Fix UB from misalignment and provenance widening in std::sys::windows
#101171
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
the
T-libs
rust-highfive
added
the
S-waiting-on-review
thomcc
commented
Aug 29, 2022
ChrisDenton
reviewed
Aug 30, 2022
ChrisDenton
reviewed
Aug 30, 2022
|
Oh, just noticed: rust/library/std/src/sys/windows/fs.rs Line 1348 in 1b8025a EDIT: Wait no that's a different buffer... for some reason. |
It's still wrong the way it's written, I think? That said there are a couple places in this file that are like this that I didn't touch (for example, it's not 100% clear to me what the best fix for the DirBuff stuff would be, but I was just going to tackle it later). |
Yeah, but I'm ok with this PR being more focused. That said, I'm also more than happy for you to fix that too! |
|
I fixed it. It actually was wrong in another way, since it was turning a pointer derived from (Tragically |
|
lgtm @bors r+ |
bors
added
S-waiting-on-bors
|
@bors r- After a quick discussion with @ChrisDenton I'm actually going to simplify this a bit. |
bors
added
S-waiting-on-author
rustbot
added
the
T-infra
|
I'll remove the |
ChrisDenton
reviewed
Aug 30, 2022
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Windows passes (https://github.com/rust-lang/rust/runs/8091513764?check_suite_focus=true, https://github.com/rust-lang/rust/runs/8091513602?check_suite_focus=true), so I've undone the CI commit. |
thomcc
removed
the
T-infra
|
@bors r+ |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Aug 31, 2022
Fix UB from misalignment and provenance widening in `std::sys::windows` This fixes two types of UB: 1. Reading past the end of a reference in types like `&c::REPARSE_DATA_BUFFER` (see rust-lang/unsafe-code-guidelines#256). This is fixed by using `addr_of!`. I think there are probably a couple more cases where we do this for other structures, and will look into it in a bit. 2. Failing to ensure that a `[u8; N]` on the stack is sufficiently aligned to convert to a `REPARSE_DATA_BUFFER`. ~~This was done by introducing a new `AlignedAs` struct that allows aligning one type to the alignment of another type. I expect there are other places where we have this issue too, or I wouldn't introduce this type, but will get to them after this lands.~~ ~~Worth noting, it *is* implemented in a way that can cause problems depending on how we fix rust-lang#81996, but this would be caught by the test I added (and presumably if we decide to fix that in a way that would break this code, we'd also introduce a `#[repr(simple)]` or `#[repr(linear)]` as a replacement for this usage of `#[repr(C)]`).~~ Edit: None of that is still in the code, I just went with a `Align8` since that's all we'll need for almost everything we want to call. These are more or less "potential UB" since it's likely at the moment everything works fine, although the alignment not causing issues might just be down to luck (and x86 being forgiving). ~~NB: I've only ensured this check builds, but will run tests soon.~~ All tests pass, including stage2 compiler tests. r? `@ChrisDenton`
This was referenced Aug 31, 2022
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Aug 31, 2022
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#100970 (Allow deriving multipart suggestions) - rust-lang#100984 (Reinstate preloading of some dll imports) - rust-lang#101011 (Use getentropy when possible on all Apple platforms) - rust-lang#101025 (Add tier-3 support for powerpc64 and riscv64 openbsd) - rust-lang#101049 (Remove span fatal from ast lowering) - rust-lang#101100 (Make call suggestions more general and more accurate) - rust-lang#101171 (Fix UB from misalignment and provenance widening in `std::sys::windows`) - rust-lang#101185 (Tweak `WellFormedLoc`s a bit) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Aug 31, 2022
Avoid needless buffer zeroing in `std::sys::windows::fs` Followup to rust-lang#101171 and rust-lang#101193. This finishes up avoiding buffer zeroing pointed out in rust-lang#100729 (comment) (thanks!) r? `@ChrisDenton`
This was referenced Sep 4, 2022
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this pull request
Sep 7, 2022
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this pull request
Sep 7, 2022
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this pull request
Sep 8, 2022
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
workingjubilee
pushed a commit
to tcdi/postgrestd
that referenced
this pull request
Sep 15, 2022
Avoid needless buffer zeroing in `std::sys::windows::fs` Followup to rust-lang/rust#101171 and rust-lang/rust#101193. This finishes up avoiding buffer zeroing pointed out in rust-lang/rust#100729 (comment) (thanks!) r? `@ChrisDenton`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes two types of UB:
Reading past the end of a reference in types like
&c::REPARSE_DATA_BUFFER(see Storing an object as &Header, but reading the data past the end of the header unsafe-code-guidelines#256). This is fixed by usingaddr_of!. I think there are probably a couple more cases where we do this for other structures, and will look into it in a bit.Failing to ensure that a
[u8; N]on the stack is sufficiently aligned to convert to aREPARSE_DATA_BUFFER.This was done by introducing a newAlignedAsstruct that allows aligning one type to the alignment of another type. I expect there are other places where we have this issue too, or I wouldn't introduce this type, but will get to them after this lands.Worth noting, it is implemented in a way that can cause problems depending on how we fix repr(C) is unsound on MSVC targets #81996, but this would be caught by the test I added (and presumably if we decide to fix that in a way that would break this code, we'd also introduce a#[repr(simple)]or#[repr(linear)]as a replacement for this usage of#[repr(C)]).Edit: None of that is still in the code, I just went with a
Align8since that's all we'll need for almost everything we want to call.These are more or less "potential UB" since it's likely at the moment everything works fine, although the alignment not causing issues might just be down to luck (and x86 being forgiving).
NB: I've only ensured this check builds, but will run tests soon.All tests pass, including stage2 compiler tests.r? @ChrisDenton