Add advisory for potential null pointer deref in futures-task

rustsec · Oct 31, 2020 · 8c7efa1 · 8c7efa1
1 parent 9cd2504
commit 8c7efa1
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/crates/futures-task/RUSTSEC-0000-0000.md b/crates/futures-task/RUSTSEC-0000-0000.md
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "futures-task"
+date = "2020-05-03"
+url = "https://github.com/rust-lang/futures-rs/issues/2091"
+categories = ["denial-of-service"]
+keywords = ["NULL pointer dereference", "memory-management"]
+[versions]
+patched = [">= 0.3.5"]
+[affected]
+functions = { "futures_task::noop_waker_ref" = [">= 0.3.0"] }
+```
+
+# futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer
+
+Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference,
+assuming that the reference would never be returned from another thread.
+
+This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to 
+it attempting to dereference a pointer that wasn't accesible from the main thread.
+
+Reproduction Example (from issue):
+```rust
+use futures_task::noop_waker_ref;
+fn main() {
+    let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap();
+    waker.wake_by_ref();
+}
+```
+
+The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage.