<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Thin-Vec - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/thin-vec/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/thin-vec/feed.xml" rel="self" type="application/rss+xml"/><item><title>thin-vec Double Free / Use-After-Free Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-thin-vec-double-free/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-thin-vec-double-free/</guid><description>A double free/use-after-free vulnerability exists in the `thin_vec` crate before version 0.2.16, specifically in the `IntoIter::drop` and `ThinVec::clear` implementations, which can be triggered via a panic during element deallocation, leading to memory corruption and potential arbitrary code execution.</description><content:encoded><![CDATA[<p>A double free/use-after-free vulnerability has been identified in the <code>thin_vec</code> crate, affecting versions prior to 0.2.16. The vulnerability resides in the <code>IntoIter::drop</code> and <code>ThinVec::clear</code> implementations. The root cause is a failure to properly handle panics during element deallocation, leading to a double free when the container is dropped again during stack unwinding. This vulnerability can be triggered using safe Rust code, without requiring <code>unsafe</code> blocks. Miri and AddressSanitizer (ASAN) have confirmed the undefined behavior. Exploitation can lead to memory corruption and, when combined with <code>Box&lt;dyn Trait&gt;</code> types, potentially arbitrary code execution through heap spray and vtable hijacking. Defenders should be aware of the risk associated with using vulnerable versions of the <code>thin_vec</code> crate.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application uses the <code>thin_vec</code> crate version prior to 0.2.16.</li>
<li>The application creates a <code>ThinVec</code> containing heap-owning types like <code>String</code>, <code>Vec</code>, or <code>Box</code>.</li>
<li>Either <code>into_iter()</code> is called, and the iterator is dropped before complete consumption, or <code>clear()</code> is directly invoked on the <code>ThinVec</code>.</li>
<li>During the deallocation of elements (either in <code>IntoIter::drop</code> or <code>ThinVec::clear</code>), the <code>Drop</code> implementation of one of the elements triggers a panic.</li>
<li>Due to the panic, the <code>set_len(0)</code> function is not executed, leaving the <code>ThinVec</code> with an incorrect length.</li>
<li>The <code>ThinVec</code> is dropped again during stack unwinding (in the <code>IntoIter::drop</code> case) or when it goes out of scope (in the <code>ThinVec::clear</code> case).</li>
<li>The already-freed memory is freed again, resulting in a double free or use-after-free.</li>
<li>If combined with <code>Box&lt;dyn Trait&gt;</code> types, an attacker might be able to reclaim the freed memory with a fake vtable via heap spraying, potentially leading to arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can lead to memory corruption and denial of service. If the freed memory is reclaimed by an attacker, it could lead to arbitrary code execution, especially when combined with <code>Box&lt;dyn Trait&gt;</code> types. The vulnerability affects all code using the <code>thin_vec</code> crate prior to version 0.2.16. Successful exploitation requires specific conditions to be met, including the presence of heap-owning types in the <code>ThinVec</code> and a panic occurring during the <code>Drop</code> implementation of an element.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>thin-vec</code> crate to version 0.2.16 or later to remediate the vulnerability (<a href="https://github.com/advisories/GHSA-xphw-cqx3-667j">https://github.com/advisories/GHSA-xphw-cqx3-667j</a>).</li>
<li>If upgrading is not immediately feasible, carefully review the <code>Drop</code> implementations of types stored in <code>ThinVec</code> to ensure they cannot panic.</li>
<li>Monitor application logs for unexpected panics during the deallocation of <code>ThinVec</code> elements.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>use-after-free</category><category>double-free</category><category>memory-corruption</category><category>rust</category><category>thin-vec</category></item></channel></rss>