Skip to content

Zip may call __iterator_get_unchecked twice with the same index #82291

New issue
New issue
Closed
#82292
Closed
Zip may call __iterator_get_unchecked twice with the same index#82291
#82292

Description

@SkiFire13

SkiFire13
openedon Feb 19, 2021

Here __iterator_get_unchecked is called for potential side effects until self.index == self.a.size(), ignoring however that it could have already been called in next_back with those indexes.

rust/library/core/src/iter/adapters/zip.rs

Lines 200 to 208 in 0148b97

} else if A::may_have_side_effect() && self.index < self.a.size() {
let i = self.index;
self.index += 1;
// match the base implementation's potential side effects
// SAFETY: we just checked that `i` < `self.a.len()`
unsafe {
self.a.__iterator_get_unchecked(i);
}
None

Playground link that demonstrates how this can be exploited to get two mutable references to the same data and cause an use-after-free bug.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-criticalCritical priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions