Skip to content

Use after free in core::iter::repeat_n #130140

New issue
New issue
Closed
#130145
Closed
Use after free in core::iter::repeat_n#130140
#130145

Description

@jwong101

jwong101
openedon Sep 9, 2024

core::iter::repeat_n currently unconditionally derives Clone. However,
it will also drop its inner object if n is 0, which can cause a UAF if it's cloned afterwards.

use std::rc::Rc;
fn main() {
    let mut c = [0; 100];
    let x = std::iter::repeat_n(Rc::new(0), 0);
    let y = Box::new(&mut c);
    for _ in 0..100 {
        _ = x.clone();
    }
    y.fill(0);
}

Running the above program segfaults:

Exited with signal 11 (SIGSEGV): segmentation violation
Standard Error
   Compiling playground v0.0.1 (/playground)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.42s
     Running `target/debug/playground`

Edit: Made the segfault quicker/more reliable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

A-iteratorsArea: IteratorsC-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-criticalCritical priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions