Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add advisory for Stack-buffer-overflow in xmas-elf #2235

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add advisory for Stack-buffer-overflow in xmas-elf #2235

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
59207d0
Create RUSTSEC-0000-0000.md
nyw0102 Mar 3, 2025
0c68acb
Merge branch 'rustsec:main' into main
nyw0102 Mar 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions crates/xmas-elf/RUSTSEC-0000-0000.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "xmas-elf"
date = "2025-03-03"
url = "https://github.com/nrc/xmas-elf/issues/86"
categories = ["memory-corruption"]

[affected]
functions = { "xmas_elf::hash::HashTable::get_bucket" = ["*"] }

[versions]
patched = []
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a release

```
# Stack-buffer-overflow in HashTable Struct
In this case, the "get_bucket" method within the HashTable struct uses the unsafe keyword to access memory with assert function protection.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs major copy editing. Suggestion:

A maliciously crafted ELF file can present an invalid SectionData HashTable that causes xmas-elf to access memory out of bounds. Absurd values of the bucket_count and chain_count fields can cause a pointer offset of up to 16GB to be read and used. If the actual ELF file is smaller than this offset, memory will be accessed out of bounds.

However, it is still vulnerable because "bucket_count" which stands for the size of hashtable and offset value of the hashtable can be manipulated by users.
When "bucket_count" is set bigger value than first_bucket's actual length, it can lead to invalid memory access which violates Rust’s memory safety guarantees.
Also, as hash.rs is public module, it can be used externally, which means that it is an actual vulnerability.