Headline
GHSA-77h3-w9rx-hj3q: User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows
The get and set methods of the public trait scratchpad::Tracking interact with unsafe code regions in the crate, and they influence the computation of addresses returned as raw pointers. However, the trait itself is not marked as unsafe, meaning users may provide custom implementations under the assumption that the crate upholds all safety guarantees.
This becomes problematic because even safe implementations of get and set-written without using any unsafe code-can still result in ill-formed raw pointers. These pointers may later be dereferenced within safe APIs of the crate (e.g., marker::MarkerBack::allocate_slice_copy), potentially leading to arbitrary memory access or heap buffer overflows.
According to the penultimate commit, the crate is in maintenance mode awaiting a cleanup that will reduce the area of unsafe code. Note that the last commits to the repository are from 4 years ago.
The get and set methods of the public trait scratchpad::Tracking interact with unsafe code regions in the crate, and they influence the computation of addresses returned as raw pointers. However, the trait itself is not marked as unsafe, meaning users may provide custom implementations under the assumption that the crate upholds all safety guarantees.
This becomes problematic because even safe implementations of get and set-written without using any unsafe code-can still result in ill-formed raw pointers. These pointers may later be dereferenced within safe APIs of the crate (e.g., marker::MarkerBack::allocate_slice_copy), potentially leading to arbitrary memory access or heap buffer overflows.
According to the penultimate commit, the crate is in maintenance mode awaiting a cleanup that will reduce the area of unsafe code. Note that the last commits to the repository are from 4 years ago.
References
- okready/scratchpad#2
- https://rustsec.org/advisories/RUSTSEC-2025-0049.html