GHSA-9c9f-7x9p-4wqp: A malicious coder can get unsound access to TCell or TLCell memory

June 17, 2022

This is impossible to do by accident, but by carefully constructing marker types to be covariant, a malicious coder can cheat the singleton check in TCellOwner and TLCellOwner, giving unsound access to cell memory. This could take the form of getting two mutable references to the same memory, or a mutable reference and an immutable reference.

The fix is for the crate to internally force the marker type to be invariant. This blocks the conversion between covariant types which Rust normally allows.

References

github.com/advisories/GHSA-9c9f-7x9p-4wqp
github.com/uazu/qcell
github.com/uazu/qcell/issues/20
rustsec.org/advisories/RUSTSEC-2022-0007.html

Code Behaviors & Features

Detect and mitigate GHSA-9c9f-7x9p-4wqp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →