Unsoundness in nalgebra's serde Deserialize implementation #880
Comments
(cough https://rust-lang.github.io/rust-clippy/master/index.html#unsafe_derive_deserialize should probably not be an allow-by-default lint cough)

@thomcc: was not aware of this lint! It's great that it's implemented, but, as you say, if it's not linted by default then many people are likely to be unaware of its existence...
This source of unsoundness should have been resolved in I don't know whether to close the issue or not, since it still affects older versions. I'm not sure exactly how issues here are supposed to be used. (I suppose ideally there'd be a proper advisory, but I have no experience with them and I am still unable to devote the time to look into it.)

@austinhartzheim: that's awesome, thanks! I think with this I can close this issue.
We recently discovered a soundness issue related to the `Deserialize` implementation of `nalgebra::VecStorage`, which is the backing storage for any dynamically sized matrix/vector. `nalgebra` relies on a certain invariant so that it's sound to avoid some bounds checks in unsafe code. This is at the very least a soundness issue, but I believe it is possible for a malicious attacker to exploit this if an application is using `serde` to deserialize matrices/vectors from an untrusted source (for example, one can imagine a game or application using `serde` serialization over the network). By manipulating the input it is possible to induce unsound out-of-bounds reads and writes. As far as I know, this would apply to a wide range of `nalgebra` versions going back a long time.

Unfortunately I'm strapped for time and not able to file a formal advisory. I hope nonetheless that this issue is useful and adheres to the spirit of this project.
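As an added illustration (not nalgebra's code and not part of the issue), the following models the defensive shape the report asks for: a dynamically sized column-major storage whose deserialization path must route through a validating constructor rather than populate fields directly. The invariant assumed here is that `data.len() == nrows * ncols`; the `MatStorage` type, the `ShapeError` variants and the `"nrows,ncols;v0,v1,..."` wire format are constructed stand-ins for the serde payload.

```rust
/// Constructed stand-in for a VecStorage-like struct (assumed invariant:
/// data.len() == nrows * ncols, stored column-major).
#[derive(Debug, PartialEq)]
pub struct MatStorage {
    nrows: usize,
    ncols: usize,
    data: Vec<f64>,
}

#[derive(Debug, PartialEq)]
pub enum ShapeError {
    Malformed,
    Overflow,
    LengthMismatch { expected: usize, actual: usize },
}

impl MatStorage {
    /// Validating constructor: the single place where the shape invariant is
    /// established. A Deserialize impl should call this instead of filling the
    /// fields from untrusted input, so later unchecked indexing stays sound.
    pub fn try_new(nrows: usize, ncols: usize, data: Vec<f64>) -> Result<Self, ShapeError> {
        let expected = nrows.checked_mul(ncols).ok_or(ShapeError::Overflow)?;
        if data.len() != expected {
            return Err(ShapeError::LengthMismatch { expected, actual: data.len() });
        }
        Ok(Self { nrows, ncols, data })
    }

    /// Column-major element access; the index is in range whenever the
    /// constructor's invariant holds and (i, j) lies inside the declared shape.
    pub fn get(&self, i: usize, j: usize) -> Option<f64> {
        if i >= self.nrows || j >= self.ncols {
            return None;
        }
        Some(self.data[j * self.nrows + i])
    }
}

/// Parse the constructed wire format "nrows,ncols;v0,v1,..." (a stand-in for the
/// serde payload) and hand the pieces to the validating constructor.
pub fn parse_untrusted(input: &str) -> Result<MatStorage, ShapeError> {
    let (shape, values) = input.split_once(';').ok_or(ShapeError::Malformed)?;
    let (r, c) = shape.split_once(',').ok_or(ShapeError::Malformed)?;
    let nrows: usize = r.trim().parse().map_err(|_| ShapeError::Malformed)?;
    let ncols: usize = c.trim().parse().map_err(|_| ShapeError::Malformed)?;
    let data = values
        .split(',')
        .filter(|s| !s.trim().is_empty())
        .map(|s| s.trim().parse::<f64>().map_err(|_| ShapeError::Malformed))
        .collect::<Result<Vec<_>, _>>()?;
    MatStorage::try_new(nrows, ncols, data)
}
```

A declared shape that disagrees with the payload length (the condition the report describes) is rejected as `LengthMismatch` before any storage is built, and a shape whose product overflows `usize` is rejected as `Overflow`.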