| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory for the standard library" |
| 4 | +author: The Rust Core Team |
| 5 | +--- |
| 6 | + |
| 7 | +This is a cross-post of the official security advisory published at https://groups.google.com/forum/#!topic/rustlang-security-announcements/aZabeCMUv70 |
| 8 | + |
| 9 | +That link contains a signed version with our PGP key, as well. |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +The Rust team was recently notified of a security vulnerability affecting |
| 14 | +manual implementations of `Error::type_id` and their interaction with the |
| 15 | +`Error::downcast` family of functions in the standard library. If your code |
| 16 | +does not manually implement `Error::type_id` your code is not affected. |
| 17 | + |
| 18 | +We are applying for a CVE for this vulnerability, but since there is no |
| 19 | +embargo, we have not filed for one yet. Once a CVE is assigned, we'll make a |
| 20 | +second post to make mention of the CVE number. |
| 21 | + |
| 22 | +## Overview |
| 23 | + |
| 24 | +The `Error::type_id` function in the standard library was stabilized in the |
| 25 | +1.34.0 release on 2019-04-11. This function allows acquiring the concrete |
| 26 | +`TypeId` for the underlying error type to downcast back to the original type. |
| 27 | +This function has a default implementation in the standard library, but it can |
| 28 | +also be overridden by downstream crates. For example, the following is |
| 29 | +currently allowed on Rust 1.34.0 and Rust 1.34.1: |
| 30 | + |
| 31 | +```rust |
| 32 | +struct MyType; |
| 33 | + |
| 34 | +impl Error for MyType { |
| 35 | + fn type_id(&self) -> TypeId { |
| 36 | + // Enable safe casting to `String` by accident. |
| 37 | + TypeId::of::<String>() |
| 38 | + } |
| 39 | +} |
| 40 | +``` |
| 41 | + |
| 42 | +When combined with the `Error::downcast*` family of methods this can enable |
| 43 | +safe casting of a type to the wrong type, causing security issues such as out |
| 44 | +of bounds reads/writes/etc. |
| 45 | + |
| 46 | +Prior to the 1.34.0 release this function was not stable and could not be |
| 47 | +either implemented or called in stable Rust. |
| 48 | + |
| 49 | +## Affected Versions |
| 50 | + |
| 51 | +The `Error::type_id` function was first stabilized in Rust 1.34.0, released on |
| 52 | +2019-04-11. The Rust 1.34.1 release, published 2019-04-25, is also affected. |
| 53 | +The `Error::type_id` function has been present, unstable, for all releases of |
| 54 | +Rust since 1.0.0 meaning code compiled with nightly may have been affected at |
| 55 | +any time. |
| 56 | + |
| 57 | +## Mitigations |
| 58 | + |
| 59 | +Immediate mitigation of this bug requires removing manual implementations of |
| 60 | +`Error::type_id`, instead inheriting the default implementation which is |
| 61 | +correct from a safety perspective. It is not the intention to have |
| 62 | +`Error::type_id` return `TypeId` instances for other types. |
| 63 | + |
| 64 | +For long term mitigation we are going to destabilize this function. This is |
| 65 | +unfortunately a breaking change for users calling `Error::type_id` and for |
| 66 | +users overriding `Error::type_id`. For users overriding it's likely memory |
| 67 | +unsafe, but users calling `Error::type_id` have only been able to do so on |
| 68 | +stable for a few weeks since the last 1.34.0 release, so it's thought that the |
| 69 | +impact will not be too great to overcome. |
| 70 | + |
| 71 | +We will be releasing a 1.34.2 point release on 2019-05-14 (tomorrow) which |
| 72 | +reverts [#58048][1] and destabilizes the `Error::type_id` function. The |
| 73 | +upcoming 1.35.0 release along with the beta/nightly channels will also all be |
| 74 | +updated with a destabilization. |
| 75 | + |
| 76 | +The final fate of the `Error::type_id` API isn't decided upon just yet and is |
| 77 | +the subject of [#60784][2]. No action beyond destabilization is currently |
| 78 | +planned so nightly code may continue to exhibit this issue. We hope to fully |
| 79 | +resolve this in the standard library soon. |
| 80 | + |
| 81 | +## Timeline of events |
| 82 | + |
| 83 | +* Thu, May 9, 2019 at 14:07 PM - Bug reported to [email protected] |
| 84 | +* Thu, May 9, 2019 at 15:10 PM - Alex reponds, confirming the bug |
| 85 | +* Fri, May 10, 2019 - Plan for mitigation developed and implemented |
| 86 | +* Mon, May 13, 2019 - PRs posted to GitHub for [stable][3]/[beta][4]/[master][5] branches |
| 87 | +* Mon, May 13, 2019 - Security list informed of this issue |
| 88 | +* (planned) Tue, May 14, 2019 - Rust 1.34.2 is released with a fix for this issue |
| 89 | + |
| 90 | +## Acknowledgements |
| 91 | + |
| 92 | +Thanks to Sean McArthur, who found this bug and reported it to us in accordance |
| 93 | +with our security policy https://www.rust-lang.org/policies/security. |
| 94 | + |
| 95 | +[1]: https://github.com/rust-lang/rust/pull/58048 |
| 96 | +[2]: https://github.com/rust-lang/rust/issues/60784 |
| 97 | +[3]: https://github.com/rust-lang/rust/pull/60785 |
| 98 | +[4]: https://github.com/rust-lang/rust/pull/60786 |
| 99 | +[5]: https://github.com/rust-lang/rust/pull/60787 |
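Review bot: the `rust` snippet in the Overview will not compile if copied verbatim, because `impl Error for MyType` requires `Debug` and `Display` impls for `MyType` and the snippet has no `use std::error::Error;` / `use std::any::TypeId;` lines; either add those or say in the preceding sentence that the snippet is abbreviated to the overridden method. In the Timeline, "Alex reponds" should read "Alex responds", and the two timestamps "14:07 PM" and "15:10 PM" mix a 24-hour clock with a PM suffix, so drop the suffix or write 2:07 PM / 3:10 PM. The same entry shows the report address as "[email protected]", which looks like a placeholder rather than the actual security mailbox; confirm the published address before this goes live. The Mitigations section tells users to remove manual implementations of `Error::type_id` but gives no way to find them; a one-line hint (search the crate and its dependencies for a `fn type_id` inside an `impl Error for` block) would make the immediate mitigation actionable.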