Module cve_rs::buffer_overflow


A memory-safe buffer overflow.

We use a soundness hole in lifetime checking to extend an arbitrary lifetime to 'static, without any `unsafe`. See https://github.com/rust-lang/rust/issues/25860.

We allocate a 10-byte slice on the heap, full of zeroes, use the soundness hole to obtain a mutable 'static reference to it, and then drop the slice. We then allocate a new 5-byte slice on the heap, full of ones, and print the contents of both the new slice and the old (now dangling) one. We then write 3s through the original 10-byte reference and once again print the contents of both slices, showing that we wrote out of bounds of the 5-byte slice.

This completely memory-safe not-an-exploit works because the second heap allocation lands at the address the first one occupied. The first buffer is dropped, but we keep a reference to it. When the 5-byte buffer is allocated, the allocator hands back the block the 10-byte buffer was just freed from, so our stale reference now points at the new buffer. A slice reference carries its length, and ours still carries the old one, 10 bytes, so filling the slice through that reference writes 10 bytes into a 5-byte buffer. Nothing guarantees the reuse: the demo relies on both sizes falling into the same small size class, which is how the common allocators behave, and if the block is not reused the write lands in a free chunk instead.

Functions

  • We create a 'static reference to a dropped, 10-byte buffer, then create a 5-byte buffer in its place. When we write to the buffer through our old reference, Rust still believes the buffer is 10 bytes long and writes 10 bytes into our 5-byte buffer.