|
| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "RUSTSEC-0000-0000" |
| 4 | +package = "process_lock" |
| 5 | +date = "2025-05-16" |
| 6 | +url = "https://github.com/tickbh/ProcessLock/issues/1" |
| 7 | +informational = "unsound" |
| 8 | +# See https://docs.rs/rustsec/latest/rustsec/advisory/enum.Category.html |
| 9 | +cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" |
| 10 | +keywords = ["data race"] |
| 11 | +aliases = ["CVE-2025-48751"] |
| 12 | + |
| 13 | +[affected.functions] |
| 14 | +"process_lock::ProcessLock::unlock" = [">= 0.1.0"] |
| 15 | + |
| 16 | +[versions] |
| 17 | +patched = [] |
| 18 | +unaffected = [] |
| 19 | + |
| 20 | +[affected] |
| 21 | +``` |
| 22 | + |
| 23 | +# Unsound issue in unlock |
| 24 | + |
| 25 | +Our static analyzer find a potential unsound issue |
| 26 | +(data races) in ProcessLock, where the unlock fuction |
| 27 | +needs to be marked as unsafe explicitly, otherwise |
| 28 | +safe Rust can have data races when user unlock |
| 29 | +unexpectedly, you can check lock-api for details. |
| 30 | + |
| 31 | +## PoC |
| 32 | + |
| 33 | +A potentail PoC code is like: |
| 34 | + |
| 35 | +``` |
| 36 | +#[deny(unsafe_code)] |
| 37 | +use std::sync::Arc; |
| 38 | +use process_lock::*; |
| 39 | +use std::thread; |
| 40 | +use std::time::Duration; |
| 41 | +
|
| 42 | +
|
| 43 | +fn main() { |
| 44 | + let mut s1 = Arc::new(ProcessLock::new("test".parse().unwrap(), None).unwrap()); |
| 45 | + let mut s2 = s1.clone(); |
| 46 | + let h = std::thread::spawn(move || { |
| 47 | + if let Ok(mut guard) = s2.lock() { |
| 48 | + thread::sleep(Duration::from_secs(1)); |
| 49 | + // data race 1 |
| 50 | + } |
| 51 | + }); |
| 52 | + thread::sleep(Duration::from_secs(1)); |
| 53 | + if let Ok(_) = s1.unlock(){ |
| 54 | + if let Ok(guard2) = s1.lock(){ |
| 55 | + println!("data races"); |
| 56 | + // data race 2 |
| 57 | + } |
| 58 | + } |
| 59 | + h.join().unwrap(); |
| 60 | +} |
| 61 | +``` |
0 commit comments