ulan commented on issue #3509:
@alexcrichton: do you know if this bug has any security impact?
alexcrichton commented on issue #3509:
@ulan this means that if arbitrary input is fed into
Module::new
then it can causeModule::new
to panic, which can be a form of denial-of-service I believe, but I think that's the impact of this.
ulan commented on issue #3509:
Thanks @alexcrichton. Sorry, I forgot to mention that in a test that I tired the panic happens only in the debug mode. Could it be that the assertion is enabled only in debug mode? If so, could the bug lead to something exploitable in release mode?
In any case, do you think it is worthwhile to merge the fix back in the last two released versions?
alexcrichton commented on issue #3509:
Oh right sorry now I remember what I thought when I was originally thinking about this. Indeed yeah this is a debug assert so the assert doesn't happen in release mode, which means my previous comment is not actually correct because most embeddings are built in release mode.
I remember now though that my conclusion was that this would cause no issues. Nothing bad will happen for bad name section indices in reality and this was mostly just a debug check we needed to fixup. In that sense no need for security backports or anything.
ulan commented on issue #3509:
Happy to hear that! Thanks @alexcrichton.
Last updated: Dec 23 2024 at 13:07 UTC