Bug #19833

closed

Data race in crossbeam-deque

Added by Alexis Mousset over 3 years ago. Updated over 2 years ago.

Status: Released
Priority: N/A
Category: Relay server or API
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:

Description

error[A001]: Data race in crossbeam-deque
[2021-08-22T16:36:46.604Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_6.1/relay/sources/relayd/Cargo.lock:37:1
[2021-08-22T16:36:46.604Z]    │
[2021-08-22T16:36:46.604Z] 37 │ crossbeam-deque 0.7.3 registry+https://github.com/rust-lang/crates.io-index
[2021-08-22T16:36:46.604Z]    │ --------------------------------------------------------------------------- security vulnerability detected
[2021-08-22T16:36:46.604Z]    │
[2021-08-22T16:36:46.604Z]    = ID: RUSTSEC-2021-0093
[2021-08-22T16:36:46.604Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0093
[2021-08-22T16:36:46.604Z]    = In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.
[2021-08-22T16:36:46.604Z]      
[2021-08-22T16:36:46.604Z]      Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.
[2021-08-22T16:36:46.604Z]      
[2021-08-22T16:36:46.604Z]      Credits to @kmaork for discovering, reporting and fixing the bug.
[2021-08-22T16:36:46.605Z]    = Announcement: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
[2021-08-22T16:36:46.605Z]    = Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
[2021-08-22T16:36:46.605Z]    = crossbeam-deque v0.7.3
[2021-08-22T16:36:46.605Z]      ├── rayon v1.3.0
[2021-08-22T16:36:46.605Z]      │   └── criterion v0.3.2
[2021-08-22T16:36:46.605Z]      │       └── (dev) relayd v0.0.0-dev
[2021-08-22T16:36:46.605Z]      ├── rayon-core v1.7.0
[2021-08-22T16:36:46.605Z]      │   └── rayon v1.3.0 (*)
[2021-08-22T16:36:46.605Z]      └── tokio-threadpool v0.1.18
[2021-08-22T16:36:46.605Z]          ├── hyper v0.12.36
[2021-08-22T16:36:46.605Z]          │   ├── hyper-tls v0.3.2
[2021-08-22T16:36:46.605Z]          │   │   └── reqwest v0.9.24
[2021-08-22T16:36:46.605Z]          │   │       └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22
[2021-08-22T16:36:46.605Z]          │       └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          ├── tokio v0.1.22
[2021-08-22T16:36:46.605Z]          │   ├── hyper v0.12.36 (*)
[2021-08-22T16:36:46.605Z]          │   ├── inotify v0.7.0
[2021-08-22T16:36:46.605Z]          │   │   └── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── relayd v0.0.0-dev (*)
[2021-08-22T16:36:46.605Z]          │   ├── reqwest v0.9.24 (*)
[2021-08-22T16:36:46.605Z]          │   └── warp v0.1.22 (*)
[2021-08-22T16:36:46.605Z]          ├── tokio-fs v0.1.7
[2021-08-22T16:36:46.605Z]          │   └── tokio v0.1.22 (*)
[2021-08-22T16:36:46.605Z]          └── warp v0.1.22 (*)


Subtasks: 1 (0 open, 1 closed)

Bug #19835: Data race in crossbeam-deque - 6.2 (Status: Released; Benoît PECCATTE)