redox_uefi_std/RUSTSEC-0000-0000.md
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -18,4 +18,4 @@ unaffected = ["< 0.1.8"]
 ```
 # Safe API can cause heap-buffer-overflow
-
+ffi::nstr() should be marked unsafe, since a pointer to a buffer without a trailing 0 value will cause a heap buffer overflow.
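Review bot: The description line added in the final hunk (patch 5) names only the missing 0 terminator, but the `nstr` body quoted in patch 1 and removed in patch 3 also calls `char::from_u32_unchecked(w as u32)` on every raw `u16`, so a correctly terminated buffer that contains a surrogate code unit (0xD800–0xDFFF) yields an invalid `char` from safe code as well. Since the advisory is the record downstream tooling and readers will rely on, the description should cover both conditions, e.g. `ffi::nstr() should be marked unsafe: it reads until a 0 value, so a buffer without a trailing 0 overruns the heap, and it converts each u16 with char::from_u32_unchecked, so a surrogate code unit produces an invalid char even in a terminated buffer.` With that second condition stated, the `keywords` entry could be reviewed for whether "out-of-bounds read" alone still describes the advisory.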