Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validation: check raw wide pointer metadata #63880

Merged
merged 5 commits into from
Aug 29, 2019
Merged

Conversation

RalfJung
Copy link
Member

While I was at it, I also added a missing check for slices not to be too big.

r? @oli-obk
Fixes rust-lang/miri#918

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Aug 25, 2019
@oli-obk
Copy link
Contributor

oli-obk commented Aug 26, 2019

So https://doc.rust-lang.org/std/ptr/fn.slice_from_raw_parts.html is wrong? It's a safe function allowing the construction of such invalid slices.

It can also be done safely on stable:

123456789 as *const [(); usize::max_value()] as *const [()] as *const [u64]

Did anything change in that regard?

@RalfJung
Copy link
Member Author

RalfJung commented Aug 26, 2019

Ouch, I forgot about that.

What changed is that when slice_from_raw_parts landed, nobody was aware of #62603 #63851.

@RalfJung
Copy link
Member Author

Looks like @eddyb was the only one who even knew that we require wide raw ptr metadata to be valid.^^ Nobody in #60667 and rust-lang/unsafe-code-guidelines#166 knew.

@RalfJung
Copy link
Member Author

For this PR, we could (for now) say the fact that this cast is allowed is a bug, and wait until #63851 / rust-lang/unsafe-code-guidelines#166 are resolved. That would match the UB lists in the Nomicon / Reference.

Or we do the slice length check not for raw pointers. That would make the UB documentation more messy. Or we declare the slice length to be just part of the safety invariant of slices so that there is nothing to check, keeping UB simpler.

ty::Slice(ty) => self.ecx.layout_of(ty)?.size,
_ => bug!("It cannot be another type"),
};
if elem_size.checked_mul(len, &*self.ecx.tcx).is_none() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(offtopic) @oli-obk why doesn't TyCtxtAt just implement the right traits to not require all of these &* in miri?

@oli-obk
Copy link
Contributor

oli-obk commented Aug 26, 2019

slice_from_raw_parts is unstable, so it's not an issue. But the stable transformation is indeed problematic.

What changed is that when slice_from_raw_parts landed, nobody was aware of #62603.

what does #62603 have to do with raw pointer metadata?

@RalfJung
Copy link
Member Author

@oli-obk I removed the new slice length check.

@rust-highfive

This comment has been minimized.

@rust-highfive

This comment has been minimized.

@RalfJung
Copy link
Member Author

what does #62603 have to do with raw pointer metadata?

Sorry, copy-pasted the wrong thing. I meant #63851.

@oli-obk
Copy link
Contributor

oli-obk commented Aug 27, 2019

@bors r+

@bors
Copy link
Contributor

bors commented Aug 27, 2019

📌 Commit 04580b6 has been approved by oli-obk

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 27, 2019
@RalfJung
Copy link
Member Author

@bors r-

I also found where the slice size check actually happens, and added a comment. @oli-obk does that seem okay? Or should I try to fix the ICE here as well?

@bors bors added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. labels Aug 27, 2019
@RalfJung
Copy link
Member Author

Hm actually I cannot get it to ICE...

use std::slice;
use std::usize;

fn main() { unsafe {
    let ptr = Box::into_raw(Box::new(0u8));
    let _x = slice::from_raw_parts(ptr, usize::MAX);
} }

@RalfJung
Copy link
Member Author

RalfJung commented Aug 27, 2019

Oh wow, that's odd. When multiplying Size with u64, a check occurs, but not when multiplying Size with Size`?

impl Mul<Size> for u64 {
type Output = Size;
#[inline]
fn mul(self, size: Size) -> Size {
size * self
}
}
impl Mul<u64> for Size {
type Output = Size;
#[inline]
fn mul(self, count: u64) -> Size {
match self.bytes().checked_mul(count) {
Some(bytes) => Size::from_bytes(bytes),
None => {
panic!("Size::mul: {} * {} doesn't fit in u64", self.bytes(), count)
}
}
}
}

@eddyb is that deliberate?

EDIT: Never mind, that's u64 * Size and it just dispatches to the other impl.

@RalfJung
Copy link
Member Author

Oh, Size multiplication actually is not doing the right kind of check for us here... it calls checked_mul for u64, not for Size.

I will remove the last commit here and make that a new PR.

@RalfJung
Copy link
Member Author

@bors r=oli-obk

@bors
Copy link
Contributor

bors commented Aug 27, 2019

📌 Commit 04580b6 has been approved by oli-obk

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Aug 27, 2019
Centril added a commit to Centril/rust that referenced this pull request Aug 29, 2019
Validation: check raw wide pointer metadata

While I was at it, I also added a missing check for slices not to be too big.

r? @oli-obk
Fixes rust-lang/miri#918
Centril added a commit to Centril/rust that referenced this pull request Aug 29, 2019
Validation: check raw wide pointer metadata

While I was at it, I also added a missing check for slices not to be too big.

r? @oli-obk
Fixes rust-lang/miri#918
Centril added a commit to Centril/rust that referenced this pull request Aug 29, 2019
Validation: check raw wide pointer metadata

While I was at it, I also added a missing check for slices not to be too big.

r? @oli-obk
Fixes rust-lang/miri#918
bors added a commit that referenced this pull request Aug 29, 2019
Rollup of 7 pull requests

Successful merges:

 - #63867 (resolve: Block expansion of a derive container until all its derives are resolved)
 - #63880 (Validation: check raw wide pointer metadata)
 - #63914 (ty: use Align for ReprOptions pack and align.)
 - #63941 (rustbuild: allow disabling deny(warnings) for bootstrap)
 - #63949 (Fix build src/libtest)
 - #63984 (Update rust-installer to limit memory use)
 - #63992 (Small improvement for Ord implementation of integers)

Failed merges:

r? @ghost
@bors bors merged commit 04580b6 into rust-lang:master Aug 29, 2019
@bors
Copy link
Contributor

bors commented Aug 29, 2019

⌛ Testing commit 04580b6 with merge 7445622...

@bors
Copy link
Contributor

bors commented Aug 29, 2019

☔ The latest upstream changes (presumably #63998) made this pull request unmergeable. Please resolve the merge conflicts.

@bors bors added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. labels Aug 29, 2019
bors added a commit to rust-lang/miri that referenced this pull request Aug 29, 2019
test for invalid wide raw ptr

This is the Miri side of rust-lang/rust#63880.
@RalfJung RalfJung deleted the miri-meta branch August 29, 2019 16:15
@pietroalbini
Copy link
Member

@bors r- retry

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Sep 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Report null fat raw pointers
6 participants