@paolobarbolini
Contributor

Adds the advisory for jeromefroe/lru-rs#224.

@jeromefroe let us know if you are ok with this.

@djc merged commit a433b78 into rustsec:main Jan 7, 2026
1 check passed
@alamb
Contributor

alamb commented Jan 7, 2026

Can someone please update the advisory to explain more about what the impact of the issue is, to help downstream users evaluate if they are affected by the issue? Specifically, the PR jeromefroe/lru-rs#224 says:

> This invalidates the pointer held within KeyWrapper by the HashMap, but the HashMap still holds and accesses it on subsequent reads or writes to the LRU, which is unsound.

What possible exploit / corruption is possible due to this unsoundness? The PR points out that MIRI calls out a potential issue, but the implications are hard to understand.

Is the idea that anything using IterMut on an LRU cache to iterate and mutate the contents can cause memory corruption?

@paolobarbolini
Contributor Author

AFAIK (not a Stacked Borrows expert) on current compilers this should not lead to UB, which is why I marked it as informational = "unsound".

@alamb
Contributor

alamb commented Jan 7, 2026

> AFAIK (not a Stacked Borrows expert) on current compilers this should not lead to UB, which is why I marked it as informational = "unsound".

I see -- if that is the case, then I think this is another example of contributing to a low signal-to-noise ratio in the advisory database:
