{"ecosystem":"cargo","package":"tracing","version":null,"bugs":[{"id":885,"ecosystem":"cargo","package_name":"tracing","affected_version":"0.1.38-0","fixed_version":"0.1.40","bug_id":"osv:RUSTSEC-2023-0078","title":"Potential stack use-after-free in `Instrumented::into_inner`","description":"The implementation of the [`Instrumented::into_inner`] method in affected\nversions of this crate contains undefined behavior due to incorrect use of\n[`std::mem::forget`] The function creates `*const` pointers to `self`, calls\n[`mem::forget(self)`][`std::mem::forget`], and then moves values out of those\npointers using [`std::ptr::read`].\n\n```rust\n// To manually destructure `Instrumented` without `Drop`, we\n// move it into a ManuallyDrop and use pointers to its fields\nlet span: *const Span = &this.span;\nlet inner: *const ManuallyDrop<T> = &this.inner;\nmem::forget(self);\n// SAFETY: Those pointers are valid for reads, because `Drop` didn't\n//         run, and properly aligned, because `Instrumented` isn't\n//         `#[repr(packed)]`.\nlet _span = unsafe { span.read() };\nlet inner = unsafe { inner.read() };\n```\n\nHowever, the [`mem::forget` documentation][`std::mem::forget`] states:\n\n> Any resources the value manages, such as heap memory or a file handle, will\n> linger forever in an unreachable state. **However, it does not guarantee that\n> pointers to this memory will remain valid.**\n\nThis means that these pointers are no longer valid. This could result in a stack\nuse-after-free if LLVM chooses to reuse `self`'s stack slot for a rebinding\nafter the call to [`std::mem::forget`].\n\nThis undefined behavior has not been observed to cause miscompilation as of Rust\n1.73.0. However, any use of this method with the affected versions of `tracing`\nare unsound.\n\nThe flaw was corrected in commit [20a1762] ([PR #2765]) by replacing the use of\n[`std::mem::forget`] with `std::mem::ManuallyDrop`, ensuring that the stack slot\nis not reused and the pointers remain valid when they are read. The fix is\npublished in `tracing` [v0.1.40]. Affected versions have been yanked from\ncrates.io.\n\nThanks to [Taylor Cramer] and [Manish Goregaokar] for finding and correcting\nthis issue!\n\n[`Instrumented::into_inner`]:\n    https://docs.rs/tracing/latest/tracing/instrument/struct.Instrumented.html#method.into_inner\n[`std::mem::forget`]: https://doc.rust-lang.org/std/mem/fn.forget.html\n[`std::ptr::read`]:\n    https://doc.rust-lang.org/std/primitive.pointer.html#method.read-1\n[20a1762]:\n    https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721\n[PR #2765]: https://github.com/tokio-rs/tracing/pull/2765\n[v0.1.40]: https://crates.io/crates/tracing/0.1.40\n[Taylor Cramer]: https://github.com/cramertj\n[Manish Goregaokar]: https://github.com/manishearth","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tracing","labels":["GHSA-8f24-6m29-wm2r"],"created_at":"2026-04-19 04:32:04.214564+00:00","updated_at":"2026-04-19 04:32:04.214564+00:00"},{"id":884,"ecosystem":"cargo","package_name":"tracing","affected_version":"0.1.38","fixed_version":"0.1.40","bug_id":"osv:GHSA-8f24-6m29-wm2r","title":"use-after-free in tracing","description":"The implementation of the [`Instrumented::into_inner`] method in affected versions of this crate contains undefined behavior due to incorrect use of [`std::mem::forget`] The function creates `*const` pointers to `self`, calls [`mem::forget(self)`][`std::mem::forget`], and then moves values out of those pointers using [`std::ptr::read`].\n\n```rust\n// To manually destructure `Instrumented` without `Drop`, we\n// move it into a ManuallyDrop and use pointers to its fields\nlet span: *const Span = &this.span;\nlet inner: *const ManuallyDrop<T> = &this.inner;\nmem::forget(self);\n// SAFETY: Those pointers are valid for reads, because `Drop` didn't\n//         run, and properly aligned, because `Instrumented` isn't\n//         `#[repr(packed)]`.\nlet _span = unsafe { span.read() };\nlet inner = unsafe { inner.read() };\n```\n\nHowever, the [`mem::forget` documentation][`std::mem::forget`] states:\n\n> Any resources the value manages, such as heap memory or a file handle, will\n> linger forever in an unreachable state. **However, it does not guarantee that\n> pointers to this memory will remain valid.**\n\nThis means that these pointers are no longer valid. This could result in a stack use-after-free if LLVM chooses to reuse `self`'s stack slot for a rebinding after the call to [`std::mem::forget`].\n\nThis undefined behavior has not been observed to cause miscompilation as of Rust 1.73.0. However, any use of this method with the affected versions of `tracing` are unsound.\n\nThe flaw was corrected in commit [20a1762] ([PR #2765]) by replacing the use of [`std::mem::forget`] with `std::mem::ManuallyDrop`, ensuring that the stack slot is not reused and the pointers remain valid when they are read. The fix is\npublished in `tracing` [v0.1.40]. Affected versions have been yanked from crates.io.\n\nThanks to [Taylor Cramer] and [Manish Goregaokar] for finding and correcting\nthis issue!\n\n[`Instrumented::into_inner`]:\n    https://docs.rs/tracing/latest/tracing/instrument/struct.Instrumented.html#method.into_inner\n[`std::mem::forget`]: https://doc.rust-lang.org/std/mem/fn.forget.html\n[`std::ptr::read`]:\n    https://doc.rust-lang.org/std/primitive.pointer.html#method.read-1\n[20a1762]:\n    https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721\n[PR #2765]: https://github.com/tokio-rs/tracing/pull/2765\n[v0.1.40]: https://crates.io/crates/tracing/0.1.40\n[Taylor Cramer]: https://github.com/cramertj\n[Manish Goregaokar]: https://github.com/manishearth\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tokio-rs/tracing/pull/2765","labels":["RUSTSEC-2023-0078"],"created_at":"2026-04-19 04:32:04.213445+00:00","updated_at":"2026-04-19 04:32:04.213445+00:00"}],"total":2,"_cache":"hit"}