VYPR
Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35913

Description

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of RwLockReadGuard unsoundness.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A data race vulnerability in the lock_api Rust crate before 0.4.2 due to unsound RwLockReadGuard Send/Sync implementations can lead to memory corruption and undefined behavior.

Vulnerability

The lock_api crate provides synchronization primitives like RwLock. Versions before 0.4.2 contain an unsoundness issue in the RwLockReadGuard type, where the Send and Sync trait implementations are incorrectly bounded. This can cause a data race when the guard is used across threads without proper synchronization [2].

Exploitation

The unsoundness stems from the fact that the guard can be sent or shared across threads even when the protected data type does not satisfy the necessary thread-safety requirements. The pull request fixing the issue clarifies that T: Send is required for MutexGuard: Send, but for RwLockReadGuard, both T: Send and T: Sync are needed to guarantee safety [4]. An attacker may exploit this by placing a type that is not Send or not Sync inside an RwLock and then moving or sharing its guard across threads, causing data races and undefined behavior from safe code.

Impact

A data race can lead to memory corruption, inconsistent state, and other undefined behavior. This vulnerability is classified as unsound and can compromise the memory safety guarantees of Rust programs using the affected versions [2].

Mitigation

The issue was addressed in lock_api version 0.4.2. Users should update to this version or later. The fix was implemented in pull request #262, which corrects the auto-trait bounds for lock guards [4]. No workaround is available other than avoiding the affected locking primitives.
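The guard-bound rule described under Exploitation and Mitigation, as an added example (not lock_api's own code; MiniRwLock, ReadGuard and the helper names are hypothetical): a minimal read guard whose Send and Sync impls are conditioned on the protected type, a compile-time bound check, and a read through one shared guard from two scoped threads.

```rust
use std::cell::UnsafeCell;
use std::ops::Deref;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Hypothetical read-only lock (no write side): a reader count plus the value.
pub struct MiniRwLock<T: ?Sized> { readers: AtomicUsize, data: UnsafeCell<T> }
unsafe impl<T: ?Sized + Send + Sync> Sync for MiniRwLock<T> {} // as std's RwLock

/// Read guard: holds the lock for its lifetime and derefs to &T.
pub struct ReadGuard<'a, T: ?Sized> { lock: &'a MiniRwLock<T> }
// Moving or sharing the guard hands another thread a &T, so both impls must be
// conditional on T (the bounds the advisory names). Unconditional impls are the
// unsoundness: a guard over a !Sync payload could be shared from safe code.
unsafe impl<'a, T: ?Sized + Send + Sync> Send for ReadGuard<'a, T> {}
unsafe impl<'a, T: ?Sized + Sync> Sync for ReadGuard<'a, T> {}

impl<T> MiniRwLock<T> {
    pub fn new(value: T) -> Self {
        MiniRwLock { readers: AtomicUsize::new(0), data: UnsafeCell::new(value) }
    }
    pub fn read(&self) -> ReadGuard<'_, T> {
        self.readers.fetch_add(1, Ordering::Acquire);
        ReadGuard { lock: self }
    }
    pub fn reader_count(&self) -> usize { self.readers.load(Ordering::Acquire) }
}
impl<T: ?Sized> Deref for ReadGuard<'_, T> {
    type Target = T;
    // SAFETY: no writer can exist (none is implemented), so shared reads are fine.
    fn deref(&self) -> &T { unsafe { &*self.lock.data.get() } }
}
impl<T: ?Sized> Drop for ReadGuard<'_, T> {
    fn drop(&mut self) { self.lock.readers.fetch_sub(1, Ordering::Release); }
}
/// Compile-time checks; passing a guard over Cell<u32> to either is rejected by rustc.
pub fn assert_send<G: Send>(_: &G) {}
pub fn assert_sync<G: Sync>(_: &G) {}
/// One guard over a Sync payload, read concurrently by two scoped threads.
pub fn sum_via_shared_guard(values: Vec<u64>) -> u64 {
    let lock = MiniRwLock::new(values);
    let guard = lock.read();
    assert_send(&guard);
    assert_sync(&guard); // Vec<u64>: Send + Sync, so both bounds hold
    std::thread::scope(|s| {
        let g = &guard;
        let even = s.spawn(move || g.iter().step_by(2).sum::<u64>());
        let odd = s.spawn(move || g.iter().skip(1).step_by(2).sum::<u64>());
        even.join().unwrap() + odd.join().unwrap()
    })
}
```

With the bounds in place, swapping `Vec<u64>` for a `Cell<u32>` payload makes `assert_send`/`assert_sync` fail to compile instead of letting the guard cross threads.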

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions    Patched versions
lock_api (crates.io)   < 0.4.2              0.4.2

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)