Bug #19833: Data race in crossbeam-deque - Rudder - Issue Tracker

Actions

Copy link

Bug #19833

closed

Data race in crossbeam-deque

Added by Alexis Mousset over 2 years ago. Updated over 1 year ago.

Status:

Released

Priority:

N/A

Assignee:

Benoît PECCATTE

Category:

Relay server or API

Target version:

6.2.16

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

 error[A001]: Data race in crossbeam-deque

[2021-08-22T16:36:46.604Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_6.1/relay/sources/relayd/Cargo.lock:37:1

[2021-08-22T16:36:46.604Z]    │

[2021-08-22T16:36:46.604Z] 37 │ crossbeam-deque 0.7.3 registry+https://github.com/rust-lang/crates.io-index

[2021-08-22T16:36:46.604Z]    │ --------------------------------------------------------------------------- security vulnerability detected

[2021-08-22T16:36:46.604Z]    │

[2021-08-22T16:36:46.604Z]    = ID: RUSTSEC-2021-0093

[2021-08-22T16:36:46.604Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0093

[2021-08-22T16:36:46.604Z]    = In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

[2021-08-22T16:36:46.604Z]      

[2021-08-22T16:36:46.604Z]      Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.

[2021-08-22T16:36:46.604Z]      

[2021-08-22T16:36:46.604Z]      Credits to @kmaork for discovering, reporting and fixing the bug.

[2021-08-22T16:36:46.605Z]    = Announcement: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw

[2021-08-22T16:36:46.605Z]    = Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1

[2021-08-22T16:36:46.605Z]    = crossbeam-deque v0.7.3

[2021-08-22T16:36:46.605Z]      ├── rayon v1.3.0

[2021-08-22T16:36:46.605Z]      │   └── criterion v0.3.2

[2021-08-22T16:36:46.605Z]      │       └── (dev) relayd v0.0.0-dev

[2021-08-22T16:36:46.605Z]      ├── rayon-core v1.7.0

[2021-08-22T16:36:46.605Z]      │   └── rayon v1.3.0 (*)

[2021-08-22T16:36:46.605Z]      └── tokio-threadpool v0.1.18

[2021-08-22T16:36:46.605Z]          ├── hyper v0.12.36

[2021-08-22T16:36:46.605Z]          │   ├── hyper-tls v0.3.2

[2021-08-22T16:36:46.605Z]          │   │   └── reqwest v0.9.24

[2021-08-22T16:36:46.605Z]          │   │       └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22

[2021-08-22T16:36:46.605Z]          │       └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          ├── tokio v0.1.22

[2021-08-22T16:36:46.605Z]          │   ├── hyper v0.12.36 (*)

[2021-08-22T16:36:46.605Z]          │   ├── inotify v0.7.0

[2021-08-22T16:36:46.605Z]          │   │   └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22 (*)

[2021-08-22T16:36:46.605Z]          ├── tokio-fs v0.1.7

[2021-08-22T16:36:46.605Z]          │   └── tokio v0.1.22 (*)

[2021-08-22T16:36:46.605Z]          └── warp v0.1.22 (*)

Subtasks 1 (0 open — 1 closed)