-
Notifications
You must be signed in to change notification settings - Fork 4
/
0012-ordnung.rs
100 lines (82 loc) · 3.52 KB
/
0012-ordnung.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
/*!
```rudra-poc
[target]
crate = "ordnung"
version = "0.0.1"
[report]
issue_url = "https://github.com/maciejhirsz/ordnung/issues/8"
issue_date = 2020-09-03
rustsec_url = "https://github.com/RustSec/advisory-db/pull/374"
rustsec_id = "RUSTSEC-2020-0038"
[[bugs]]
analyzer = "Manual"
guide = "UnsafeDestructor"
bug_class = "Other"
bug_count = 2
rudra_report_locations = []
[[bugs]]
analyzer = "UnsafeDataflow"
bug_class = "PanicSafety"
rudra_report_locations = ["src/compact.rs:144:5: 156:6"]
```
!*/
#![forbid(unsafe_code)]
mod boilerplate;
use ordnung::compact::Vec as CompactVec;
struct DropDetector(u32);
impl Drop for DropDetector {
fn drop(&mut self) {
println!("Dropping {}", self.0);
}
}
fn main() {
boilerplate::init();
#[cfg(target_pointer_width = "32")]
{
println!("1. OOB is possible because MASK_HI is 0 in 32-bit build.");
boilerplate::trace_alloc(move || {
let mut vec: Vec<u8> = Vec::with_capacity(1);
vec.push(1);
// https://github.com/maciejhirsz/ordnung/blob/e1f1e3bda332dae33b76ca4be00dba46265e4cbe/src/compact.rs#L281-L282
// len / cap packing doesn't work in 32-bit environment and cap will be always zero.
// Admittedly, this is not a real security threat as the code will scream and panic in the debug build.
// However, it is still a soundness issue since it allows UB in safe Rust code.
// This crate doesn't seem to support 32-bit, so it would be better to make it an error at the compile time.
let mut compact_vec = CompactVec::from(vec);
println!("pointer: {:p}", compact_vec.as_ptr());
println!("len: {}", compact_vec.len());
println!("capacity: {}", compact_vec.capacity());
// https://github.com/maciejhirsz/ordnung/blob/e1f1e3bda332dae33b76ca4be00dba46265e4cbe/src/compact.rs#L48
// Allows us to push elements over the boundary because `len != cap`
for i in 0..4 {
compact_vec.push(i);
println!("Pushed {}", i);
}
println!("len: {}", compact_vec.len());
println!("capacity: {}", compact_vec.capacity());
// cap is 0, so no deallocation
});
}
#[cfg(target_pointer_width = "64")]
{
println!("2. Allocator layout mismatch in 64-bit build with large capacity.");
boilerplate::trace_alloc(|| {
// https://github.com/maciejhirsz/ordnung/blob/e1f1e3bda332dae33b76ca4be00dba46265e4cbe/src/compact.rs#L35-L37
// Allocation is done with capacity `(1 << 32) + 4`,
let _ = CompactVec::<u8>::with_capacity((1 << 32) + 4);
// https://github.com/maciejhirsz/ordnung/blob/e1f1e3bda332dae33b76ca4be00dba46265e4cbe/src/compact.rs#L185-L193
// but deallocation is done with capacity `4`.
// This may corrupt the internal state of the allocator, which can cause the memory safety violation.
});
}
{
println!("3. `Vec::remove()` causes double-free when panicking.");
let mut compact_vec = CompactVec::with_capacity(32);
compact_vec.push(DropDetector(123));
compact_vec.push(DropDetector(456));
// https://github.com/maciejhirsz/ordnung/blob/e1f1e3bda332dae33b76ca4be00dba46265e4cbe/src/compact.rs#L139-L152
// Panic in line 144 frees a temporary vector created in line 142,
// and the same vector is freed again when `compact_vec` is dropped while stack unwinding.
compact_vec.remove(123);
}
}