Bug 1632932 (CVE-2018-1000810)

Summary: CVE-2018-1000810 rust: Buffer overflow in str::repeat function in the standard library
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bodavis, igor.raits, jcajka, jistone, jpadman, law, mnewsome, rust-sig, TicoTimo, tstellar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rust 1.29.1 Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was discovered in Rust that affects the `str::repeat` function in the standard library. An attacker could abuse this flaw by controlling the arguments given to `str::repeat` and can cause a Rust program to overflow a buffer in memory, potentially leading to a crash or arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-16 18:12:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1632933, 1632934    
Bug Blocks: 1696271    

Description Pedro Sampaio 2018-09-25 20:27:32 UTC 
As reported in upstream advisory:

# Security adivsory for the Rust standard library - 2018-09-21 

The Rust team was recently notified of a security vulnerability affecting 
the `str::repeat` function in the standard library. If your code does not 
use this function, it is not affected. 

We are applying for a CVE for this vulnerability, but since there is no 
embargo, we have not filed for one yet. Once a CVE is assigned, we'll make a 
second post to make mention of the CVE number. 

## Overview 

This vulnerability is an instance of CWE-680: Integer Overflow to Buffer 
Overflow[1]. 

The `str::repeat` function in the standard library allows repeating a 
string a fixed number of times, returning an owned version of the final 
string. The capacity of the final string is calculated by multiplying 
the length of the string being repeated by the number of copies. This 
calculation can overflow, and this case was not properly checked for. 

The rest of the implementation of `str::repeat` contains unsafe code 
that relies on a preallocated vector having the capacity calculated 
earlier. On integer overflow the capacity will be less than required, 
and which then writes outside of the allocated buffer, leading to 
buffer overflow. 

## Affected Versions 

While the `str::repeat` function has been in Rust since 1.16.0, this 
vulnerability was introduced into the standard library in pull 
request #48657 [2]. The pull request was merged on March 6, 2018 and 
was first part of the 1.26.0 stable released on May 10, 2018. 

As such, this vulnerability affects: 

* Every nightly we've produced since March 6, 2018 
* Every beta produced since March 6, 2018 
* These specific Rust releases: 
  * 1.29.0 
  * 1.28.0 
  * 1.27.2 
  * 1.27.1 
  * 1.27.0 
  * 1.26.2 
  * 1.26.1 
  * 1.26.0 

## Mitigations 

This bug can be mitigated manually by auditing for calls to `str::repeat` 
and testing if the resulting vector's capacity will overflow. If it does, 
then the program should panic. 

For Rust 1.29, we'll be releasing a 1.29.1 on 2018-09-25 with the fix, 
which consists of checking for overflow and deterministically panicking 
if it happens. Nightlies and betas produced after 2019-09-21 will also 
contain a fix for this issue. 

We will not be releasing our own fixes for previous versions of Rust. 
The patch to fix 1.29 should roughly applicable to older versions, although 
the implementation has seen a few refactorings since it was introduced. 
The patch for 1.29 is included at the end of this email. If you 
need assistance patching an older version of Rust on your own, please reach 
out to our security mailing list, secu..., and we'll be happy 
to help. 

The current beta and nightly channels will be updated with a fix for this 
issue as well. 

References:

https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html
https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0
Comment 1 Pedro Sampaio 2018-09-25 20:28:39 UTC 
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 1632934]
Affects: fedora-all [bug 1632933]
Comment 2 Scott Gayou 2019-04-04 17:14:55 UTC 
Upstream Commit: https://github.com/rust-lang/rust/pull/54397/commits/1b94b84ad0143ea2039610e3aec9e929a8a20733
Comment 4 Riccardo Schirone 2019-07-15 08:45:23 UTC 
Vulnerability introduced in commit https://github.com/rust-lang/rust/commit/08504fbb0b05abdd9543f08102b0d6275dde210c
Comment 6 Doran Moppert 2019-08-14 03:08:54 UTC 
External References:

https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html
Comment 7 Joshua Padman 2019-08-21 02:53:35 UTC 
The version of rust included in devtools compilers is not affected as it is based on a fixed release version.