
CVE-2021-25908: Double free in fil-ocl

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.55713%
Published: 8/25/2021
Updated: 1/9/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: fil-ocl
Ecosystem: rust
Vulnerable Versions: >= 0.12.0
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is in the `From<[E; $len]>` implementation in `event.rs`, lines 1037-1050. The code uses `ptr::read` to transfer ownership of the array elements to the `EventList`, then calls `mem::forget` on the original array. However, if the user-provided `Into<Event>` conversion panics during the loop, `mem::forget` never executes and the original array is dropped normally. The result is a double free of elements that were already moved out via `ptr::read` and potentially dropped during stack unwinding. The GitHub issue (#194) demonstrates this scenario and confirms the lack of panic-safety mechanisms such as `ManuallyDrop`.
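The panic-safety problem described above, as an added example that is not fil-ocl's code: `Elem`, `Event` and both conversion functions are constructed stand-ins assumed for illustration. It sets the `ptr::read` plus `mem::forget` pattern beside a `ManuallyDrop` form and counts destructor runs when the conversion panics partway through.

```rust
use std::mem::{self, ManuallyDrop};
use std::panic::{self, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};

static DROPS: AtomicUsize = AtomicUsize::new(0);
// Constructed stand-ins (not fil-ocl types): Elem counts destructor runs.
struct Elem(u32);
impl Drop for Elem {
    fn drop(&mut self) { DROPS.fetch_add(1, Ordering::SeqCst); }
}
#[allow(dead_code)]
struct Event(Elem);
impl From<Elem> for Event {
    fn from(e: Elem) -> Event {
        // Simulates a user-provided conversion that fails on one element.
        if e.0 == 1 { panic!("constructed conversion failure"); }
        Event(e)
    }
}

// Pattern from the analysis, for contrast only (never called): a panic in
// into() skips mem::forget, so `arr` is dropped after elements were copied out.
#[allow(dead_code)]
fn from_array_unsound<E: Into<Event>, const N: usize>(arr: [E; N]) -> Vec<Event> {
    let mut out: Vec<Event> = Vec::new();
    for slot in arr.iter() {
        out.push(unsafe { std::ptr::read(slot) }.into());
    }
    mem::forget(arr);
    out
}

// Hardened form: the array is wrapped before any element is read, so unwinding
// never drops it. Elements not yet read leak on panic, which is memory-safe.
fn from_array_sound<E: Into<Event>, const N: usize>(arr: [E; N]) -> Vec<Event> {
    let arr = ManuallyDrop::new(arr);
    let mut out: Vec<Event> = Vec::new();
    for slot in arr.iter() {
        out.push(unsafe { std::ptr::read(slot) }.into());
    }
    out
}

// Destructor runs after a conversion that panics on the second of three elements.
fn drops_after_panicking_conversion() -> usize {
    DROPS.store(0, Ordering::SeqCst);
    let input = [Elem(0), Elem(1), Elem(2)];
    let result = panic::catch_unwind(AssertUnwindSafe(|| from_array_sound(input)));
    assert!(result.is_err());
    DROPS.load(Ordering::SeqCst)
}
fn main() { println!("destructor runs: {}", drops_after_panicking_conversion()); }
```

With the hardened form, no element's destructor runs more than once: the converted element and the one consumed by the panicking conversion are dropped, and the unread one is leaked.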


WAF Protection Rules

WAF Rule

An issue was discovered in the fil-ocl crate through ****-**-** for Rust. From<EventList> can lead to a double free.
