Mozilla Thin Vec Double-Free and Use-After-Free Vulnerability
Vulnerability
A double-free and use-after-free vulnerability has been identified in the `thin_vec` crate, specifically in the `IntoIter::drop` and `ThinVec::clear` functions. It allows memory corruption using only safe Rust code, with no `unsafe` blocks required. The issue arises when a panic occurs while the vector's elements are being dropped: the panic prevents the vector's length from being reset, so when the vector is dropped again during stack unwinding the same elements are dropped a second time, producing a double free and the potential for use-after-free. The resulting undefined behaviour has been confirmed with Miri and AddressSanitizer.
Impact
Exploitation of this vulnerability causes a double free and a use-after-free, i.e. memory corruption. When combined with `Box<dyn Trait>` values, it can be exploited to achieve arbitrary code execution by hijacking the vtable of a freed object.
Reproduction
The vulnerability can be reproduced by creating a `ThinVec` and pushing elements onto it, including one whose drop triggers a panic. For the `IntoIter::drop` vulnerability, an iterator is created and dropped before it is fully consumed; the resulting panic interrupts the normal deallocation process. For the `ThinVec::clear` vulnerability, `clear()` is called on a vector containing such an element, so the panic occurs while `clear()` is still dropping elements.
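The root cause described above, a length that is only reset after the element drops have finished, is a general hazard in hand-written containers. The following is an added example, not code from `thin_vec` or Mozilla: a hypothetical minimal buffer `MiniVec` whose `clear` zeroes `len` before dropping anything, plus a constructed element type that panics in `Drop`, showing that a panicking drop leaks the remaining elements instead of freeing any of them twice.

```rust
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
/// Hypothetical minimal buffer (not thin_vec's code): `buf` holds raw slots,
/// `len` records how many of them contain a live `T`.
pub struct MiniVec<T> { buf: Vec<MaybeUninit<T>>, len: usize }
impl<T> MiniVec<T> {
    pub fn new() -> Self { MiniVec { buf: Vec::new(), len: 0 } }
    pub fn push(&mut self, value: T) {
        self.buf.truncate(self.len); // discard stale slots left by a partial clear
        self.buf.push(MaybeUninit::new(value));
        self.len += 1;
    }
    /// Hardened clear: `len` is zeroed *before* any element is dropped, so if an
    /// element's Drop panics, the container's own Drop (run while unwinding)
    /// sees `len == 0` and drops nothing; the remaining elements leak, never double-free.
    pub fn clear(&mut self) {
        let live = self.len;
        self.len = 0;
        for slot in &mut self.buf[..live] {
            // SAFETY: slots 0..live were initialised by push and are dropped
            // exactly once here; len is already 0 so Drop will not revisit them.
            unsafe { slot.as_mut_ptr().drop_in_place() };
        }
        self.buf.clear(); // MaybeUninit has no Drop, so this frees slots only
    }
}
impl<T> Drop for MiniVec<T> { fn drop(&mut self) { self.clear(); } }

// Constructed element type: counts every Drop call and optionally panics in Drop.
static DROPS: AtomicUsize = AtomicUsize::new(0);
struct Tracked { panic_on_drop: bool }
impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
        assert!(!self.panic_on_drop, "constructed panic inside Drop");
    }
}
/// Clears a 3-element MiniVec whose middle element panics in Drop, then drops the
/// container. Returns (clear_panicked, total_drop_calls); expected (true, 2).
pub fn demo() -> (bool, usize) {
    DROPS.store(0, Ordering::SeqCst);
    let mut v = MiniVec::new();
    v.push(Tracked { panic_on_drop: false });
    v.push(Tracked { panic_on_drop: true });
    v.push(Tracked { panic_on_drop: false });
    let panicked = catch_unwind(AssertUnwindSafe(|| v.clear())).is_err();
    drop(v); // len is 0: the third element is leaked, not dropped a second time
    (panicked, DROPS.load(Ordering::SeqCst))
}
```

With the length reset moved after the drop loop instead, the same scenario would drop the first two elements again from the container's `Drop`, which is the double free Miri and AddressSanitizer flag in the vulnerable crate.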
Remediation
Update to version 0.2.16 of the `thin_vec` crate, which patches this vulnerability.