[stable] std: Check for overflow in str::repeat
#54397
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit fixes a buffer overflow issue in the standard library discovered by Scott McMurray where if a large number was passed to `str::repeat` it may cause and out of bounds write to the buffer of a `Vec`. This bug was accidentally introduced in rust-lang#48657 when optimizing the `str::repeat` function. The bug affects stable Rust releases 1.26.0 to 1.29.0. We plan on backporting this fix to create a 1.29.1 release, and the 1.30.0 release onwards will include this fix. The fix in this commit is to introduce a deterministic panic in the case of capacity overflow. When repeating a slice where the resulting length is larger than the address space, there’s no way it can succeed anyway! The standard library and surrounding libraries were briefly checked to see if there were othere instances of preallocating a vector with a calculation that may overflow. No instances of this bug (out of bounds write due to a calculation overflow) were found at this time. Note that this commit is the first steps towards fixing this issue, we'll be making a formal post to the Rust security list once these commits have been merged.
This was referenced Sep 20, 2018
|
@bors: r+ |
|
📌 Commit 1b94b84 has been approved by |
bors
added
the
S-waiting-on-bors
bors
added a commit
that referenced
this pull request
Sep 20, 2018
[stable] std: Check for overflow in `str::repeat` This commit fixes a buffer overflow issue in the standard library discovered by Scott McMurray where if a large number was passed to `str::repeat` it may cause and out of bounds write to the buffer of a `Vec`. This bug was accidentally introduced in #48657 when optimizing the `str::repeat` function. The bug affects stable Rust releases 1.26.0 to 1.29.0. We plan on backporting this fix to create a 1.29.1 release, and the 1.30.0 release onwards will include this fix. The fix in this commit is to introduce a deterministic panic in the case of capacity overflow. When repeating a slice where the resulting length is larger than the address space, there’s no way it can succeed anyway! The standard library and surrounding libraries were briefly checked to see if there were othere instances of preallocating a vector with a calculation that may overflow. No instances of this bug (out of bounds write due to a calculation overflow) were found at this time. Note that this commit is the first steps towards fixing this issue, we'll be making a formal post to the Rust security list once these commits have been merged.
|
☀️ Test successful - status-appveyor, status-travis |
alexcrichton
added a commit
to alexcrichton/rust
that referenced
this pull request
Sep 25, 2018
Forward-port of rust-lang#54397, should have included it earlier!
alexcrichton
added a commit
to alexcrichton/rust
that referenced
this pull request
Sep 25, 2018
Forward-port of rust-lang#54397, should have included it earlier!
bors
added a commit
that referenced
this pull request
Sep 27, 2018
[beta] Add 1.29.1 release nodes Forward-port of #54397, should have included it earlier!
kennytm
added a commit
to kennytm/rust
that referenced
this pull request
Sep 27, 2018
Add 1.29.1 release notes Forward-port of rust-lang#54397, should have included it earlier!
kennytm
added a commit
to kennytm/rust
that referenced
this pull request
Sep 29, 2018
Add 1.29.1 release notes Forward-port of rust-lang#54397, should have included it earlier!
This was referenced Jun 22, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes a buffer overflow issue in the standard library
discovered by Scott McMurray where if a large number was passed to
str::repeatit may cause and out of bounds write to the buffer of aVec.This bug was accidentally introduced in #48657 when optimizing the
str::repeatfunction. The bug affects stable Rust releases 1.26.0 to1.29.0. We plan on backporting this fix to create a 1.29.1 release, and
the 1.30.0 release onwards will include this fix.
The fix in this commit is to introduce a deterministic panic in the case of
capacity overflow. When repeating a slice where the resulting length is larger
than the address space, there’s no way it can succeed anyway!
The standard library and surrounding libraries were briefly checked to see if
there were othere instances of preallocating a vector with a calculation that
may overflow. No instances of this bug (out of bounds write due to a calculation
overflow) were found at this time.
Note that this commit is the first steps towards fixing this issue,
we'll be making a formal post to the Rust security list once these
commits have been merged.