CVE-2020-35895

CRITICAL 9.8 / 10.0
Published: December 31, 2020 at 10:15 AM
Modified: November 21, 2024 at 05:28 AM
Source: cve@mitre.org

Vulnerability Description

An issue was discovered in the stack crate before 0.3.1 for Rust. ArrayVec has an out-of-bounds write via element insertion.

CVSS Metrics

Base Score: 9.8
Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

CVE-2020-35895 is a critical vulnerability in the stack crate for Rust: element insertion into its ArrayVec data structure can write outside the allocated buffer. Depending on how the vulnerable crate is used within an application, this can lead to arbitrary code execution, denial of service, or information disclosure.

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify applications that use the vulnerable stack crate (versions before 0.3.1) and specifically employ the ArrayVec data structure.

Step 2: Input Manipulation: Craft a malicious input that triggers the out-of-bounds write during an element insertion operation. This involves providing an index or a sequence of insertions that, due to the flawed bounds checking, results in writing data outside the allocated buffer.

Step 3: Triggering the Vulnerability: Execute the crafted input within the application, causing the ArrayVec to attempt an out-of-bounds write.

Step 4: Memory Corruption: The out-of-bounds write overwrites adjacent memory, potentially corrupting other data structures, function pointers, or sensitive data.

Step 5: Exploitation (Payload Delivery): Depending on the memory layout and the overwritten data, the attacker can achieve various goals, such as arbitrary code execution by overwriting a function pointer, denial of service by corrupting critical data, or information disclosure by reading sensitive data.

03 // Deep Technical Analysis

The vulnerability stems from incorrect bounds checking (or an integer overflow in a size calculation) in the ArrayVec's element insertion logic. When an element is inserted, the code fails to properly validate the index or the resulting length against the fixed capacity, so the write lands beyond the allocated buffer. The root cause is most likely a missing or flawed check in the index or size validation of the ArrayVec's insert or similar method. Because the buffer is fixed-capacity and typically inline, the overflow overwrites adjacent memory, which can corrupt other data structures, hijack control flow, or leak sensitive information.
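As an added example that is not the stack crate's own code, the following minimal fixed-capacity vector (hypothetical `FixedVec` and `InsertError` names) shows the two checks an insert path has to run before it touches its backing array, returning an error instead of writing past the buffer when either check fails.

```rust
/// Errors returned instead of performing an out-of-bounds write.
#[derive(Debug, PartialEq, Eq)]
pub enum InsertError {
    /// The vector already holds `N` elements; there is no room for another.
    CapacityExceeded,
    /// `index` exceeds the current length, so the element would not be
    /// contiguous with the initialised prefix.
    IndexOutOfBounds { index: usize, len: usize },
}

/// Hypothetical minimal fixed-capacity vector backed by an inline array.
/// `len` counts the initialised prefix of `buf`; it must never exceed `N`.
pub struct FixedVec<T: Copy + Default, const N: usize> {
    buf: [T; N],
    len: usize,
}

impl<T: Copy + Default, const N: usize> FixedVec<T, N> {
    pub fn new() -> Self {
        Self { buf: [T::default(); N], len: 0 }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    pub fn as_slice(&self) -> &[T] {
        &self.buf[..self.len]
    }

    /// Insert `value` at `index`, shifting later elements one slot right.
    /// Both checks run before any write touches `buf`. Omitting the
    /// capacity check is the kind of flaw that lets `len` grow past `N`
    /// and the shift write beyond the end of the array.
    pub fn try_insert(&mut self, index: usize, value: T) -> Result<(), InsertError> {
        if self.len >= N {
            return Err(InsertError::CapacityExceeded);
        }
        if index > self.len {
            return Err(InsertError::IndexOutOfBounds { index, len: self.len });
        }
        // The highest slot written by the shift is `self.len`, which the
        // capacity check above guarantees is a valid index (< N).
        self.buf.copy_within(index..self.len, index + 1);
        self.buf[index] = value;
        self.len += 1;
        Ok(())
    }
}
```

Because both checks precede any write, a caller that keeps inserting past capacity receives `CapacityExceeded` and `len` never exceeds `N`, so the shift can never address a slot beyond the array.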

CVE-2020-35895 - CRITICAL Severity (9.8) | Free CVE Database | 4nuxd