Hugal31
commented
2 years ago LGTM, thanks.
The internals should be unsafe, indeed. That's my first attempt at writing a FFI wrapper, so I was not sure where the unsafe should go.
Closed roblabla closed 2 years ago
Hugal31
commented
2 years ago LGTM, thanks.
The internals should be unsafe, indeed. That's my first attempt at writing a FFI wrapper, so I was not sure where the unsafe should go.
This branch fixes two soundness holes in the current yara-rust implementation:
impl TryFrom<*mut YR_RULES> for Rules, which would allow anyone to create aRulesstructure from an invalid, null, or shared raw pointers, allowing safe code to trigger segfaults trivially.fn scan_x<'r>(&self, /* ... */) -> Result<Vec<Rule<'r>>, YaraError>. The'rlifetime is unbound, meaning the caller gets to chose how large it is! As such, the caller may keep the outputRulelonger than theRulesinstance, causing use-after-frees.Note that part of the problem with this second case is that the safety boundary of this library is sort of misplaced. The
internalsfunction are all marked as safe, despite being unsafe to use. While this is not really a problem (those functions aren't exposed to the outside world), it makes it harder to spot these kinds of mistakes during review, as the code that binds the lifetime (scan_xinsrc/rules.rs) is far from the code that does the unsafe operation (scan_xfromsrc/internals/rules.rs).I believe those problems would be easier to spot if the internals function were marked unsafe, with their safety invariants properly spelled out. If this is something that's of interest, I can submit a PR that moves to such a design.