smallbitvec Heap Buffer Overflow Vulnerability via Integer Overflow in Capacity Calculation

Vulnerability

A heap buffer overflow vulnerability has been identified in the smallbitvec library for Rust, affecting versions from 1.0.1 up to, but not including, 2.6.0. The issue arises from an integer overflow in the internal capacity calculation, which can produce an undersized heap allocation. Because the overflow happens inside the library, memory corruption is reachable through its safe APIs alone; the caller never has to write unsafe code. The root cause is unchecked arithmetic that can make the computed allocation size far smaller than the number of bits the vector is supposed to hold, creating a mismatch between the logical capacity and the actual buffer size. Subsequent safe API calls then operate on this inconsistent metadata and eventually read or write out of bounds, which is undefined behavior.

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, causing memory corruption that can be exploited to execute arbitrary code or cause a crash. The buffer overflow occurs through safe APIs, bypassing Rust's safety guarantees.

Reproduction

The vulnerability can be reproduced by creating a SmallBitVec instance with a capacity close to usize::MAX. This triggers the integer overflow in the capacity calculation and results in an undersized allocation. Safe API calls that manipulate the bit vector then access memory out of bounds, causing a heap buffer overflow. The overflow can be reached either through the 'from_elem' method or by reserving a large capacity after pushing an element.

Remediation

Users should upgrade to smallbitvec version 2.6.1 or later, where this vulnerability has been fixed.
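The following is an added illustration of the arithmetic pattern behind the Vulnerability and Reproduction sections above, written for this page; it is not smallbitvec's source code and assumes a hypothetical layout of one header word followed by data words of usize::BITS bits each. It contrasts a wrapping word-count calculation, which collapses to a tiny value for a bit count near usize::MAX, with the checked form a library should use so that capacity requests that cannot be backed by a real allocation are refused instead of silently undersized.

```rust
use std::mem::size_of;

/// Bits per storage word. Assumed layout for this illustration only.
pub const BITS_PER_WORD: usize = usize::BITS as usize;

/// Error returned when a requested bit count cannot be backed by an allocation.
#[derive(Debug, PartialEq, Eq)]
pub struct CapacityOverflow;

/// Unchecked variant: `nbits + (BITS_PER_WORD - 1)` wraps around for `nbits`
/// near usize::MAX, so the rounded-up word count collapses to nearly zero.
/// This is the general shape of the defect described above, not the actual
/// smallbitvec code.
pub fn words_for_bits_wrapping(nbits: usize) -> usize {
    nbits.wrapping_add(BITS_PER_WORD - 1) / BITS_PER_WORD
}

/// Checked variant: the same round-up-to-whole-words computation, but the
/// addition reports overflow instead of wrapping.
pub fn words_for_bits_checked(nbits: usize) -> Result<usize, CapacityOverflow> {
    let rounded = nbits
        .checked_add(BITS_PER_WORD - 1)
        .ok_or(CapacityOverflow)?;
    Ok(rounded / BITS_PER_WORD)
}

/// Bytes to allocate for `nbits` bits plus one header word (assumed to hold
/// the length). Every step is checked, so the returned size can never be
/// smaller than the logical capacity it is meant to back.
pub fn alloc_bytes_checked(nbits: usize) -> Result<usize, CapacityOverflow> {
    let data_words = words_for_bits_checked(nbits)?;
    let total_words = data_words.checked_add(1).ok_or(CapacityOverflow)?;
    total_words
        .checked_mul(size_of::<usize>())
        .ok_or(CapacityOverflow)
}

/// What a safe `reserve(additional)` on a vector of `len` bits should do:
/// compute the required bit capacity with checked arithmetic and refuse the
/// request when it overflows, rather than allocating an undersized buffer.
pub fn reserve_checked(len: usize, additional: usize) -> Result<usize, CapacityOverflow> {
    let needed = len.checked_add(additional).ok_or(CapacityOverflow)?;
    alloc_bytes_checked(needed)
}

fn main() {
    let huge = usize::MAX - 1;
    println!("wrapping word count for {huge} bits: {}", words_for_bits_wrapping(huge));
    println!("checked  word count for {huge} bits: {:?}", words_for_bits_checked(huge));
    println!("reserve(1, usize::MAX): {:?}", reserve_checked(1, usize::MAX));
}
```

The wrapping function returns 0 words for a request of usize::MAX bits, which is exactly the logical-versus-physical size mismatch the advisory describes; the checked functions turn the same request into an error before any allocation happens.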

Added: May 26, 2026, 11:44 PM
Updated: May 26, 2026, 11:44 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  6.0
  remediation     0.0
  relevance       9.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.