Project

General

Profile

Actions

Bug #19833

closed

Data race in crossbeam-deque

Added by Alexis Mousset over 3 years ago. Updated over 2 years ago.

Status:
Released
Priority:
N/A
Category:
Relay server or API
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

 error[A001]: Data race in crossbeam-deque

[2021-08-22T16:36:46.604Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_6.1/relay/sources/relayd/Cargo.lock:37:1

[2021-08-22T16:36:46.604Z]    │

[2021-08-22T16:36:46.604Z] 37 │ crossbeam-deque 0.7.3 registry+https://github.com/rust-lang/crates.io-index

[2021-08-22T16:36:46.604Z]    │ --------------------------------------------------------------------------- security vulnerability detected

[2021-08-22T16:36:46.604Z]    │

[2021-08-22T16:36:46.604Z]    = ID: RUSTSEC-2021-0093

[2021-08-22T16:36:46.604Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0093

[2021-08-22T16:36:46.604Z]    = In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

[2021-08-22T16:36:46.604Z]      

[2021-08-22T16:36:46.604Z]      Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.

[2021-08-22T16:36:46.604Z]      

[2021-08-22T16:36:46.604Z]      Credits to @kmaork for discovering, reporting and fixing the bug.

[2021-08-22T16:36:46.605Z]    = Announcement: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw

[2021-08-22T16:36:46.605Z]    = Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1

[2021-08-22T16:36:46.605Z]    = crossbeam-deque v0.7.3

[2021-08-22T16:36:46.605Z]      ├── rayon v1.3.0

[2021-08-22T16:36:46.605Z]      │   └── criterion v0.3.2

[2021-08-22T16:36:46.605Z]      │       └── (dev) relayd v0.0.0-dev

[2021-08-22T16:36:46.605Z]      ├── rayon-core v1.7.0

[2021-08-22T16:36:46.605Z]      │   └── rayon v1.3.0 (*)

[2021-08-22T16:36:46.605Z]      └── tokio-threadpool v0.1.18

[2021-08-22T16:36:46.605Z]          ├── hyper v0.12.36

[2021-08-22T16:36:46.605Z]          │   ├── hyper-tls v0.3.2

[2021-08-22T16:36:46.605Z]          │   │   └── reqwest v0.9.24

[2021-08-22T16:36:46.605Z]          │   │       └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22

[2021-08-22T16:36:46.605Z]          │       └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          ├── tokio v0.1.22

[2021-08-22T16:36:46.605Z]          │   ├── hyper v0.12.36 (*)

[2021-08-22T16:36:46.605Z]          │   ├── inotify v0.7.0

[2021-08-22T16:36:46.605Z]          │   │   └── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)

[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)

[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22 (*)

[2021-08-22T16:36:46.605Z]          ├── tokio-fs v0.1.7

[2021-08-22T16:36:46.605Z]          │   └── tokio v0.1.22 (*)

[2021-08-22T16:36:46.605Z]          └── warp v0.1.22 (*)


Subtasks 1 (0 open1 closed)

Bug #19835: Data race in crossbeam-deque - 6.2ReleasedBenoît PECCATTEActions
Actions #1

Updated by Alexis Mousset over 3 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/3842
Actions #3

Updated by Alexis Mousset over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Vincent MEMBRÉ over 3 years ago

  • Fix check changed from To do to Checked
Actions #5

Updated by Vincent MEMBRÉ over 3 years ago

This bug has been fixed in Rudder 6.1.16 and 6.2.10 which were released today.

Actions #6

Updated by Alexis Mousset over 2 years ago

  • Target version changed from 6.1.16 to 6.2.16
Actions #7

Updated by Alexis Mousset over 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.2.16, 7.0.5 and 7.1.3 which were released today.

Actions

Also available in: Atom PDF