CVE-2020-35891

HIGH 7.5 / 10.0
Published: December 31, 2020 at 10:15 AM
Modified: November 21, 2024 at 05:28 AM
Source: cve@mitre.org

Vulnerability Description

An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via a remove() double free.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The ordnung crate for Rust, in releases through 2020-09-03, contains a double free in the remove() method of its compact::Vec type. A double free is undefined behaviour: the same heap allocation is handed back to the allocator twice, which corrupts allocator state and typically ends in an abort or crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores this as an unauthenticated, network-reachable availability impact with no confidentiality or integrity impact, which is why the severity is HIGH rather than CRITICAL. Nothing on this page establishes that the bug can be escalated to code execution or information disclosure; those outcomes are not what the score reflects.

02 // Vulnerability Mechanism

Step 1: Setup: A program stores owned values (elements whose Drop impl releases memory, such as String or Box<T>) in an ordnung compact::Vec, which is the crate's small-vector type implemented with unsafe code.

Step 2: Trigger: The program calls remove() on that compact::Vec. The advisory names this method as the faulty path; the exact index pattern or element count needed is not given on this page.

Step 3: Ownership error: In the general shape of this bug class, remove() hands the removed element to the caller as its return value while the container's internal bookkeeping still treats that slot (or a bitwise copy of it left behind by shifting the tail) as a live element. The same value is therefore dropped twice: once by the caller and once by the Vec's destructor or a later operation on the Vec.

Step 4: Heap corruption: Freeing one allocation twice corrupts the allocator's metadata. Modern allocators often detect an immediate double free and abort the process (glibc, for example, reports "double free detected"), which is the denial-of-service impact the CVSS vector scores as A:H.

Step 5: Further exploitation: Turning a double free into arbitrary code execution requires attacker control over allocation patterns and the type of the doubly freed object. This page provides no evidence of that for ordnung, and the vector rates confidentiality and integrity impact as none, so code execution should be treated as unproven rather than assumed.

03 // Deep Technical Analysis

The vulnerability lies in the compact::Vec implementation of the ordnung crate, specifically in remove(). compact::Vec manages its storage with unsafe code, so Rust's usual ownership guarantees hold only as long as that code maintains the invariant that each element has exactly one owner at every moment. The advisory reports that remove() breaks this invariant: under some conditions the removed element ends up both returned to the caller and still considered owned by the container, so it is dropped (and, for heap-owning types, freed) twice. Because the safe public API lets callers reach the faulty path, a program that uses compact::Vec correctly by the rules of safe Rust can still hit undefined behaviour. The consequence that the CVSS vector scores is a crash of the affected process; memory corruption beyond that is possible in principle but not demonstrated here. The remediation is to move off the affected releases (those through 2020-09-03) and, more generally, to run unsafe container code under Miri or a sanitizer, where a double drop of this kind is reported directly.
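The following Rust program is an added example for the mechanism described in sections 02 and 03; it is not ordnung's code and does not reproduce the exact code path in compact::Vec, which this page does not give. It builds a minimal raw-pointer vector (MiniVec, a hypothetical name) with a correct remove() next to a deliberately broken remove_double_drop() that forgets to shrink the length after shifting the tail, so the container drops a bitwise duplicate of the last element. Element drops are logged through a tracked type so the double drop is visible as a repeated id instead of an allocator abort.

```rust
use std::alloc::{alloc, dealloc, Layout};
use std::cell::RefCell;
use std::ptr;

// Drop log: each element records its id when dropped. A correct container
// drops every element exactly once, so a repeated id means a double drop.
thread_local! {
    static DROPS: RefCell<Vec<u32>> = RefCell::new(Vec::new());
}

struct Tracked(u32);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.with(|d| d.borrow_mut().push(self.0));
    }
}

// Minimal fixed-capacity heap vector (hypothetical, not ordnung's compact::Vec).
struct MiniVec<T> {
    ptr: *mut T,
    cap: usize,
    len: usize,
}

impl<T> MiniVec<T> {
    fn with_capacity(cap: usize) -> Self {
        assert!(cap > 0 && std::mem::size_of::<T>() > 0);
        let layout = Layout::array::<T>(cap).unwrap();
        let ptr = unsafe { alloc(layout) as *mut T };
        assert!(!ptr.is_null(), "allocation failed");
        MiniVec { ptr, cap, len: 0 }
    }

    fn push(&mut self, value: T) {
        assert!(self.len < self.cap, "capacity exhausted");
        unsafe { ptr::write(self.ptr.add(self.len), value) };
        self.len += 1;
    }

    // Correct remove: move the element out, shift the tail down by one,
    // and shrink len so the vacated slot is never dropped by the container.
    fn remove(&mut self, index: usize) -> T {
        assert!(index < self.len, "index out of bounds");
        unsafe {
            let slot = self.ptr.add(index);
            let ret = ptr::read(slot);
            ptr::copy(slot.add(1), slot, self.len - index - 1);
            self.len -= 1;
            ret
        }
    }

    // Deliberately buggy remove (models the bug class, not ordnung's code):
    // identical except len is never decremented, so the container still
    // believes it owns `len` live elements and Drop frees the stale copy too.
    fn remove_double_drop(&mut self, index: usize) -> T {
        assert!(index < self.len, "index out of bounds");
        unsafe {
            let slot = self.ptr.add(index);
            let ret = ptr::read(slot);
            ptr::copy(slot.add(1), slot, self.len - index - 1);
            ret
        }
    }
}

impl<T> Drop for MiniVec<T> {
    fn drop(&mut self) {
        unsafe {
            // Drop the elements the container believes it owns, then free storage.
            ptr::drop_in_place(ptr::slice_from_raw_parts_mut(self.ptr, self.len));
            dealloc(self.ptr as *mut u8, Layout::array::<T>(self.cap).unwrap());
        }
    }
}

/// Constructed scenario: push ids 10, 20, 30, remove index 1 with the chosen
/// method, drop everything, and return (sorted dropped ids, double drop seen?).
fn run(buggy: bool) -> (Vec<u32>, bool) {
    DROPS.with(|d| d.borrow_mut().clear());
    {
        let mut v = MiniVec::with_capacity(4);
        v.push(Tracked(10));
        v.push(Tracked(20));
        v.push(Tracked(30));
        let removed = if buggy { v.remove_double_drop(1) } else { v.remove(1) };
        assert_eq!(removed.0, 20);
        // `removed` and `v` both go out of scope here.
    }
    let mut drops = DROPS.with(|d| d.borrow().clone());
    drops.sort_unstable();
    let double = drops.windows(2).any(|w| w[0] == w[1]);
    (drops, double)
}

fn main() {
    println!("correct remove: {:?}", run(false));
    println!("buggy remove:   {:?}", run(true));
}
```

The tracked type holds only an integer so the doubly dropped value cannot touch the allocator; with a heap-owning element such as String the buggy variant would free the same buffer twice and, on glibc, usually abort with a double-free report, which is the availability impact the advisory's CVSS vector describes. Running the program under Miri flags the second drop as undefined behaviour directly.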
