Memory Corruption Affecting mopa package, versions *


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.22% (61st percentile)

  • Snyk ID: SNYK-RUST-MOPA-1569885
  • published: 26 Aug 2021
  • disclosed: 1 Jun 2021
  • credit: Unknown

Introduced: 1 Jun 2021

CVE-2021-45695
CWE-119

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

mopa is a macro to implement all the Any methods on your own trait.

Affected versions of this package are vulnerable to Memory Corruption. The mopa crate redefines the deprecated TraitObject struct from core::raw like so:

#[repr(C)]
#[derive(Copy, Clone)]
#[doc(hidden)]
pub struct TraitObject {
    pub data: *mut (),
    pub vtable: *mut (),
}

This is done so that a reference to a trait object (&dyn Trait for any trait Trait) can be transmuted into this struct and its data field retrieved for the purpose of downcasting. This is used to implement downcast_ref_unchecked(), in terms of which downcast_ref() is also implemented. The same approach is used for mutable-reference downcasting and Box downcasting.

The Rust compiler explicitly reserves the right to change the memory layout of &dyn Trait for any trait Trait. The worst case scenario is that it swaps data and vtable: reads of data would then read vtable instead, leaking the address of executable code and thereby compromising ASLR. Likewise, arbitrary code execution is also theoretically possible if the compiler-generated reads of vtable read data instead.

While, as of Rust 1.52, this unsound assumption still holds true, updating the compiler may silently introduce undefined behaviour into a crate which previously compiled and ran without issues, compromising the security of builds which are believed to be reproducible.

A potential strategy to resolve this has already been suggested in an issue on the GitHub repository of the crate.
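The following is an added example, not code from the mopa crate or from the issue referenced above. It shows, on a hypothetical Shape trait, the two halves of the problem described in the overview: a canary that performs the same transmute mopa does and reports whether the data-first layout assumption still holds under the compiler in use, and a downcast_ref() that never depends on that layout, because casting a fat *const dyn Shape to a thin *const T is defined by the language to keep the data address and discard the vtable metadata. The TypeId check goes through the Any supertrait so that the concrete type, not the reference type, is compared.

```rust
use std::any::{Any, TypeId};
use std::mem;

// Hypothetical user trait (assumption for this example). `Any` as a supertrait
// makes the concrete type's TypeId reachable through the vtable.
pub trait Shape: Any {
    fn area(&self) -> f64;
}

pub struct Square(pub f64);
impl Shape for Square {
    fn area(&self) -> f64 {
        self.0 * self.0
    }
}

pub struct Circle(pub f64);
impl Shape for Circle {
    fn area(&self) -> f64 {
        3.14159 * self.0 * self.0
    }
}

// Mirror of the struct the advisory describes: two pointers whose order the
// compiler does not guarantee for `&dyn Trait`.
#[repr(C)]
#[derive(Copy, Clone)]
#[allow(dead_code)]
struct TraitObject {
    data: *mut (),
    vtable: *mut (),
}

/// Canary a crate relying on the layout could run in its test suite: transmute
/// exactly as mopa does, then compare the supposed `data` field against the
/// data address obtained by a language-defined fat-to-thin pointer cast.
/// Nothing is dereferenced, so a mismatch is reported rather than acted upon.
pub fn layout_assumption_holds(obj: &dyn Shape) -> bool {
    // Unsound in general (this is the assumption the advisory is about); kept
    // here only to detect a compiler that no longer matches it.
    let raw: TraitObject = unsafe { mem::transmute(obj) };
    raw.data as *const () == obj as *const dyn Shape as *const ()
}

/// Does the trait object hold a `T`? Fully qualified so the TypeId is read
/// through the vtable of the concrete type rather than taken from `&dyn Shape`.
pub fn is<T: Shape>(obj: &dyn Shape) -> bool {
    Any::type_id(obj) == TypeId::of::<T>()
}

/// Layout-independent downcast: the same operation mopa implements via
/// `TraitObject`, written with a pointer cast that keeps the data address and
/// drops the vtable regardless of how the compiler lays out the fat pointer.
pub fn downcast_ref<T: Shape>(obj: &dyn Shape) -> Option<&T> {
    if is::<T>(obj) {
        let thin = obj as *const dyn Shape as *const T;
        // SAFETY: the TypeId check above proves the pointee really is a `T`,
        // and `thin` points at the same data the fat reference did.
        Some(unsafe { &*thin })
    } else {
        None
    }
}

fn main() {
    let shapes: Vec<Box<dyn Shape>> = vec![Box::new(Square(2.0)), Box::new(Circle(1.0))];
    for s in &shapes {
        match downcast_ref::<Square>(s.as_ref()) {
            Some(sq) => println!("square with side {} has area {}", sq.0, sq.area()),
            None => println!("not a square; area {}", s.area()),
        }
        println!("data-first layout assumption holds: {}", layout_assumption_holds(s.as_ref()));
    }
}
```

The canary is what a maintainer would add to CI to turn the silent undefined behaviour the overview warns about into a failing test, while downcast_ref() is the shape of a fix that removes the dependency on the layout altogether.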

CVSS Scores (version 3.1)