Skip to content

enum_map macro can cause UB when `Enum` trait is incorrectly implemented

High severity GitHub Reviewed Published Jun 16, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo enum-map (Rust)

Affected versions

>= 2.0.0-2, < 2.0.2

Patched versions

2.0.2

Description

Affected versions of this crate did not properly check the length of an enum when using enum_map! macro, trusting user-provided length.

When the LENGTH in the Enum trait does not match the array length in the EnumArray trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code.

This problem can only occur with a manual implementation of the Enum trait, it will never occur for enums that use #[derive(Enum)].

Example code that triggers this vulnerability looks like this:

enum E {
    A,
    B,
    C,
}

impl Enum for E {
    const LENGTH: usize = 2;

    fn from_usize(value: usize) -> E {
        match value {
            0 => E::A,
            1 => E::B,
            2 => E::C,
            _ => unimplemented!(),
        }
    }

    fn into_usize(self) -> usize {
        self as usize
    }
}

impl<V> EnumArray<V> for E {
    type Array = [V; 3];
}

let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };

The flaw was corrected in commit b824e23 by putting LENGTH property on sealed trait for macro to read.

References

Published to the GitHub Advisory Database Jun 16, 2022
Reviewed Jun 16, 2022
Last updated Jun 13, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-rxhx-9fj6-6h2m

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.