search

binast / binjs-ref

Reference implementation for the JavaScript Binary AST format
https://binast.github.io/binjs-ref/binjs/index.html
Other
431 stars 38 forks source link

'read()' on uninitialized memory may cause undefined behavior #460

Open JOE1994 opened 3 years ago

JOE1994 commented 3 years ago

Hello :crab: , we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

We found four cases where an uninitialized buffer is created and then passed to a user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory). This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit) is not safe, and can lead to undefined behavior.

https://github.com/binast/binjs-ref/blob/4261ca204354423faa1c5e4236dff5e93b20a09d/crates/binjs_io/src/bytes/compress.rs#L243-L245

https://github.com/binast/binjs-ref/blob/4261ca204354423faa1c5e4236dff5e93b20a09d/crates/binjs_io/src/util.rs#L77-L81

https://github.com/binast/binjs-ref/blob/4261ca204354423faa1c5e4236dff5e93b20a09d/crates/binjs_io/src/multipart/read.rs#L26-L39

https://github.com/binast/binjs-ref/blob/4261ca204354423faa1c5e4236dff5e93b20a09d/crates/binjs_io/src/multipart/read.rs#L42-L50

Suggested Fix

It is safe to zero-initialize the newly allocated u8 buffer before read(), in order to prevent user-provided Read from accessing old contents of the newly allocated heap memory.

Thank you for checking out this issue :+1: