CVSS: 6.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

CVE-2024-43806 – `rustix::fs::Dir` iterator with the `linux_raw` backend can cause memory explosion
https://notcve.org/view.php?id=CVE-2024-43806
26 Aug 2024 — Rustix is a set of safe Rust bindings to POSIX-ish APIs. When `rustix::fs::Dir` is used with the `linux_raw` backend, the iterator can "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this can cause quick and unbounded memory explosion (gigabytes in a few seconds if used on a hot path) and eventually lead to an OOM crash of the application. The symptoms were initially discovered in https://github.com/imsnif/bandwhich/i... • https://github.com/bytecodealliance/rustix/security/advisories/GHSA-c827-hfw6-qwvm • CWE-400: Uncontrolled Resource Consumption