VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2021 · Updated Aug 4, 2024

CVE-2020-36466

Description

An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr implements Send and Sync for all types.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The cgc crate's Ptr type unsafely implements Send and Sync for all types, enabling data races and undefined behavior.

Vulnerability

The cgc crate's Ptr type unsafely implements the Send and Sync traits for every type T, without requiring T: Send or T: Sync [1][2][3]. Those bounds are what normally stop a wrapper around a non-thread-safe type such as Rc or Cell from crossing a thread boundary, so the unconditional impls make the compiler accept exactly the programs the two traits exist to reject. Additionally, the get() method returns a mutable reference (&mut T) from a shared reference (&self), so two calls on the same Ptr yield two live &mut T to the same data, breaking Rust's rule that a mutable reference is unique, and the set() method writes through the raw pointer with no synchronization [3]. The issue affects all versions of the cgc crate through 2020-12-10 [1][2].

Exploitation

No authentication or special privileges are involved: this is a soundness hole, so any safe Rust code that uses Ptr with a type that is not thread-safe, such as Rc or Cell, can reach undefined behavior without writing unsafe itself [3]. Wrapping an Rc in a Ptr and moving it to another thread, which compiles only because of Ptr's blanket Send/Sync impls, allows data races on the Rc's non-atomic reference count and therefore undefined behavior [3]. Likewise, calling get() twice on the same Ptr yields two &mut T references, violating Rust's aliasing rules and leading to undefined behavior [3]. A proof-of-concept in the issue demonstrates both scenarios [3]. Whether an external attacker can reach either path depends entirely on the program built on the crate; the defect itself is a missing compile-time guarantee rather than an input-handling bug.
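
The two defects above, the blanket Send/Sync impls from the Vulnerability section and the Rc-across-threads and double-get() scenarios described in this section, as an added Rust example. This is not the cgc crate's source or the issue's proof of concept: UnsoundPtr is a minimal reconstruction of the API shape the advisory describes, SoundPtr is the corrected form with bounded impls and a borrow-checked get_mut(), and every name in the block is this example's own. The unsound demos are written so that they do not themselves execute a data race or a write through aliased references; they show that the compiler accepts code it should reject.

```rust
// Added example: minimal reconstruction of the unsound pattern (assumed shape,
// not the cgc crate's code) beside a sound counterpart.
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::atomic::{AtomicU32, Ordering};
use std::sync::Arc;
use std::thread;

/// Owning raw pointer to a heap-allocated T, mirroring the description.
pub struct UnsoundPtr<T> {
    raw: *mut T,
    _own: PhantomData<T>,
}

// Bug 1: Send/Sync for *every* T, so UnsoundPtr<Rc<_>> or UnsoundPtr<Cell<_>>
// crosses threads although the inner type is not thread-safe.
unsafe impl<T> Send for UnsoundPtr<T> {}
unsafe impl<T> Sync for UnsoundPtr<T> {}

impl<T> UnsoundPtr<T> {
    pub fn new(value: T) -> Self {
        Self { raw: Box::into_raw(Box::new(value)), _own: PhantomData }
    }
    // Bug 2: `&mut T` handed out from `&self`, so two live results alias.
    pub fn get(&self) -> &mut T {
        unsafe { &mut *self.raw }
    }
    // Bug 3: unsynchronised write behind a shared reference.
    pub fn set(&self, value: T) {
        unsafe { *self.raw = value }
    }
}

impl<T> Drop for UnsoundPtr<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(self.raw)) }
    }
}

/// Send hole: an `Rc`, which std marks !Send, is moved to another thread inside
/// `UnsoundPtr` with no `unsafe` at the call site. The Rc is only touched on the
/// worker here, so this run does not race; the compiler still should have refused it.
pub fn rc_crosses_thread_boundary() -> usize {
    let shared = UnsoundPtr::new(Rc::new(String::from("not thread-safe")));
    // A bare `Rc<String>` would not compile here: "cannot be sent between threads safely".
    let handle = thread::spawn(move || shared.get().len());
    handle.join().expect("worker panicked")
}

/// Aliasing hole: two `&mut u32` to the same cell from a shared borrow. They are
/// coerced to raw pointers at once and only their addresses are compared; writing
/// through both would be undefined behavior.
pub fn get_aliases_mutable_state() -> bool {
    let p = UnsoundPtr::new(0u32);
    p.set(5); // a write with only `&p` in hand; another thread could do the same
    let a: *mut u32 = p.get();
    let b: *mut u32 = p.get(); // second `&mut` while the first is still reachable
    std::ptr::eq(a, b)
}

/// Corrected form: same representation, but the impls forward the bounds exactly
/// as Box<T> does, and exclusive access needs an exclusive borrow.
pub struct SoundPtr<T> {
    raw: *mut T,
    _own: PhantomData<T>,
}

unsafe impl<T: Send> Send for SoundPtr<T> {}
unsafe impl<T: Sync> Sync for SoundPtr<T> {}

impl<T> SoundPtr<T> {
    pub fn new(value: T) -> Self {
        Self { raw: Box::into_raw(Box::new(value)), _own: PhantomData }
    }
    /// Shared borrow yields a shared reference only.
    pub fn get(&self) -> &T {
        unsafe { &*self.raw }
    }
    /// Mutable access requires `&mut self`, so the borrow checker enforces uniqueness.
    pub fn get_mut(&mut self) -> &mut T {
        unsafe { &mut *self.raw }
    }
    pub fn set(&mut self, value: T) {
        unsafe { *self.raw = value }
    }
}

impl<T> Drop for SoundPtr<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(self.raw)) }
    }
}

/// With the bounds forwarded, sharing across threads compiles only for a T that is
/// itself Sync; an atomic counter qualifies and the increments are race-free.
pub fn sound_ptr_shared_counter(threads: usize, per_thread: u32) -> u32 {
    let counter = Arc::new(SoundPtr::new(AtomicU32::new(0)));
    let workers: Vec<_> = (0..threads)
        .map(|_| {
            let c = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    c.get().fetch_add(1, Ordering::Relaxed);
                }
            })
        })
        .collect();
    for w in workers {
        w.join().expect("worker panicked");
    }
    counter.get().load(Ordering::Relaxed)
}

/// Exclusive writes go through `&mut self`; a second live get_mut() is a borrow error.
pub fn sound_ptr_exclusive_write() -> u32 {
    let mut p = SoundPtr::new(1u32);
    *p.get_mut() += 1;
    let next = *p.get() + 40;
    p.set(next);
    *p.get()
}

fn main() {
    println!("Rc moved across threads via UnsoundPtr, len = {}", rc_crosses_thread_boundary());
    println!("two &mut from &self alias the same cell: {}", get_aliases_mutable_state());
    println!("SoundPtr<AtomicU32> counter: {}", sound_ptr_shared_counter(4, 1000));
    println!("SoundPtr exclusive write: {}", sound_ptr_exclusive_write());
}
```

Neither unsound demo contains an unsafe block at the call site; that is the whole problem. The corrected SoundPtr rejects both at compile time: moving a SoundPtr<Rc<String>> into thread::spawn fails because Rc is not Send, and calling get_mut() a second time while the first result is alive is a borrow-check error.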

Impact

Successful exploitation leads to memory corruption, data races, and undefined behavior [1][2][3]. Depending on the program built on the crate, this can mean information disclosure, denial of service through a crash, or other security violations. Because the failure is undefined behavior, the concrete symptom depends on the compiler and optimization level, and an affected program may appear to work in testing. The RustSec advisory categorizes this as a memory-corruption and concurrency vulnerability [2].

Mitigation

No patched version of the cgc crate exists [2], and the crate has not been yanked from crates.io [2], so a plain cargo build still resolves it. The recommended mitigation is to avoid using this crate altogether [2]. Because the advisory is in the RustSec database, running cargo audit against a project's Cargo.lock reports the dependency. Users should migrate to an alternative whose Send and Sync impls are bounded on T (Send only when T: Send, Sync only when T: Sync) and that hands out &mut T only from &mut self or from behind a lock, so the compiler enforces Rust's aliasing rules.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
cgc (crates.io)   <= 0.4.0            none

Patches

0

No patches discovered yet.
