fix(deps): update rust crate tracing to v0.1.40 [security]#127

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/crate-tracing-vulnerability
Conversation

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package            Type              Update   Change
tracing (source)   dependencies      patch    0.1.37 -> 0.1.40
tracing (source)   dev-dependencies  patch    0.1.37 -> 0.1.40

use-after-free in tracing

GHSA-8f24-6m29-wm2r

More information

Details

The implementation of the Instrumented::into_inner method in affected versions of this crate contains undefined behavior due to incorrect use of std::mem::forget. The function creates *const pointers to self, calls mem::forget(self), and then moves values out of those pointers using std::ptr::read.

// To manually destructure `Instrumented` without `Drop`, we
// move it into a ManuallyDrop and use pointers to its fields
let span: *const Span = &this.span;
let inner: *const ManuallyDrop<T> = &this.inner;
mem::forget(self);
// SAFETY: Those pointers are valid for reads, because `Drop` didn't
//         run, and properly aligned, because `Instrumented` isn't
//         `#[repr(packed)]`.
let _span = unsafe { span.read() };
let inner = unsafe { inner.read() };

However, the mem::forget documentation states:

Any resources the value manages, such as heap memory or a file handle, will
linger forever in an unreachable state. However, it does not guarantee that
pointers to this memory will remain valid.

This means that these pointers are no longer valid. This could result in a stack use-after-free if LLVM chooses to reuse self's stack slot for a rebinding after the call to std::mem::forget.

This undefined behavior has not been observed to cause miscompilation as of Rust 1.73.0. However, any use of this method with the affected versions of tracing is unsound.

The flaw was corrected in commit 20a1762 (PR #2765) by replacing the use of std::mem::forget with std::mem::ManuallyDrop, ensuring that the stack slot is not reused and the pointers remain valid when they are read. The fix is published in tracing v0.1.40. Affected versions have been yanked from crates.io.

Thanks to Taylor Cramer and Manish Goregaokar for finding and correcting this issue!

Severity

Medium

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tokio-rs/tracing (tracing)

v0.1.40: tracing 0.1.40

This release fixes a potential stack use-after-free in the Instrument::into_inner method. Only uses of this method are affected by this bug.

Fixed
  • Use mem::ManuallyDrop instead of mem::forget in Instrument::into_inner (#2765)

Thanks to @cramertj and @manishearth for finding and fixing this issue!

v0.1.39: tracing 0.1.39

This release adds several additional features to the tracing macros. In addition, it updates the tracing-core dependency to v0.1.32 and the tracing-attributes dependency to v0.1.27.

Added
  • Allow constant field names in macros (#2617)
  • Allow setting event names in macros (#2699)
  • core: Allow ValueSets of any length (#2508)
Changed
  • tracing-attributes: updated to 0.1.27
  • tracing-core: updated to 0.1.32
  • attributes: Bump minimum version of proc-macro2 to 1.0.60 (#2732)
  • attributes: Generate less dead code for async block return type hint (#2709)
Fixed
  • Use fully qualified names in macros for items exported from std prelude (#2621, #2757)
  • attributes: Allow clippy::let_with_type_underscore in macro-generated code (#2609)
  • attributes: Allow unknown_lints in macro-generated code (#2626)
  • attributes: Fix a compilation error in #[instrument] when the "log" feature is enabled (#2599)
Documented
  • Add axum-insights to relevant crates (#2713)
  • Fix link to RAI pattern crate documentation (#2612)
  • Fix docs typos and warnings (#2581)
  • Add clippy-tracing to related crates (#2628)
  • Add tracing-cloudwatch to related crates (#2667)
  • Fix dead link to tracing-etw repo (#2602)

v0.1.38: tracing 0.1.38

This tracing release changes the Drop implementation for Instrumented Futures so that the attached Span is entered when dropping the Future. This means that events emitted by the Future's Drop implementation will now be recorded within its Span. It also adds #[inline] hints to methods called in the event! macro's expansion, for an improvement in both binary size and performance.

Additionally, this release updates the tracing-attributes dependency to v0.1.24, which updates the syn dependency to v2.x.x. tracing-attributes v0.1.24 also includes improvements to the #[instrument] macro; see the tracing-attributes 0.1.24 release notes for details.

Added
  • Instrumented futures will now enter the attached Span in their Drop implementation, allowing events emitted when dropping the future to occur within the span (#2562)
  • #[inline] attributes for methods called by the event! macros, making generated code smaller (#2555)
  • attributes: level argument to #[instrument(err)] and #[instrument(ret)] to override the level of the generated return value event (#2335)
  • attributes: Improved compiler error message when #[instrument] is added to a const fn (#2418)
Changed
  • tracing-attributes: updated to 0.1.24
  • Removed unneeded cfg-if dependency (#2553)
  • attributes: Updated syn dependency to 2.0 (#2516)
Fixed
  • attributes: Fix clippy::unreachable warnings in #[instrument]-generated code (#2356)
  • attributes: Removed unused "visit" feature flag from syn dependency (#2530)
Documented
  • attributes: Documented default level for #[instrument(err)] (#2433)
  • attributes: Improved documentation for levels in #[instrument] (#2350)

Thanks to @nitnelave, @jsgf, @Abhicodes-crypto, @LukeMathWalker, @andrewpollack, @quad, @klensy, @davidpdrsn, @dbidwell94, @ldm0, @NobodyXu, @ilsv, and @daxpedda for contributing to this release!


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
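The advisory above describes why `mem::forget(self)` followed by `ptr::read` of the fields is unsound, and that the fix keeps `self` alive inside a `ManuallyDrop` while the fields are read out. The following is an added example, not code from tracing or from this PR: a hypothetical `Wrapper<T>` with its own `Drop` impl (standing in for `Instrumented<T>`) and a `Tracked` field (standing in for `Span`), whose `into_inner` uses the post-fix `ManuallyDrop` pattern. Drop counters let you verify that the wrapper's `Drop` is skipped while the field's own `Drop` still runs exactly once.

```rust
use std::mem::ManuallyDrop;
use std::sync::atomic::{AtomicUsize, Ordering};

// Drop counter so the behaviour of `into_inner` can be checked:
// `Tracked::drop` adds 1, `Wrapper::drop` adds 100.
static DROPS: AtomicUsize = AtomicUsize::new(0);

// Hypothetical stand-in for `Span`: a field with a Drop impl of its own.
pub struct Tracked(pub &'static str);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

// Hypothetical stand-in for `Instrumented<T>`. Because it implements Drop,
// `self.inner` cannot simply be moved out in a method taking `self`.
pub struct Wrapper<T> {
    pub inner: T,
    pub span: Tracked,
}

impl<T> Drop for Wrapper<T> {
    fn drop(&mut self) {
        DROPS.fetch_add(100, Ordering::SeqCst);
    }
}

impl<T> Wrapper<T> {
    /// Destructure without running `Wrapper::drop`, using the fixed pattern:
    /// `self` is moved into a `ManuallyDrop`, so it stays alive (and its
    /// stack slot stays reserved) for as long as the raw pointers are read.
    /// `mem::forget(self)` would end `self`'s lifetime before the reads.
    pub fn into_inner(self) -> T {
        let this = ManuallyDrop::new(self);
        let span: *const Tracked = &this.span;
        let inner: *const T = &this.inner;
        // SAFETY: `this` lives until the end of this function, so both
        // pointers are valid for reads and properly aligned; each field is
        // read exactly once, and `Wrapper::drop` never runs on `this`.
        let span = unsafe { span.read() };
        let inner = unsafe { inner.read() };
        drop(span); // the field's own Drop runs here, once
        inner
    }
}

pub fn drops_so_far() -> usize {
    DROPS.load(Ordering::SeqCst)
}
```

Running the same program under Miri (`cargo +nightly miri test`) is the practical way to confirm there is no use-after-free; the `mem::forget` variant is flagged there even though it happens to work on stable today.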

@renovate renovate Bot requested review from a team and dezren39 as code owners April 15, 2026 09:52