-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsound implementation of transmute_buf
and value_u32_list
#11
Comments
Misaligned pointer reference could also happen in following places: Line 122 in caf8d1e
In StructItem::next_item() , the code at line 122 would cast struct_block which was u8 to u32. It created a misaligned pointer, then deref it at the same line.
https://github.com/ababo/dtb/blob/caf8d1ec910c405ef31a8bdf7fee374e73cffc66/src/reader.rs#L85C26-L85C26 Lines 313 to 314 in caf8d1e
In Reader::get_header() , the code at line 313 would cast blob which was u8 to Header which was u32. It created a misaligned pointer, then deref it at the next line.
Lines 361 to 362 in caf8d1e
In Reader::get_reserved_mem() , the code at line 361 would cast blob to ReservedMemEntry which was u64. It created a misaligned pointer and was passed to from_raw_parts as parameter.
Lines 37 to 38 in caf8d1e
In ReservedMem::add_entry() , the code at line 37 would cast buf which was u8 to ReservedMemEntry which was u64. The misaligned pointer was deref at the same line.
|
This code was written by me just after starting learning the language. Unfortunately I don't have capacity to fix the bugs at the moment. Feel free to submit PR if you want. |
The source of unsoundness
The first unsoundness lies in
transmute_buf
.dtb/src/struct_item.rs
Lines 88 to 93 in caf8d1e
At line 91,
buf.as_ptr()
would create an immutable raw pointer; however, it is then casted to a mutable raw pointer and created a slice from it. Changing the readonly permission in type conversion could lead to undefined behavior. Even though the function is not public and declared asunsafe
, it was still called by other functions and could have some impact.The second unsoundness lies in
value_u32_list
.dtb/src/struct_item.rs
Lines 115 to 135 in caf8d1e
At line 130,
value.as_ptr()
was casted to u32 raw pointer and created a misaligned pointer. The misaligned pointer was deref in the same line, leading to undefined behavior.To reproduce the bug
To reproduce the bug in
transmute_buf
:run with miri,
To reproduce the bug in
value_u32_list
, we just need to runcargo test
:Hope this could help you debug and fix the bugs:)
The text was updated successfully, but these errors were encountered: