cvelistv5 - cve-2022-36086

CVE-2022-36086 (GCVE-0-2022-36086)

Vulnerability from cvelistv5

Published

2022-09-07 22:50

Modified

2025-04-22 17:23

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-787 - Out-of-bounds Write

Summary

linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::<usize>` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::<usize>` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::<usize>()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::<usize>()`.

References

►

URL

Tags

security-advisories@github.com	https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j	Exploit, Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	rust-osdev	linked-list-allocator	Version: < 0.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:52:00.524Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36086",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:42:12.682877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:23:22.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "linked-list-allocator",
          "vendor": "rust-osdev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-07T22:50:09.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
        }
      ],
      "source": {
        "advisory": "GHSA-xg8p-34w2-j49j",
        "discovery": "UNKNOWN"
      },
      "title": "linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36086",
          "STATE": "PUBLIC",
          "TITLE": "linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "linked-list-allocator",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.10.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rust-osdev"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-787: Out-of-bounds Write"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j",
              "refsource": "CONFIRM",
              "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
            },
            {
              "name": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf",
              "refsource": "MISC",
              "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-xg8p-34w2-j49j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36086",
    "datePublished": "2022-09-07T22:50:09.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:23:22.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-36086\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-07T23:15:14.097\",\"lastModified\":\"2024-11-21T07:12:21.270\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.\"},{\"lang\":\"es\",\"value\":\"linked_list_allocator es un asignador usable en sistemas no_std. En versiones anteriores a 0.10.2, los m\u00e9todos de inicializaci\u00f3n de la pila carec\u00edan de una comprobaci\u00f3n del tama\u00f1o m\u00ednimo para el argumento del tama\u00f1o de la pila. Esto pod\u00eda conllevar a escrituras fuera de l\u00edmites cuando una pila es inicializada con un tama\u00f1o inferior a \\\"3 * size_of::(usize)\\\" debido a las operaciones de escritura de metadatos. Esta vulnerabilidad afecta a todas las funciones de inicializaci\u00f3n de los tipos \\\"Heap\\\" y \\\"LockedHeap\\\", incluyendo \\\"Heap::new\\\", \\\"Heap::init\\\", \\\"Heap::init_from_slice\\\", y \\\"LockedHeap::new\\\". Tambi\u00e9n afecta a m\u00faltiples usos del m\u00e9todo \\\"Heap::extend\\\". La versi\u00f3n 0.10.2 contiene un parche para este problema. Como mitigaci\u00f3n, aseg\u00farese de que la pila s\u00f3lo es inicializada con un tama\u00f1o superior a \\\"3 * size_of::(usize)\\\" y que el m\u00e9todo \\\"Heap::extend\\\" s\u00f3lo es llamado con tama\u00f1os superiores a \\\"2 * size_of::(usize)()\\\". Adem\u00e1s, aseg\u00farese de que el tama\u00f1o total de la pila es (y es mantenido) un m\u00faltiplo de \\\"2 * size_of::(usize)()\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"},{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rust-osdev:linked-list-allocator:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"0.10.2\",\"matchCriteriaId\":\"D1EB783F-18F3-471C-8006-9949D06163C3\"}]}]}],\"references\":[{\"url\":\"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:52:00.524Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-36086\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:42:12.682877Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:42:14.417Z\"}}], \"cna\": {\"title\": \"linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`\", \"source\": {\"advisory\": \"GHSA-xg8p-34w2-j49j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"rust-osdev\", \"product\": \"linked-list-allocator\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-119\", \"description\": \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-09-07T22:50:09.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-xg8p-34w2-j49j\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 0.10.2\"}]}, \"product_name\": \"linked-list-allocator\"}]}, \"vendor_name\": \"rust-osdev\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\", \"name\": \"https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\", \"name\": \"https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\"}]}, {\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-787: Out-of-bounds Write\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-36086\", \"STATE\": \"PUBLIC\", \"TITLE\": \"linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-36086\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T17:23:22.210Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-07T22:50:09.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

opensuse-su-2024:12469-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

cargo-audit-advisory-db-20221102-1.1 on GA media

Notes

Title of the patch

cargo-audit-advisory-db-20221102-1.1 on GA media

Description of the patch

These are all security issues fixed in the cargo-audit-advisory-db-20221102-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-12469

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cargo-audit-advisory-db-20221102-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cargo-audit-advisory-db-20221102-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12469",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12469-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-3602 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-3602/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-36086 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-36086/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-3786 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-3786/"
      }
    ],
    "title": "cargo-audit-advisory-db-20221102-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12469-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20221102-1.1.aarch64",
                "product": {
                  "name": "cargo-audit-advisory-db-20221102-1.1.aarch64",
                  "product_id": "cargo-audit-advisory-db-20221102-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20221102-1.1.ppc64le",
                "product": {
                  "name": "cargo-audit-advisory-db-20221102-1.1.ppc64le",
                  "product_id": "cargo-audit-advisory-db-20221102-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20221102-1.1.s390x",
                "product": {
                  "name": "cargo-audit-advisory-db-20221102-1.1.s390x",
                  "product_id": "cargo-audit-advisory-db-20221102-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20221102-1.1.x86_64",
                "product": {
                  "name": "cargo-audit-advisory-db-20221102-1.1.x86_64",
                  "product_id": "cargo-audit-advisory-db-20221102-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20221102-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64"
        },
        "product_reference": "cargo-audit-advisory-db-20221102-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20221102-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le"
        },
        "product_reference": "cargo-audit-advisory-db-20221102-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20221102-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x"
        },
        "product_reference": "cargo-audit-advisory-db-20221102-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20221102-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
        },
        "product_reference": "cargo-audit-advisory-db-20221102-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-3602",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-3602"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-3602",
          "url": "https://www.suse.com/security/cve/CVE-2022-3602"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1204714 for CVE-2022-3602",
          "url": "https://bugzilla.suse.com/1204714"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-3602"
    },
    {
      "cve": "CVE-2022-36086",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-36086"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-36086",
          "url": "https://www.suse.com/security/cve/CVE-2022-36086"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-36086"
    },
    {
      "cve": "CVE-2022-3786",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-3786"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.\u0027 character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\n\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-3786",
          "url": "https://www.suse.com/security/cve/CVE-2022-3786"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1204714 for CVE-2022-3786",
          "url": "https://bugzilla.suse.com/1204714"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20221102-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-3786"
    }
  ]
}

gsd-2022-36086

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-36086

Aliases

CVE-2022-36086

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-36086",
    "description": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.",
    "id": "GSD-2022-36086",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-36086.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-36086"
      ],
      "details": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.",
      "id": "GSD-2022-36086",
      "modified": "2023-12-13T01:19:21.753245Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-36086",
        "STATE": "PUBLIC",
        "TITLE": "linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "linked-list-allocator",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.10.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "rust-osdev"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-787: Out-of-bounds Write"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j",
            "refsource": "CONFIRM",
            "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
          },
          {
            "name": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf",
            "refsource": "MISC",
            "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xg8p-34w2-j49j",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rust-osdev:linked-list-allocator:*:*:*:*:*:rust:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.10.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36086"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-1284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
            },
            {
              "name": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-07-21T19:23Z",
      "publishedDate": "2022-09-07T23:15Z"
    }
  }
}

fkie_cve-2022-36086

Vulnerability from fkie_nvd

Published

2022-09-07 23:15

Modified

2024-11-21 07:12

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j	Exploit, Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	rust-osdev	linked-list-allocator	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rust-osdev:linked-list-allocator:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "D1EB783F-18F3-471C-8006-9949D06163C3",
              "versionEndExcluding": "0.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`."
    },
    {
      "lang": "es",
      "value": "linked_list_allocator es un asignador usable en sistemas no_std. En versiones anteriores a 0.10.2, los m\u00e9todos de inicializaci\u00f3n de la pila carec\u00edan de una comprobaci\u00f3n del tama\u00f1o m\u00ednimo para el argumento del tama\u00f1o de la pila. Esto pod\u00eda conllevar a escrituras fuera de l\u00edmites cuando una pila es inicializada con un tama\u00f1o inferior a \"3 * size_of::(usize)\" debido a las operaciones de escritura de metadatos. Esta vulnerabilidad afecta a todas las funciones de inicializaci\u00f3n de los tipos \"Heap\" y \"LockedHeap\", incluyendo \"Heap::new\", \"Heap::init\", \"Heap::init_from_slice\", y \"LockedHeap::new\". Tambi\u00e9n afecta a m\u00faltiples usos del m\u00e9todo \"Heap::extend\". La versi\u00f3n 0.10.2 contiene un parche para este problema. Como mitigaci\u00f3n, aseg\u00farese de que la pila s\u00f3lo es inicializada con un tama\u00f1o superior a \"3 * size_of::(usize)\" y que el m\u00e9todo \"Heap::extend\" s\u00f3lo es llamado con tama\u00f1os superiores a \"2 * size_of::(usize)()\". Adem\u00e1s, aseg\u00farese de que el tama\u00f1o total de la pila es (y es mantenido) un m\u00faltiplo de \"2 * size_of::(usize)()\""
    }
  ],
  "id": "CVE-2022-36086",
  "lastModified": "2024-11-21T07:12:21.270",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-07T23:15:14.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        },
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-xg8p-34w2-j49j

Vulnerability from github

Published

2022-09-16 17:41

Modified

2022-09-16 17:41

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`

Details

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability impacts all the initialization functions on the Heap and LockedHeap types, including Heap::new, Heap::init, Heap::init_from_slice, and LockedHeap::new. It also affects multiple uses of the Heap::extend method.

Initialization Functions

The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 * size_of::<usize> because of metadata write operations.

`Heap::extend`

This vulnerability impacts three specific uses of the Heap::extend method:

When calling Heap::extend with a size smaller than two usizes (e.g., 16 on x86_64), the size was erroneously rounded up to the minimum size, which could result in an out-of-bounds write.
Calling Heap::extend on an empty heap tried to construct a heap starting at address 0, which is also an out-of-bounds write.
One specific way to trigger this accidentally is to call Heap::new (or a similar constructor) with a heap size that is smaller than two usizes. This was treated as an empty heap as well.
Calling Heap::extend on a heap whose size is not a multiple of the size of two usizes resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).

Patches

Has the problem been patched? What versions should users upgrade to?

We published a patch in version 0.10.2 and recommend all users to upgrade to it. This patch release includes the following changes:

The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between 2 * size_of::<usize> and 3 * size_of::<usize>.
The extend method now panics when trying to extend an unitialized heap.
Extend calls with a size smaller than size_of::<usize>() * 2 are now buffered internally and not added to the list directly. The buffered region will be merged with future extend calls.
The size() method now returns the usable size of the heap, which might be slightly smaller than the top() - bottom() difference because of alignment constraints.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To avoid this issue, ensure that the heap is only initialized with a size larger than 3 * size_of::<usize> and that the Heap::extend method is only called with sizes larger than 2 * size_of::<usize>(). Also, ensure that the total heap size is (and stays) a multiple of 2 * size_of::<usize>().

For more information

If you have any questions or comments about this advisory: * Open an issue in this repository * Email @phil-opp at security@phil-opp.com

Acknowledgements

This issue was responsibly reported by Evan Richter at ForAllSecure and found with Mayhem and cargo fuzz.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.10.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "linked_list_allocator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-1284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:41:33Z",
    "nvd_published_at": "2022-09-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method.\n\n### Initialization Functions\n\nThe heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to **_out-of-bound writes_** when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations.\n\n### `Heap::extend`\n\nThis vulnerability impacts three specific uses of the `Heap::extend` method:\n\n- When calling `Heap::extend` with a size smaller than two `usize`s (e.g., 16 on `x86_64`), the size was erroneously rounded up to the minimum size, which could result in an **_out-of-bounds write_**.\n- Calling `Heap::extend` on an empty heap tried to construct a heap starting at address 0, which is also an **_out-of-bounds write_**.\n  - One specific way to trigger this accidentally is to call `Heap::new` (or a similar constructor) with a heap size that is smaller than two `usize`s. This was treated as an empty heap as well.\n- Calling `Heap::extend` on a heap whose size is not a multiple of the size of two `usize`s resulted in _unaligned writes_. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).\n\n## Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nWe published a patch in version `0.10.2` and recommend all users to upgrade to it. This patch release includes the following changes:\n\n- The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between `2 * size_of::\u003cusize\u003e` and `3 * size_of::\u003cusize\u003e`.\n- The `extend` method now panics when trying to extend an unitialized heap.\n- Extend calls with a size smaller than `size_of::\u003cusize\u003e() * 2` are now buffered internally and not added to the list directly. The buffered region will be merged with future `extend` calls.\n- The `size()` method now returns the _usable_ size of the heap, which might be slightly smaller than the `top() - bottom()` difference because of alignment constraints.\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nTo avoid this issue, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in this repository\n* Email @phil-opp at [security@phil-opp.com](mailto:security@phil-opp.com)\n\n## Acknowledgements\n\nThis issue was responsibly reported by Evan Richter at ForAllSecure and found with [Mayhem](https://forallsecure.com/mayhem-for-code) and [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz).",
  "id": "GHSA-xg8p-34w2-j49j",
  "modified": "2022-09-16T17:41:33Z",
  "published": "2022-09-16T17:41:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xg8p-34w2-j49j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rust-osdev/linked-list-allocator"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0063.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-36086 (GCVE-0-2022-36086)

Vulnerability from cvelistv5

opensuse-su-2024:12469-1

Vulnerability from csaf_opensuse

gsd-2022-36086

Vulnerability from gsd

fkie_cve-2022-36086

Vulnerability from fkie_nvd

ghsa-xg8p-34w2-j49j

Vulnerability from github

Impact

Initialization Functions

Heap::extend

Patches

Workarounds

For more information

Acknowledgements

Tags

Sightings

Nomenclature

`Heap::extend`