
Fix zero-sized reference to deallocated memory #91797

Merged
merged 1 commit into from
Dec 12, 2021

Conversation

the8472
Member

@the8472 the8472 commented Dec 11, 2021

fixes #91772

r? @camelid

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Dec 11, 2021
@the8472
Member Author

the8472 commented Dec 11, 2021

Running miri-test-libstd for alloc passes with these changes.

@camelid
Member

camelid commented Dec 11, 2021

Sorry, I don't have enough familiarity with this code to review :)

r? rust-lang/libs

@camelid camelid added the T-libs Relevant to the library team, which will review and decide on the PR/issue. label Dec 11, 2021
@Mark-Simulacrum
Member

@the8472 I'm going to r+ this as I think it should address the immediate problem, but I suspect a more thorough patch which fixes the Splice Drop(?) impl to not create such a Drain would be better.

In general I think we should be able to expect that the iterator is pointing to a valid range inside Drain -- the fact that's not the case to me suggests that Splice is not properly resetting Drain after modifying the backing vector (e.g., by re-initing the slice here to be freshly created, not from deallocated memory). With this patch it's probably fine, but seems easy to get wrong in the future, so likely good to fix at the root in some sense.
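Added example (not code from the PR or from std): safe Rust that sets up the situation described in the comment above, a `Vec` whose backing buffer must grow while `Splice` is being dropped, after the inner `Drain` has already been exhausted. A normal run shows nothing; it is under Miri (such as the `miri-test-libstd` run mentioned earlier) that the pre-fix `Drain::drop` is where the use-after-free from #91772 gets reported. The `SpliceOutcome` and `splice_forcing_realloc` names are my own.

```rust
use std::ops::Range;

/// Result of one forced-reallocation splice, for inspection and assertions.
pub struct SpliceOutcome {
    pub old_capacity: usize,
    pub new_capacity: usize,
    pub removed: Vec<u32>,
    pub contents: Vec<u32>,
}

/// Splice `replacement` over `range` of a vector built with no spare capacity.
/// When `replacement` has more items than `range` removes, `Splice::drop` has to
/// grow the buffer *after* its inner `Drain` has been exhausted, which is the
/// state the review comments describe: the Drain's iterator is empty but its
/// pointers still refer to the old allocation.
pub fn splice_forcing_realloc(initial: &[u32], range: Range<usize>, replacement: &[u32]) -> SpliceOutcome {
    // Exact capacity so that any growth must go through the allocator (constructed setup).
    let mut v: Vec<u32> = Vec::with_capacity(initial.len());
    v.extend_from_slice(initial);
    let old_capacity = v.capacity();

    // `Vec::splice` only hands back a `Splice`; nothing is written to `v` until that
    // value is dropped. `collect` consumes it: the inner Drain is emptied first, then
    // Splice::drop fills the gap and, if the replacement is longer, reallocates and
    // moves the tail before the Drain itself is dropped.
    let removed: Vec<u32> = v.splice(range, replacement.iter().copied()).collect();

    SpliceOutcome { old_capacity, new_capacity: v.capacity(), removed, contents: v }
}

fn main() {
    let out = splice_forcing_realloc(&[1, 2, 3], 1..2, &[9, 8, 7]);
    println!(
        "capacity {} -> {}, removed {:?}, now {:?}",
        out.old_capacity, out.new_capacity, out.removed, out.contents
    );
}
```

Running the same program with `cargo miri run` on a toolchain from before this PR is what surfaces the dangling zero-length slice; the regular build cannot observe it.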

@Mark-Simulacrum
Member

@bors r+ p=1 -- fixing unsoundness

@bors
Contributor

bors commented Dec 11, 2021

📌 Commit 9063b64 has been approved by Mark-Simulacrum

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 11, 2021
@the8472
Member Author

the8472 commented Dec 11, 2021

With this patch it's probably fine, but seems easy to get wrong in the future, so likely good to fix at the root in some sense.

Well, at least it's documented now that Drain::drop is constrained in some ways by Splice::drop. But yeah, if we can reduce the ways in which splice breaks drain encapsulation that would be nice.

let drop_ptr = iter.as_slice().as_ptr();

// forget iter so there's no aliasing reference
drop(iter);
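Review bot: the comment on `drop(iter)` says the iterator is forgotten, but `drop` runs destructors rather than `mem::forget`, and as the replies below confirm `slice::Iter` holds raw pointers and has nothing to run on drop, so the call changes nothing at runtime; suggest either removing the two lines or rewording the comment to say that only `drop_ptr` is copied out of `iter` before it goes out of scope, so no `&[T]` into the possibly reallocated buffer is kept alive past this point.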
Member


Does iter have an actual impl Drop that used to be run here?

Member Author

@the8472 the8472 Dec 12, 2021


No, it wasn't actually necessary. I thought slice::Iter internally holds a slice reference that would be invalidated by mutating the vec through other pointers. But it actually contains pointers.

Member


Also, at least under Stacked Borrows, dropping a reference doesn't help with anything -- it only marks the reference as active the moment it gets dropped.

bors added a commit to rust-lang-ci/rust that referenced this pull request Dec 12, 2021
…askrgr

Rollup of 8 pull requests

Successful merges:

 - rust-lang#90081 (Make `intrinsics::write_bytes` const)
 - rust-lang#91643 (asm: Allow using r9 (ARM) and x18 (AArch64) if they are not reserved by the current target)
 - rust-lang#91737 (Make certain panicky stdlib functions behave better under panic_immediate_abort)
 - rust-lang#91750 (rustdoc: Add regression test for Iterator as notable trait on &T)
 - rust-lang#91764 (Do not ICE when suggesting elided lifetimes on non-existent spans.)
 - rust-lang#91780 (Remove hir::Node::hir_id.)
 - rust-lang#91797 (Fix zero-sized reference to deallocated memory)
 - rust-lang#91806 (Make `Unique`s methods `const`)

Failed merges:

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit 9aade50 into rust-lang:master Dec 12, 2021
@bors
Contributor

bors commented Dec 12, 2021

⌛ Testing commit 9063b64 with merge e70e4d4...

@rustbot rustbot added this to the 1.59.0 milestone Dec 12, 2021
Successfully merging this pull request may close these issues.

Use-after-free in Drop impl for vec::Drain
7 participants