-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix UB from misalignment and provenance widening in std::sys::windows
#101171
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I think this is basically fine. Only one thing that I think needs to be addressed, the other comments are just me being resigned to Rust not having better support for this atm. 🤷
Oh, just noticed: rust/library/std/src/sys/windows/fs.rs Line 1348 in 1b8025a
EDIT: Wait no that's a different buffer... for some reason. |
It's still wrong the way it's written, I think? That said there are a couple places in this file that are like this that I didn't touch (for example, it's not 100% clear to me what the best fix for the DirBuff stuff would be, but I was just going to tackle it later). |
Yeah, but I'm ok with this PR being more focused. That said, I'm also more than happy for you to fix that too! |
I fixed it. It actually was wrong in another way, since it was turning a pointer derived from (Tragically |
lgtm @bors r+ |
@bors r- After a quick discussion with @ChrisDenton I'm actually going to simplify this a bit. |
I'll remove the |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Windows passes (https://github.com/rust-lang/rust/runs/8091513764?check_suite_focus=true, https://github.com/rust-lang/rust/runs/8091513602?check_suite_focus=true), so I've undone the CI commit. |
@bors r+ |
Fix UB from misalignment and provenance widening in `std::sys::windows` This fixes two types of UB: 1. Reading past the end of a reference in types like `&c::REPARSE_DATA_BUFFER` (see rust-lang/unsafe-code-guidelines#256). This is fixed by using `addr_of!`. I think there are probably a couple more cases where we do this for other structures, and will look into it in a bit. 2. Failing to ensure that a `[u8; N]` on the stack is sufficiently aligned to convert to a `REPARSE_DATA_BUFFER`. ~~This was done by introducing a new `AlignedAs` struct that allows aligning one type to the alignment of another type. I expect there are other places where we have this issue too, or I wouldn't introduce this type, but will get to them after this lands.~~ ~~Worth noting, it *is* implemented in a way that can cause problems depending on how we fix rust-lang#81996, but this would be caught by the test I added (and presumably if we decide to fix that in a way that would break this code, we'd also introduce a `#[repr(simple)]` or `#[repr(linear)]` as a replacement for this usage of `#[repr(C)]`).~~ Edit: None of that is still in the code, I just went with a `Align8` since that's all we'll need for almost everything we want to call. These are more or less "potential UB" since it's likely at the moment everything works fine, although the alignment not causing issues might just be down to luck (and x86 being forgiving). ~~NB: I've only ensured this check builds, but will run tests soon.~~ All tests pass, including stage2 compiler tests. r? `@ChrisDenton`
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#100970 (Allow deriving multipart suggestions) - rust-lang#100984 (Reinstate preloading of some dll imports) - rust-lang#101011 (Use getentropy when possible on all Apple platforms) - rust-lang#101025 (Add tier-3 support for powerpc64 and riscv64 openbsd) - rust-lang#101049 (Remove span fatal from ast lowering) - rust-lang#101100 (Make call suggestions more general and more accurate) - rust-lang#101171 (Fix UB from misalignment and provenance widening in `std::sys::windows`) - rust-lang#101185 (Tweak `WellFormedLoc`s a bit) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
Avoid needless buffer zeroing in `std::sys::windows::fs` Followup to rust-lang#101171 and rust-lang#101193. This finishes up avoiding buffer zeroing pointed out in rust-lang#100729 (comment) (thanks!) r? `@ChrisDenton`
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
Avoid UB in the Windows filesystem code in... bootstrap? This basically a subset of the changes from rust-lang#101171. I didn't think to look in src/bootstrap for more windows filesystem API usage, which was apparently a mistake on my part. It's kinda goofy that stuff like this is in here, but what are you gonna do, computers are awful. I also added `winbase` to the `winapi` dep -- I tested this in a tmp crate but needed to add this to your Cargo.toml -- you `use winapi::stuff::winbase` in this function, but are relying on something else turning on that feature.
Avoid needless buffer zeroing in `std::sys::windows::fs` Followup to rust-lang/rust#101171 and rust-lang/rust#101193. This finishes up avoiding buffer zeroing pointed out in rust-lang/rust#100729 (comment) (thanks!) r? `@ChrisDenton`
This fixes two types of UB:
Reading past the end of a reference in types like
&c::REPARSE_DATA_BUFFER
(see Storing an object as &Header, but reading the data past the end of the header unsafe-code-guidelines#256). This is fixed by usingaddr_of!
. I think there are probably a couple more cases where we do this for other structures, and will look into it in a bit.Failing to ensure that a
[u8; N]
on the stack is sufficiently aligned to convert to aREPARSE_DATA_BUFFER
.This was done by introducing a newAlignedAs
struct that allows aligning one type to the alignment of another type. I expect there are other places where we have this issue too, or I wouldn't introduce this type, but will get to them after this lands.Worth noting, it is implemented in a way that can cause problems depending on how we fix repr(C) on MSVC targets does not always match MSVC type layout when ZST are involved #81996, but this would be caught by the test I added (and presumably if we decide to fix that in a way that would break this code, we'd also introduce a#[repr(simple)]
or#[repr(linear)]
as a replacement for this usage of#[repr(C)]
).Edit: None of that is still in the code, I just went with a
Align8
since that's all we'll need for almost everything we want to call.These are more or less "potential UB" since it's likely at the moment everything works fine, although the alignment not causing issues might just be down to luck (and x86 being forgiving).
NB: I've only ensured this check builds, but will run tests soon.All tests pass, including stage2 compiler tests.r? @ChrisDenton