From 3a569e8fa6a87660d445a5a1a793946847358dd5 Mon Sep 17 00:00:00 2001
From: "Heinz N. Gies"
Date: Sun, 10 Nov 2024 16:02:00 +0100
Subject: [PATCH] Add advisory for soundness bug in simd-json-derive < 0.12 (#1802)
Signed-off-by: Heinz N. Gies
---
crates/simd-json-derive/RUSTSEC-0000-0000.md | 28 ++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 crates/simd-json-derive/RUSTSEC-0000-0000.md
diff --git a/crates/simd-json-derive/RUSTSEC-0000-0000.md b/crates/simd-json-derive/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..a0301b9723
--- /dev/null
+++ b/crates/simd-json-derive/RUSTSEC-0000-0000.md
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+
+id = "RUSTSEC-0000-0000"
+
+package = "simd-json-derive"
+
+date = "2023-10-14"
+
+
+url = "https://github.com/simd-lite/simd-json-derive/issues/67"
+
+informational = "unsound"
+
+categories = []
+
+# Freeform keywords which describe this vulnerability, similar to Cargo (optional)
+keywords = ["panic", "undefined behavior"]
+
+[versions]
+patched = [">= 0.12.0"]
+```
+
+# `MaybeUninit` misuse in `simd-json-derive`
+
+An invalid use of `MaybeUninit::uninit().assume_init()` in `simd-json-derive`'s derive macro can cause undefined behavior. The original code used `MaybeUninit` to avoid initialisation of the struct and then set the fields using `ptr::write`. The undefined behavior triggered by this misuse of `MaybeUninit` can lead to invlaid memory access and panics in binaries compiled in release mode (aka simd-json-derive prior to version 0.12 has UB and optimizes into some nonsense)
+
+The `0.12.0` removes this section of code, avoiding the use of MaybeUninit alltogether.
\ No newline at end of file