Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsound problem in JitDumpFile::dump_code_load_record #8905

Closed
safe4u opened this issue Jul 6, 2024 · 0 comments · Fixed by #8914
Closed

Unsound problem in JitDumpFile::dump_code_load_record #8905

safe4u opened this issue Jul 6, 2024 · 0 comments · Fixed by #8914

Comments

@safe4u
Copy link

safe4u commented Jul 6, 2024

Hi, we have found an unsound problem caused by the unsafe call std::slice::from_raw_parts in

wasmtime/crates/jit-debug/src/perf_jitdump.rs

Line 252 in 842fa76

pub fn dump_code_load_record(

from_raw_parts converts the pointer addr and the len into a slice without validation and that memory block would be dumped.
Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow.

POC

Here follows a simple POC written in safe Rust code.

use wasmtime_jit_debug::perf_jitdump::JitDumpFile;
fn main() {
    let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap();
    let str1 = "hi";
    let _r = jit_file.dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4).unwrap();
}

Suggestion

There are two possible action choices could be taken:

  1. Mark the function dump_code_load_record as unsafe and write Safety requirement.
  2. (recommended) Merge parameter addr and len into a single parameter code_buffer: &[u8], so the compiler would guarantee the buffer is valid.
@safe4u safe4u mentioned this issue Jul 6, 2024
Open
alexcrichton added a commit to alexcrichton/wasmtime that referenced this issue Jul 8, 2024
@alexcrichton
Refactor internal profiling APIs to be safer
14bd6a8 
Pass around `&[u8]` instead of `*const u8` and `usize` to avoid the need
for raw unsafe abstractions.

Closes bytecodealliance#8905
@alexcrichton alexcrichton mentioned this issue Jul 8, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Jul 8, 2024
@alexcrichton
Refactor internal profiling APIs to be safer (#8914)
b5e31a5 
Pass around `&[u8]` instead of `*const u8` and `usize` to avoid the need
for raw unsafe abstractions.

Closes #8905
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Refactor internal profiling APIs to be safer alexcrichton/wasmtime
1 participant
@safe4u