Artisan-Lab / RAP

Rust Analysis Platform
Apache License 2.0

SafeDrop Fails to Detect Use-After-Free Bug #4

Closed stuuupidcat closed 1 month ago

stuuupidcat commented 2 months ago

Description

SafeDrop fails to detect a use-after-free vulnerability in the Rust code snippet provided below. The code involves unsafe operations, including the use of std::mem::transmute to extend the lifetime of a reference, which leads to a use-after-free situation when the original data is dropped prematurely.

Code Snippet

struct MyRef<'a> {
    a: &'a str,
}

impl<'a> MyRef<'a> {
    fn print(&self) {
        println!("{}", self.a);
    }
}

// Launders the borrowed lifetime 'a into 'static, so the borrow checker no
// longer ties `myref` to the String it points into.
unsafe fn f<'a>(myref: MyRef<'a>) -> MyRef<'static> {
    unsafe {
        std::mem::transmute(myref)
    }
}

fn main() {
    let string = "Hello World!".to_string();
    unsafe {
        let my_ref = f(MyRef { a: &string });
        drop(string); // Frees the String while my_ref still points into it
        my_ref.print(); // Expected to fail but executes without detection of use-after-free
    }
}
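As an added example (not code from the issue or from the RAP project), the same `MyRef` type with the lifetime-extending transmute removed: `f` then keeps the caller's lifetime, so the borrow checker rejects the drop-before-use ordering at compile time, and only the safe ordering builds. `render` replaces `print` so the result can be checked.

```rust
// Added example, not part of the RAP project or the issue report.
struct MyRef<'a> {
    a: &'a str,
}

impl<'a> MyRef<'a> {
    // Return the text instead of printing it, so the result can be checked.
    fn render(&self) -> String {
        self.a.to_string()
    }
}

// Safe replacement for `unsafe fn f`: the returned value keeps the caller's
// lifetime 'a instead of being laundered to 'static by transmute.
fn f<'a>(myref: MyRef<'a>) -> MyRef<'a> {
    myref
}

// Correct ordering: the reference is used while `string` is still alive.
pub fn use_before_drop() -> String {
    let string = "Hello World!".to_string();
    let my_ref = f(MyRef { a: &string });
    let out = my_ref.render();
    drop(string);
    out
}

// The ordering from the issue no longer compiles with the safe `f`: rustc
// reports error E0505, "cannot move out of `string` because it is borrowed",
// which is the use-after-free rejected at compile time.
//
// fn use_after_drop() -> String {
//     let string = "Hello World!".to_string();
//     let my_ref = f(MyRef { a: &string });
//     drop(string);
//     my_ref.render()
// }

fn main() {
    println!("{}", use_before_drop());
}
```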
VaynNecol commented 1 month ago

This bug has been fixed in safedrop#fix manual deallocation and safedrop#fix type filter.

stuuupidcat commented 1 month ago

copy that