You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello fellow Rustacean,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.
util::read_spv() method creates an uninitialized buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).
This part from the Read trait documentation explains the issue:
It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.
How to fix the issue?
The Naive & safe way to fix the issue is to always zero-initialize a buffer before lending it to a user-provided Read implementation. Note that this approach will add runtime performance overhead of zero-initializing the buffer.
As of Feb 2021, there is not yet an ideal fix that works with no performance overhead. Below are links to relevant discussions & suggestions for the fix.
This is an acceptable risk. As stated in the docs for the trait, read implementations should not attempt to read the data passed to them. If they do, that implementation needs to be fixed. If this crate was more sensitive (like an http framework or crypto lib) I’d probably clear it to be safe, but given where and how this code is used, I think it’s fine.
Data leakage is not the only consequence of using an uninitialized memory. The Rust compiler optimizes the code based on the assumption that the buffer is fully initialized. Thus, an uninitialized buffer can lead to a miscompilation and breaks the Rust's safety guarantee ("safe Rust code never causes memory safety error"). Such examples are provided in Ralf Jung's blog post "What The Hardware Does" is not What Your Program Does: Uninitialized Memory and "But how bad are undefined values really?" section of RFC 2930.
Hello fellow Rustacean,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.
Issue Description
skulpin/skulpin-renderer/src/util.rs
Lines 38 to 46 in 4a2ae27
util::read_spv()
method creates an uninitialized buffer and passes it to user-providedRead
implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).This part from the
Read
trait documentation explains the issue:How to fix the issue?
The Naive & safe way to fix the issue is to always zero-initialize a buffer before lending it to a user-provided
Read
implementation. Note that this approach will add runtime performance overhead of zero-initializing the buffer.As of Feb 2021, there is not yet an ideal fix that works with no performance overhead. Below are links to relevant discussions & suggestions for the fix.
The text was updated successfully, but these errors were encountered: