CVE-2024-27308: Mio Metal I/O library for Rust vulnerability linked to Named Pipes on Windows

A vulnerability has been discovered in the Mio Metal I/O library for the Rust programming language when using named pipes on Windows. Under certain situations, Mio returns invalid tokens that correspond to named pipes that have been deregistered from the Mio registry, which may lead to various negative impacts. This issue is specific to the Windows operating system and only affects the usage of named pipes. Other I/O resources are not compromised. The vulnerability has been addressed in Mio v.8.11, and affected versions range from v.7.2 to v.8.10. Tokio, a popular asynchronous runtime for Rust built on top of Mio, is also vulnerable when using these impacted Mio versions in combination with Tokio v1.30..

Exploit Details

The root of this vulnerability is found in the way Mio handles named pipes on the Windows operating system. In certain circumstances, Mio will return invalid tokens, which may lead to applications experiencing issues like warnings, crashes, or even use-after-free errors. For users of Tokio utilizing vulnerable Mio versions as well as Tokio v1.30., this vulnerability could result in a serious use-after-free error.

Here's a code snippet illustrating how the issue may occur when using named pipes with the Mio library:

use mio::Token;
use mio_named_pipes::NamedPipe;

fn main() {
    let mio_registry = mio::Registry::new();

    let named_pipe = NamedPipe::new("mypipe").unwrap();
    let token = Token::from();
    mio_registry.register(&named_pipe, token, mio::interest::READABLE);

    // More code that deals with the named pipe...

    // Vulnerability occurs when the named pipe is deregistered
    // and an invalid token is returned
    mio_registry.deregister(&named_pipe).unwrap();
}

Prevention Measures

Library users can work around this issue by detecting and ignoring invalid tokens, as shown in the code snippet below:

fn handle_mio_event(event: mio::event::Event) {
    let token = event.token();
    if is_invalid_token(token) {
        // Invalid token, ignore it and proceed safely
        println!("Invalid token detected: {:?}", token);
        return;
    }

    // Continue processing the event with a valid token
}

To patch the vulnerability, users should update their Mio library to v.8.11 or later. In addition, Tokio users should make sure they are not using vulnerable Mio versions in tandem with Tokio v1.30..

Original References

- Mio GitHub Repository
- Mio v.8.11 Release Notes
- Tokio GitHub Repository
- tokio-rs CVE-2024-27308 Advisory

Conclusion

CVE-2024-27308 is a notable vulnerability in the Mio Metal I/O library for Rust when using named pipes on Windows, as it may result in invalid tokens being returned and potential risks like use-after-free errors. This issue may also impact Tokio, a popular asynchronous runtime built on Mio, if it employs vulnerable Mio versions along with Tokio v1.30.. To mitigate this issue, users should update the Mio library and Tokio, if applicable, to the appropriate versions, and consider employing a workaround to detect and ignore invalid tokens.

Timeline

Published on: 03/06/2024 20:15:47 UTC
Last modified on: 03/06/2024 21:42:48 UTC