Skip to content

Default functions in VolatileMemory trait lack bounds checks, potentially leading to out-of-bounds memory accesses

Low
roypat published GHSA-49hh-fprx-m68g Sep 1, 2023

Package

cargo vm-memory (Rust)

Affected versions

<0.12.2

Patched versions

0.12.2

Description

Impact

An issue was discovered in the default implementations of the VolatileMemory::{get_atomic_ref, aligned_as_ref, aligned_as_mut, get_ref, get_array_ref} trait functions, which allows out-of-bounds memory access if the VolatileMemory::get_slice function returns a VolatileSlice whose length is less than the function’s count argument. No implementations of get_slice provided in vm_memory are affected. Users of custom VolatileMemory implementations may be impacted if the custom implementation does not adhere to get_slice's documentation.

Patches

The issue started in version 0.1.0 but was fixed in version 0.12.2 by inserting a check that verifies that the VolatileSlice returned by get_slice is of the correct length.

Workarounds

Not Required

References

aff1dd4
https://crates.io/crates/vm-memory/0.12.2

Severity

Low

CVE ID

CVE-2023-41051

Weaknesses

No CWEs

Credits