Step 1: Initialization: The vulnerable simple-slab crate is initialized and used to allocate memory for objects.
Step 2: Object Insertion: Objects are inserted into the slab, filling available slots.
Step 3: Triggering the Vulnerability: The remove() function is called to deallocate a specific object. The off-by-one error in the index calculation within remove() is triggered.
Step 4: Memory Leak/Uninitialized Memory: Due to the off-by-one error, either memory is leaked, or memory is freed that was never initialized or is still in use.
Step 5: Exploitation (Information Disclosure): If uninitialized memory is freed and then reused, an attacker can potentially read its contents and recover sensitive information. Whether this succeeds depends heavily on what the memory holds at the time of reuse.
Step 6: Exploitation (DoS): Repeated calls to remove() with the off-by-one error can lead to memory exhaustion and a denial-of-service condition, as the slab's memory management becomes corrupted.
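The remove() defect described in the steps above, as an added illustration that is not the simple-slab crate's own code: a toy slab with an off-by-one bounds check next to a hardened remove() that also rejects freeing a slot that is not occupied. The exact shape of the bug (a `>` where `>=` was needed) is an assumption; with safe Vec indexing the off-by-one shows up as a panic (the DoS case of step 6) rather than as a free of memory outside the slab.

```rust
// Added illustration, not the simple-slab crate's own code: a toy slab whose
// remove() bounds check is off by one, next to a hardened remove() that also
// refuses to free a slot that is not currently occupied (steps 3 and 4 above).

#[derive(Debug, PartialEq)]
pub enum SlabError {
    OutOfRange,
    NotOccupied,
}

/// Each slot is either occupied (Some) or free (None); None doubles as the free list.
pub struct Slab {
    slots: Vec<Option<u32>>,
}

impl Slab {
    pub fn new() -> Self {
        Slab { slots: Vec::new() }
    }

    /// Reuse the first free slot, otherwise grow; returns the slot index.
    pub fn insert(&mut self, value: u32) -> usize {
        match self.slots.iter().position(|s| s.is_none()) {
            Some(i) => { self.slots[i] = Some(value); i }
            None => { self.slots.push(Some(value)); self.slots.len() - 1 }
        }
    }

    /// Vulnerable form (hypothetical): `>` instead of `>=` lets index == len
    /// through, which is one past the last slot. With safe Vec indexing that
    /// is a panic (DoS); a raw buffer would instead touch memory outside the slab.
    pub fn remove_off_by_one(&mut self, index: usize) -> Result<u32, SlabError> {
        if index > self.slots.len() {
            return Err(SlabError::OutOfRange);
        }
        self.slots[index].take().ok_or(SlabError::NotOccupied)
    }

    /// Hardened form: strict bound, and a free (never initialized or already
    /// freed) slot cannot be freed again, so stale indices are reported, not acted on.
    pub fn remove(&mut self, index: usize) -> Result<u32, SlabError> {
        if index >= self.slots.len() {
            return Err(SlabError::OutOfRange);
        }
        self.slots[index].take().ok_or(SlabError::NotOccupied)
    }

    pub fn len(&self) -> usize { self.slots.len() }
}
```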