Tokio slab Out-of-Bounds Access Vulnerability in get_disjoint_mut Method

A vulnerability in the Tokio slab library version 0.4.10 allows out-of-bounds access in the get_disjoint_mut method. The issue arises because the method improperly verifies if indices are within the slab's capacity rather than its actual length, leading to potential access of uninitialized memory. This flaw can cause undefined behavior or crashes.

Impact

Exploitation of this vulnerability could result in out-of-bounds memory access, allowing read or write operations to uninitialized memory, which could lead to undefined behavior or application crashes.

Reproduction

The vulnerability can be reproduced by using the get_disjoint_mut method with indices that exceed the actual length of the slab. For example, after inserting two elements into a slab with a capacity of ten, requesting disjoint mutable access for indices 0, 1, and 5 will trigger the out-of-bounds access error.

Remediation

Users can upgrade to Tokio slab version 0.4.11 or later, or avoid using the get_disjoint_mut method with indices that may exceed the slab's current length.