CVE-2020-35907

Description

Affected versions of the crate used a `UnsafeCell` in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread. This resulted in a segmentation fault crash if `Waker::wake_by_ref()` was called on a waker returned from another thread due to it attempting to dereference a pointer that wasn't accessible from the main thread. Reproduction Example (from issue): ```rust use futures_task::noop_waker_ref; fn main() { let waker = std::thread::spawn(|| noop_waker_ref()).join().unwrap(); waker.wake_by_ref(); } ``` The flaw was corrected by using a `OnceCell::Lazy<>` wrapper around the noop waker instead of thread-local storage.

Affected packages (2)

• crates.io/futures-taskfrom 0, < 0.3.5
• crates.io/futures-task>= 0.0.0-0, < 0.3.5

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35907
• PATCHhttps://crates.io/crates/futures-task
• PATCHhttps://github.com/rust-lang/futures-rs
• WEBhttps://github.com/rust-lang/futures-rs/issues/2091
• WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0061.html