arr! unsoundness

[jswrenn]

The arr! macro silently and unsoundly extends arbitrary lifetimes to 'static (playground):

fn unsound_lifetime_extension<'a, A>(a: &'a A) -> &'static A {
  arr![&A; a][0]
}

[novacrazy]

Hmm. This is more problematic than I expected.

What's happening is that &A being sent into a macro is not turned into a concrete type until the macro has generated the code. For the above, it generates this code:

unsafe { transmute::<[&A; 1], GenericArray<&A, 1>>([a]) }

and then the lifetimes are filled in on either side of the transmute using 'a and 'static via lifetime elusion, but transmuting does allow it to be changed incorrectly.

What I need to figure out is how to ensure &'_ A == &'_ A without disrupting lifetime elusion entirely.

For example,

type T = $T;
unsafe { transmute::<[T; 1], GenericArray<T, 1>>([a]) }

ensures that the input and output element types are the exact same, including lifetimes. However, it disables lifetime elusion entirely, so no structs with lifetimes can be passed unless the type includes the (often anonymous) lifetime. So that's a no-go.

Furthermore, because const-generics aren't a thing yet, or else this library wouldn't still be used, I cannot perform the transmute within a closed-form function that would otherwise ensure the input and output element types are the same.

[Shnatsel]

Heads up: this issue has been included in the RustSec advisory database. It will be surfaced by tools such as cargo-audit or cargo-deny from now on for affected versions of this crate.

[greyblake]

@Shnatsel
FYI, @fizyk20 just released patched old versions:

• 0.12.4
• 0.13.3
• 0.11.2
• 0.10.1
• 0.9.1

See:

• https://crates.io/crates/generic-array/versions
• Fixed lifetime unsoundness in arr macro. #99 (comment)

[fizyk20]

Still working on 0.8.4 (0.8.3 is also vulnerable), but it looks like crates.io is having some DNS issues (can't resolve static.crates.io... or is it just me?).

EDIT: Nevermind, looks like it was just me. I switched to different DNS servers and managed to push 0.8.4, too.

[greyblake]

@fizyk20 Looks good to me!

Thank you!
I opened PR to RustSec: rustsec/advisory-db#789

[mbrubeck]

PSA: Now that the fix has been backported to all affected release branches, anyone affected by this can fix it by running:

cargo update -p generic-array

If your dependencies use multiple versions of generic-array, you may need to specify the exact version that you want to upgrade from. For example:

cargo update -p generic-array:0.12.3