diff --git a/crates/spl-token-swap/RUSTSEC-0000-0000.md b/crates/spl-token-swap/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..7cbdaa097 --- /dev/null +++ b/crates/spl-token-swap/RUSTSEC-0000-0000.md @@ -0,0 +1,37 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "spl-token-swap" +date = "2023-09-28" +url = "https://github.com/solana-labs/solana-program-library/issues/5243" +categories = ["denial-of-service"] +keywords = ["alignment"] + +[versions] +patched = [] +``` + +# Multiple unsoundness issues in public function `instruction::unpack` +The safe function `instruction::unpack` is unsound and accessible to users. + +The safe function allows misaligned pointer dereference: +```rs +use spl_token_swap::instruction::unpack; + +fn main() { + let a: [u8; 3] = [3; 3]; + let up = unpack::(&a).unwrap(); + println!("{}", up); +} +``` +which will lead to panic. + +The function also allows breaking validity invariant, e.g., +```rs +fn main() { + let a: [u8; 3] = [3; 3]; + let up = unpack::(&a).unwrap(); + println!("{}", up); +} +``` +Miri will show that the value of boolean is invalid here.
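Review bot: In both `rs` samples the call is written `unpack::(&a)` with no type argument, so neither snippet compiles, and as written the two are identical apart from the missing `use spl_token_swap::instruction::unpack;` line in the second. The text says the first shows a misaligned dereference and the second an invalid boolean, so each turbofish should name the type that triggers that case, and the second sample should carry its own `use` line so it can be pasted and run under Miri on its own. On the metadata: the title and body describe unsoundness, but the header only has `categories = ["denial-of-service"]` and `keywords = ["alignment"]`, which covers the panic and not the validity-invariant violation. Consider adding `informational = "unsound"` and listing `spl_token_swap::instruction::unpack` under `[affected.functions]` so tooling can tell whether a dependent crate actually calls the affected function. With `patched = []`, a sentence telling users what to do in the meantime (for example, which input types are safe to pass) would make the advisory actionable.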