Soundness: Creating`DecimalArray` from `ArrayData` does not check that its buffer is `<= size * 16` #775

jorgecarleitao · 2021-09-14T11:40:12Z

Equivalent to #774 : passing a buffer that is not a multiple of 16 results in a invalid memory access when reading values.

use arrow::array::*;
use arrow::buffer::*;
use arrow::datatypes::*;

fn main() {
    let data = ArrayData::new(
        DataType::Decimal(10, 10),
        1,
        None,
        None,
        0,
        vec![Buffer::from_slice_ref(&[0u8, 1, 1])],
        vec![],
    );
    let a = DecimalArray::from(data);
    let b = a.value(0);
    println!("{}", b);
}

cargo miri run --example unsafe

error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory
   --> /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/fmt/num.rs:579:30
    |
579 |         let is_nonnegative = *self >= 0;
    |                              ^^^^^^^^^^ using uninitialized data, but this operation requires initialized memory
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
            
    = note: inside `core::fmt::num::<impl std::fmt::Display for i128>::fmt` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/fmt/num.rs:579:30
    = note: inside `std::fmt::write` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/fmt/mod.rs:1112:17
    = note: inside `<std::io::StdoutLock as std::io::Write>::write_fmt` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/mod.rs:1642:15
    = note: inside `<&std::io::Stdout as std::io::Write>::write_fmt` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/stdio.rs:809:9
    = note: inside `<std::io::Stdout as std::io::Write>::write_fmt` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/stdio.rs:783:9
    = note: inside `std::io::stdio::print_to::<std::io::Stdout>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/stdio.rs:1149:21
    = note: inside `std::io::_print` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/io/stdio.rs:1162:5
note: inside `main` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/macros.rs:97:9
   --> arrow/examples/unsafe.rs:17:5
    |
17  |     println!("{}", b);
    |     ^^^^^^^^^^^^^^^^^^
    = note: inside `<fn() as std::ops::FnOnce<()>>::call_once - shim(fn())` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    = note: inside `std::sys_common::backtrace::__rust_begin_short_backtrace::<fn(), ()>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    = note: inside closure at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:63:18
    = note: inside `std::ops::function::impls::<impl std::ops::FnOnce<()> for &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>::call_once` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:259:13
    = note: inside `std::panicking::r#try::do_call::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:401:40
    = note: inside `std::panicking::r#try::<i32, &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:365:19
    = note: inside `std::panic::catch_unwind::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:434:14
    = note: inside closure at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:45:48
    = note: inside `std::panicking::r#try::do_call::<[closure@std::rt::lang_start_internal::{closure#2}], isize>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:401:40
    = note: inside `std::panicking::r#try::<isize, [closure@std::rt::lang_start_internal::{closure#2}]>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:365:19
    = note: inside `std::panic::catch_unwind::<[closure@std::rt::lang_start_internal::{closure#2}], isize>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:434:14
    = note: inside `std::rt::lang_start_internal` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:45:20
    = note: inside `std::rt::lang_start::<()>` at /home/azureuser/.rustup/toolchains/nightly-2021-07-04-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:62:5
    = note: this error originates in the macro `println` (in Nightly builds, run with -Z macro-backtrace for more info)

error: aborting due to previous error

The text was updated successfully, but these errors were encountered:

alamb · 2021-09-29T20:50:05Z

Updating title of the ticket to make it clear this affects misusing the lower level APIs, as described in https://github.com/apache/arrow-rs/tree/master/arrow#safety

alamb · 2021-10-29T10:33:09Z

This is a specific case of the general issue described in #817, so closing this one as a duplicate in favor of the more general ticket.

jorgecarleitao added bug security labels Sep 14, 2021

alamb changed the title ~~Soundness: DecimalArray does not check that its buffer is <= size * 16~~ Soundness: CreatingDecimalArray from ArrayData does not check that its buffer is <= size * 16 Sep 29, 2021

alamb closed this as completed Oct 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Soundness: Creating`DecimalArray` from `ArrayData` does not check that its buffer is `<= size * 16` #775

Soundness: Creating`DecimalArray` from `ArrayData` does not check that its buffer is `<= size * 16` #775

jorgecarleitao commented Sep 14, 2021 •

edited

Loading

alamb commented Sep 29, 2021

alamb commented Oct 29, 2021

Soundness: CreatingDecimalArray from ArrayData does not check that its buffer is <= size * 16 #775

Soundness: CreatingDecimalArray from ArrayData does not check that its buffer is <= size * 16 #775

Comments

jorgecarleitao commented Sep 14, 2021 • edited Loading

alamb commented Sep 29, 2021

alamb commented Oct 29, 2021

Soundness: Creating`DecimalArray` from `ArrayData` does not check that its buffer is `<= size * 16` #775

Soundness: Creating`DecimalArray` from `ArrayData` does not check that its buffer is `<= size * 16` #775

jorgecarleitao commented Sep 14, 2021 •

edited

Loading