temporary_cstring_as_ptr doesn't catch UAF when Result is assigned to a variable #4375

Closed
alex opened this issue Aug 13, 2019 · 3 comments · Fixed by #4425
Labels
C-bug Category: Clippy is not doing the correct thing C-enhancement Category: Enhancement of lints, like adding more cases or adding help messages

Comments

@alex
Member

alex commented Aug 13, 2019

Source:

use std::ffi::CString;
use libc::c_char;

extern "C" {
    fn foo(data: *const c_char);
}

pub fn bar(v: &[u8]) {
    let cstr = CString::new(v);
    unsafe {
        foo(cstr.unwrap().as_ptr())
    }
}

clippy doesn't complain about this, even though it's equally dangerous to foo(CString::new(v).unwrap().as_ptr()). It should complain about this formulation as well.

Tested with clippy on play.rust-lang.org: 0.0.212 (2019-08-11 72da101)

flip1995 added the C-bug and C-enhancement labels Aug 13, 2019

@flip1995
Member

A possible fix would be to search for method chains of .unwrap().as_ptr() and then check the type of the first argument (self) of the unwrap call, if it is Result<CString, _>.

@alex
Member Author

alex commented Aug 13, 2019

For what it's worth, this came from a real world example: mozilla/neqo#145

bors added a commit that referenced this issue Aug 21, 2019
Fix `temporary_cstring_as_ptr` false negative

Fixes #4375.

Changes the check to test when `.unwrap().as_ptr()` is called on any
`Result<CString, _>` as suggested by @flip1995
(#4375 (comment)).

changelog: Fix `temporary_cstring_as_ptr` false negative
@bors bors closed this as completed in 59893bc Aug 21, 2019
@Qwaz
Contributor

Qwaz commented Sep 23, 2019

I believe the example in the issue report should store a pointer in another variable to trigger UAF, like the example on the clippy lint page:

let c_str = CString::new("foo").unwrap().as_ptr();
unsafe {
    foo(c_str);
}

The pointer is valid in function foo if you use CString in the form of foo(cstr.unwrap().as_ptr()) or foo(cstr.unwrap().as_ptr()), since the temporary value is dropped after foo returns.

See mozilla/neqo#145 (comment)
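The following is an added example, not code from this issue, from Clippy or from neqo. It makes the drop order behind both alex's report and Qwaz's comment observable without ever dereferencing a dangling pointer: a hypothetical `Tracked` wrapper stands in for the `CString` returned by `CString::new(v).unwrap()` and records its own drop, a hypothetical safe-to-call `foo` stands in for the extern "C" function, and `std::os::raw::c_char` replaces `libc::c_char` so the block runs with no external crates. The event log and all function names are assumptions for illustration.

```rust
use std::cell::RefCell;
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

// Constructed event log so the order of "foo" versus "drop" can be checked.
thread_local! {
    static EVENTS: RefCell<Vec<&'static str>> = RefCell::new(Vec::new());
}

fn log(ev: &'static str) {
    EVENTS.with(|e| e.borrow_mut().push(ev));
}

fn take_events() -> Vec<&'static str> {
    EVENTS.with(|e| std::mem::take(&mut *e.borrow_mut()))
}

/// Hypothetical wrapper standing in for the `CString` produced by
/// `CString::new(v).unwrap()` in the issue; its only job is to make the
/// drop of that temporary visible in the log.
struct Tracked(CString);

impl Tracked {
    fn new(s: &str) -> Result<Tracked, NulError> {
        CString::new(s).map(Tracked)
    }
    fn as_ptr(&self) -> *const c_char {
        self.0.as_ptr()
    }
}

impl Drop for Tracked {
    fn drop(&mut self) {
        log("drop");
    }
}

/// Stand-in for the extern "C" `foo` of the issue: it reads the string.
/// Safety: `p` must point at a NUL-terminated buffer that is still alive.
unsafe fn foo(p: *const c_char) -> String {
    log("foo");
    let c = unsafe { CStr::from_ptr(p) };
    c.to_string_lossy().into_owned()
}

/// The issue's formulation. The temporary from `unwrap()` lives until the
/// end of the enclosing statement, so `foo` runs before `drop`: the
/// pointer is still valid inside `foo`, which is Qwaz's point.
pub fn call_with_temporary(v: &str) -> (String, Vec<&'static str>) {
    take_events();
    let cstr = Tracked::new(v);
    let s = unsafe { foo(cstr.unwrap().as_ptr()) };
    (s, take_events())
}

/// The lint page's formulation. The temporary is dropped at the end of
/// the `let`, before the first use, so `_p` dangles from then on. Only
/// the order is recorded; `_p` is deliberately never dereferenced.
pub fn pointer_from_let(v: &str) -> Vec<&'static str> {
    take_events();
    let _p: *const c_char = Tracked::new(v).unwrap().as_ptr();
    log("use");
    take_events()
}

/// The fix in both cases: bind the owner to a named local so the buffer
/// outlives every use of the pointer, and drop it (explicitly here, or by
/// letting it go out of scope) only afterwards.
pub fn pointer_from_named_owner(v: &str) -> (String, Vec<&'static str>) {
    take_events();
    let owner = Tracked::new(v).unwrap();
    let p = owner.as_ptr();
    let s = unsafe { foo(p) };
    drop(owner);
    (s, take_events())
}

fn main() {
    println!("{:?}", call_with_temporary("hello"));
    println!("{:?}", pointer_from_let("hello"));
    println!("{:?}", pointer_from_named_owner("hello"));
}
```

`call_with_temporary` logs `foo` before `drop`, `pointer_from_let` logs `drop` before `use`, and `pointer_from_named_owner` logs `foo` before `drop`. The block does not run Clippy; after the fix in #4425 the lint flags the `.unwrap().as_ptr()` chain on any `Result<CString, _>`, so it fires on the first two forms even though only the second one actually produces a dangling pointer, and the named-owner form is the shape that avoids both the warning and the bug.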
