Collaborator

@CryZe CryZe commented Dec 26, 2025

The lifetime was not properly tied to the buffer passed in, which could lead to use after free if the returned slice outlived the buffer.

@CryZe CryZe requested a review from Jujstme December 26, 2025 13:52
@CryZe CryZe added the bug and enhancement labels Dec 26, 2025
Collaborator

Jujstme commented Dec 26, 2025

To be fair, the original signature for the function was already sound.

You have a function that accepts one reference (other than &self) and returns another reference. Due to lifetime elision rules, the compiler should automatically assume that the return reference has the same lifetime as the input reference.

This PR just expresses the lifetime explicitly.

Collaborator Author

CryZe commented Dec 26, 2025

If there are multiple input lifetimes on a function, you usually need to explicitly specify it, with the one exception being if it's a method; then elision rules assume the borrow is from self by default. And that's the problem here: the borrow is not from self, so it's unsound. Usually the compiler detects this, but here we construct the slice from a raw pointer, so it loses the ability to reason about it.

If you want, I can construct a use after free on the Rust playground to demonstrate it.
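
The elision point made in the comment above, as an added example that is not part of the thread or the project's code. The page does not show the patched function, so `Source`, `read_elided`, `read_tied` and `fill` are hypothetical names.

```rust
use std::mem::MaybeUninit;
use std::slice;

// Hypothetical stand-in; type and method names are assumptions, not the project's API.
pub struct Source { data: Vec<u8> }

impl Source {
    // BEFORE: two input references and an elided output lifetime. On a method,
    // elision ties the result to `&self`, not to `buf`. `from_raw_parts` returns
    // whatever lifetime the signature asks for, so rustc cannot see the mismatch.
    pub fn read_elided(&self, buf: &mut [MaybeUninit<u8>]) -> &[u8] {
        let n = self.fill(buf);
        // Unsound: nothing keeps the caller from holding the slice after `buf` is gone.
        unsafe { slice::from_raw_parts(buf.as_ptr().cast::<u8>(), n) }
    }

    // AFTER: the output lifetime is named and tied to the buffer.
    pub fn read_tied<'a>(&self, buf: &'a mut [MaybeUninit<u8>]) -> &'a [u8] {
        let n = self.fill(buf);
        // SAFETY: the first `n` bytes were initialized by `fill`; `'a` bounds the slice by `buf`.
        unsafe { slice::from_raw_parts(buf.as_ptr().cast::<u8>(), n) }
    }

    // Copies as many bytes as fit and returns how many were initialized.
    fn fill(&self, buf: &mut [MaybeUninit<u8>]) -> usize {
        for (dst, src) in buf.iter_mut().zip(&self.data) {
            *dst = MaybeUninit::new(*src);
        }
        self.data.len().min(buf.len())
    }
}

// Sound use of the fixed signature: the slice is consumed while `buf` is alive.
pub fn sum_with_tied(src: &Source) -> u32 {
    let mut buf = [MaybeUninit::<u8>::uninit(); 4];
    src.read_tied(&mut buf).iter().map(|&b| u32::from(b)).sum()
}

// The elided signature lets this compile although the result points into a local:
//     fn dangling(src: &Source) -> &[u8] {
//         let mut buf = [MaybeUninit::<u8>::uninit(); 4];
//         src.read_elided(&mut buf)
//     }
// With `read_tied` in its place, rustc rejects it because `buf` is a local.

fn main() {
    let src = Source { data: vec![1, 2, 3] };
    let mut buf = [MaybeUninit::<u8>::uninit(); 8];
    println!("{} {:?}", sum_with_tied(&src), src.read_elided(&mut buf));
}
```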

Collaborator

Jujstme commented Dec 26, 2025

No need, I checked it by myself and you're right 👍

@CryZe CryZe merged commit 573e638 into master Dec 26, 2025
7 checks passed
@CryZe CryZe deleted the read-into-uninit-slice-unsound branch December 26, 2025 17:25