lang_start in std/src/rt.rs is unsound in presence of panic payload that panics on drop
#86030
Assignees
Labels
A-runtime
Area: std's runtime and "pre-main" init for handling backtraces, unwinds, stack overflows
C-bug
Category: This is a bug.
I-unsound
Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
P-critical
Critical priority
T-libs
Relevant to the library team, which will review and decide on the PR/issue.
Comments
nagisa
added
I-unsound
nagisa
changed the title
lang_start in std/src/rt.rs is unsound in presence of panic payload that panicslang_start in std/src/rt.rs is unsound in presence of panic payload that panics on drop
jonas-schievink
added
A-runtime
|
Assigning priority as discussed in the Zulip thread of the Prioritization Working Group. @rustbot label -I-prioritize +P-critical |
rustbot
added
P-critical
nagisa
added a commit
to nagisa/rust
that referenced
this issue
Jun 15, 2021
Guard against panic payloads panicking within entrypoints, where it is UB to do so. Note that there are a number of implementation approaches to consider. Some simpler, some more complicated. This particular solution is nice in that it also guards against accidental implementation issues in various pieces of runtime code, something we cannot prevent statically right now. Fixes rust-lang#86030
Dylan-DPC-zz
pushed a commit
to Dylan-DPC-zz/rust
that referenced
this issue
Jun 16, 2021
Change entry point to 🛡️ against 💥 💥-payloads Guard against panic payloads panicking within entrypoints, where it is UB to do so. Note that there are a number of tradeoffs to consider. For instance, I considered guarding against accidental panics inside the `rt::init` and `rt::cleanup` code as well, as it is not all that obvious these may not panic, but doing so would mean that we initialize certain thread-local slots unconditionally, which has its own problems. Fixes rust-lang#86030 r? `@m-ou-se`
|
Playground link with full code: https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=8042bb4b47c3b1c57f1a0dfe11a3bf41 |
|
FWIW, Miri does detect this. :) error: Undefined Behavior: unwinding past the topmost frame of the stack
--> /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:43:1
|
43 | / fn lang_start<T: crate::process::Termination + 'static>(
44 | | main: fn() -> T,
45 | | argc: isize,
46 | | argv: *const *const u8,
... |
52 | | )
53 | | }
| |_^ unwinding past the topmost frame of the stack
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
= note: inside `std::rt::lang_start::<()>` at /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:43:1
error: aborting due to previous error |
bors
added a commit
to rust-lang-ci/rust
that referenced
this issue
Jun 19, 2021
Change entry point to 🛡️ against 💥 💥-payloads Guard against panic payloads panicking within entrypoints, where it is UB to do so. Note that there are a number of tradeoffs to consider. For instance, I considered guarding against accidental panics inside the `rt::init` and `rt::cleanup` code as well, as it is not all that obvious these may not panic, but doing so would mean that we initialize certain thread-local slots unconditionally, which has its own problems. Fixes rust-lang#86030 r? `@m-ou-se`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See #86027 for an example of the problem.
Here we panic without any landing pads available upstack, because we are already the top-most(-ish) frame in the first place. This is UB.
The text was updated successfully, but these errors were encountered: