GHSA-h6xm-c6r4-vmwf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h6xm-c6r4-vmwf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-h6xm-c6r4-vmwf/GHSA-h6xm-c6r4-vmwf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h6xm-c6r4-vmwf
- Published
- 2024-12-23T19:29:44Z
- Modified
- 2024-12-23T19:29:44Z
- Summary
- Unsound usages of `u8` type casting in spl-token-swap
- Details
-
The library provides a safe public API
unpackto castu8array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when castingu8pointer to a type aligned to larger bytes. For example, if we assignu16toT, misaligned raw pointer dereference could happen and cause to panic. Even if we pass the type aligned to same byte asu8(e.g.,bool), it could construct a illegal type sinceboolcan only have 0 or 1 as bit patterns, which is also an undefined behavior. The further exploits of the bug here are still not clear, so we would report this issue as unsound.The details of PoC to reproduce undefined behavior are provided in the issue.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-23T19:29:44Z" }- References
Affected packages
crates.io / spl-token-swap
Package
- Name
- spl-token-swap
- View open source insights on deps.dev
- Purl
- pkg:cargo/spl-token-swap