You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the unique reclaim path of BytesMut::reserve, the condition
if v_capacity >= new_cap + offset
uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
use bytes::*;fnmain(){letmut a = BytesMut::from(&b"hello world"[..]);letmut b = a.split_off(5);// Ensure b becomes the unique owner of the backing storagedrop(a);// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');}
Workarounds
Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: executor/Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path executor/Cargo.toml --package bytes@1.11.0 --precise 1.11.1
Updating crates.io index
error: failed to get `wasmparser` as a dependency of package `genvm v0.1.0 (/tmp/renovate/repos/github/genlayerlabs/genvm/executor)`
Caused by:
failed to load source for dependency `wasmparser`
Caused by:
Unable to update /tmp/renovate/repos/github/genlayerlabs/genvm/executor/third-party/wasm-tools/crates/wasmparser
Caused by:
failed to read `/tmp/renovate/repos/github/genlayerlabs/genvm/executor/third-party/wasm-tools/crates/wasmparser/Cargo.toml`
Caused by:
No such file or directory (os error 2)
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.
To trigger a single review, invoke the @coderabbitai review command.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
🔍 Trigger a full review
Comment @coderabbitai help to get the list of available commands and usage tips.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.11.0→1.11.1Integer overflow in
BytesMut::reserveRUSTSEC-2026-0007
More information
Details
In the unique reclaim path of
BytesMut::reserve, the conditionif v_capacity >= new_cap + offsetuses an unchecked addition. When
new_cap + offsetoverflowsusizein release builds, this condition may incorrectly pass, causingself.capto be set to a value that exceeds the actual allocated capacity. Subsequent APIs such asspare_capacity_mut()then trust this corruptedcapvalue and may create out-of-bounds slices, leading to UB.This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
Workarounds
Users of
BytesMut::reserveare only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.Severity
Unknown
References
This data is provided by OSV and the Rust Advisory Database (CC0 1.0).
Release Notes
tokio-rs/bytes (bytes)
v1.11.1Compare Source
BytesMut::reserveConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.