Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsound implementation in MemoryRange::as_slice/as_slice_mut #410

Closed
shinmao opened this issue Sep 12, 2023 · 5 comments
Closed

Unsound implementation in MemoryRange::as_slice/as_slice_mut #410

shinmao opened this issue Sep 12, 2023 · 5 comments

Comments

@shinmao
Copy link

shinmao commented Sep 12, 2023

The source of unsoundness

xous-core/xous-rs/src/definitions.rs

Lines 318 to 324 in f17ce55

pub fn as_slice<T>(&self) -> &[T] {
// This is safe because the pointer and length are guaranteed to
// be valid, as long as the user hasn't already called `as_ptr()`
// and done something unsound with the resulting pointer.
unsafe {
core::slice::from_raw_parts(
self.as_ptr() as *const T,

We consider as_slice unsound because: at line 324, the pointer with any bit patterns could be cast to the slice of arbitrary types. The pointer could be created by unsafe new and deprecated from_parts. We consider that from_parts should be removed in latest version because it will help trigger unsoundness in as_slice. With new declared as unsafe, as_slice should also declared as unsafe.

To reproduce the bug

use xous::definitions::MemoryRange;

fn main() {
    let a: u64 = 3;
    let addr = &a as *const u64 as usize;
    let mr = unsafe { MemoryRange::new(addr, 8usize).unwrap() };
    println!("{:?}", mr.as_slice::<bool>());
}

to run with miri,

note: inside `main`
   --> src/main.rs:7:22
    |
7   |     println!("{:?}", mr.as_slice::<bool>());
    |                      ^^^^^^^^^^^^^^^^^^^^^

error: Undefined Behavior: constructing invalid value: encountered 0x03, but expected a boolean
@xobs
Copy link
Member

xobs commented Sep 12, 2023

Nobody seems to be using from_parts(), so I agree it makes sense to remove it.

The call to as_slice() (and as_slice_mut()) is a bit more problematic. I'll put together a patchset and have @bunnie take a look at it.

@shinmao
Copy link
Author

shinmao commented Sep 12, 2023
edited
Loading

@xobs yes. I think we can remind the user who combines the usage of new and as_slice should keep in mind that T actually can't be any type they provide.

@xobs
Copy link
Member

xobs commented Sep 12, 2023

I think that a better API would have been to turn a MemoryRange into a smart pointer of some sort that encodes the type, and make only the constructor be unsafe. Unfortunately it's a bit too late to do that in this API -- it will have to be done for some Xous-rs 2.0 API.

@xobs
Copy link
Member

xobs commented Sep 12, 2023

I created #411 to address this issue.

@bunnie
Copy link
Member

bunnie commented Sep 20, 2023

this got merged, so i think we can close this issue?

@bunnie bunnie closed this as completed Sep 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xobs @bunnie @shinmao