linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 * size_of::<usize>
because of metadata write operations. This vulnerability impacts all the initialization functions on the Heap
and LockedHeap
types, including Heap::new
, Heap::init
, Heap::init_from_slice
, and LockedHeap::new
. It also affects multiple uses of the Heap::extend
method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than 3 * size_of::<usize>
and that the Heap::extend
method is only called with sizes larger than 2 * size_of::<usize>()
. Also, ensure that the total heap size is (and stays) a multiple of 2 * size_of::<usize>()
.
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Linked-list-allocator | Rust-osdev | * | 0.10.2 (excluding) |
Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc. When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc.