diff --git a/crates/anyhow/RUSTSEC-0000-0000.md b/crates/anyhow/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..e12f13d1db --- /dev/null +++ b/crates/anyhow/RUSTSEC-0000-0000.md @@ -0,0 +1,70 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "anyhow" +date = "2026-06-25" +url = "https://github.com/dtolnay/anyhow/issues/451" +informational = "unsound" +categories = ["memory-corruption"] +keywords = ["unsound", "downcast_mut"] + +[affected.functions] +"anyhow::Error::downcast_mut" = ["< 1.0.103"] + +[versions] +patched = [">= 1.0.103"] +``` + +# Unsoundness in `Error::downcast_mut()` + +Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via `Error::context` and then later calls `Error::downcast_mut` on the returned `Error`. + +The flaw was corrected in commit `6e8c000` by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain. + +## Example + +```rust +use anyhow::Error; +use std::fmt; + +#[derive(Debug)] +struct ErrorContext(&'static str); + +impl fmt::Display for ErrorContext { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + fmt::Display::fmt(&self.0, f) + } +} + +fn main() { + let mut error = Error::msg("inner error").context(ErrorContext("old context")); + let context: &mut ErrorContext = error.downcast_mut().unwrap(); + context.0 = "new context"; + println!("{:?}", error); +} +``` + +## Miri output + +``` +error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location + --> src/ptr.rs:170:18 + | +170 | unsafe { &mut *self.ptr.as_ptr() } + | ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48] + | + = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental + = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information +help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48] + --> src/ptr.rs:89:18 + | + 89 | ptr: NonNull::from(ptr), + | ^^^^^^^^^^^^^^^^^^ + = note: stack backtrace: + 0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut + at src/ptr.rs:170:18: 170:41 + 1: anyhow::error::::downcast_mut:: + at src/error.rs:560:18: 560:46 + 2: main + at examples/downcast_mut.rs:15:38: 15:58 +``` diff --git a/crates/eyre/RUSTSEC-0000-0000.md b/crates/eyre/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..3c134a8bac --- /dev/null +++ b/crates/eyre/RUSTSEC-0000-0000.md @@ -0,0 +1,69 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "eyre" +date = "2026-06-26" +url = "https://github.com/eyre-rs/eyre/issues/285" +informational = "unsound" +categories = ["memory-corruption"] +keywords = ["unsound", "downcast_mut"] + +[affected.functions] +"eyre::Report::downcast_mut" = ["<= 0.6.12"] + +[versions] +patched = [] +# patched = ["> 0.6.12"] # Include if fix lands in 0.6.13 +``` + +# Unsoundness in `Report::downcast_mut()` + +Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to a report via `Report::wrap_err` and then later calls `Report::downcast_mut` on the returned `Report`. + + + + +## Example + +```rust +use eyre::Report; +use std::fmt; + +#[derive(Debug)] +struct ErrorContext(&'static str); + +impl fmt::Display for ErrorContext { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + fmt::Display::fmt(&self.0, f) + } +} + +fn main() { + let mut error = Report::msg("inner error").wrap_err(ErrorContext("old context")); + let context: &mut ErrorContext = error.downcast_mut().unwrap(); + context.0 = "new context"; + println!("{:?}", error); +} +``` + +## Miri output + +``` +error: Undefined Behavior: trying to retag from <1130> for Unique permission at alloc540[0x18], but that tag only grants SharedReadOnly permission for this location + --> /home/dfranke/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/non_null.rs:478:18 + | +478 | unsafe { &mut *self.as_ptr() } + | ^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc540[0x18..0x28] + | + = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental + = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information +help: <1130> was created by a SharedReadOnly retag at offsets [0x18..0x28] + --> eyre/src/error.rs:746:19 + = note: stack backtrace: + 0: std::ptr::NonNull::::as_mut::<'_> + at /home/dfranke/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/non_null.rs:478:18: 478:37 + 1: eyre::error::::downcast_mut:: + at eyre/src/error.rs:447:18: 447:43 + 2: main + at eyre/examples/downcast_mut.rs:15:38: 15:58 +``` diff --git a/crates/miette/RUSTSEC-0000-0000.md b/crates/miette/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..57ad714c99 --- /dev/null +++ b/crates/miette/RUSTSEC-0000-0000.md @@ -0,0 +1,70 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "miette" +date = "2026-05-31" +url = "https://github.com/zkat/miette/issues/469" +informational = "unsound" +categories = ["memory-corruption"] +keywords = ["unsound", "downcast_mut"] + +[affected.functions] +"miette::Report::downcast_mut" = ["<= 7.6.0"] + +[versions] +patched = [] +``` + +# Unsoundness in `Report::downcast_mut()` + +Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to a report via `Report::wrap_err` and then later calls `Report::downcast_mut` on the returned `Report`. + +No fix is currently available. + +## Example + +```rust +use miette::Report; +use std::fmt; + +#[derive(Debug)] +struct ErrorContext(&'static str); + +impl fmt::Display for ErrorContext { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + fmt::Display::fmt(&self.0, f) + } +} + +fn main() { + let mut error = Report::msg("inner error").wrap_err(ErrorContext("old context")); + let context: &mut ErrorContext = error.downcast_mut().unwrap(); + context.0 = "new context"; + println!("{:?}", error); +} +``` + +## Miri output + +``` +error: Undefined Behavior: trying to retag from <1114> for Unique permission at alloc534[0x18], but that tag only grants SharedReadOnly permission for this location + --> src/eyreish/ptr.rs:172:9 + | +172 | &mut *self.ptr.as_ptr() + | ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc534[0x18..0x28] + | + = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental + = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information +help: <1114> was created by a SharedReadOnly retag at offsets [0x18..0x28] + --> src/eyreish/ptr.rs:89:18 + | + 89 | ptr: NonNull::from(ptr), + | ^^^^^^^^^^^^^^^^^^ + = note: stack backtrace: + 0: miette::eyreish::ptr::Mut::<'_, ErrorContext>::deref_mut + at src/eyreish/ptr.rs:172:9: 172:32 + 1: miette::eyreish::error::::downcast_mut:: + at src/eyreish/error.rs:390:18: 390:46 + 2: main + at examples/downcast_mut.rs:15:38: 15:58 +```