Skip to content

Commit

Permalink
add unsound issue in spl-token-swap
Browse files Browse the repository at this point in the history
  • Loading branch information
shinmao committed Sep 28, 2023
1 parent 583c9ab commit 11f2770
Showing 1 changed file with 37 additions and 0 deletions.
37 changes: 37 additions & 0 deletions crates/spl-token-swap/RUSTSEC-0000-0000.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "spl-token-swap"
date = "2023-09-28"
url = "https://github.com/solana-labs/solana-program-library/issues/5243"
categories = ["denial-of-service"]
keywords = ["alignment"]

[versions]
patched = []
```

# Multiple unsoundness issues in public function `instruction::unpack`
The safe function `instruction::unpack` is unsound and accessible to users.

The safe function allows misaligned pointer dereference:
```rs
use spl_token_swap::instruction::unpack;

fn main() {
let a: [u8; 3] = [3; 3];
let up = unpack::<u16>(&a).unwrap();
println!("{}", up);
}
```
which will lead to panic.

The function also allows breaking validity invariant, e.g.,
```rs
fn main() {
let a: [u8; 3] = [3; 3];
let up = unpack::<bool>(&a).unwrap();
println!("{}", up);
}
```
Miri will show that the value of boolean is invalid here.

0 comments on commit 11f2770

Please sign in to comment.