CVE-2020-36444: Data races in async-coap

August 25, 2021

An issue was discovered in the async-coap crate through 2020-12-08 for Rust. Affected versions of this crate implement Send/Sync for ArcGuard<RC, T> with no trait bounds on RC. This allows users to send RC: !Send to other threads and also allows users to concurrently access Rc: !Sync from multiple threads.

This can result in memory corruption from data race or other undefined behavior caused by sending T: !Send to other threads (e.g. dropping MutexGuard<T> in another thread that didn’t lock its mutex).

References

github.com/advisories/GHSA-9j8q-m9x5-9g6j
github.com/google/rust-async-coap
github.com/google/rust-async-coap/issues/33
nvd.nist.gov/vuln/detail/CVE-2020-36444
raw.githubusercontent.com/rustsec/advisory-db/main/crates/async-coap/RUSTSEC-2020-0124.md
rustsec.org/advisories/RUSTSEC-2020-0124.html

Code Behaviors & Features

Detect and mitigate CVE-2020-36444 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →