Closed Mark-Simulacrum closed 1 year ago
Mark-Simulacrum
commented
1 year ago https://github.com/rust-lang/rust/pull/98112 doesn't seem to have an FCP for doing this, which makes some sense (it's just "exploiting" UB).
@saethlin did we file PRs against the relevant crates which break the most transitive tests at least? e.g., rand_core 0.2.x, 0.3.x, 0.4.x seem to be a good fraction of this list. There's a few more crates that seem to stand out too (e.g., plotters-bitmap).
saethlin
commented
1 year ago We did not make any effort to file fixes for the relevant crates.
The rand_core issue in 0.4 has been patched for about 4 years: https://github.com/rust-random/rand/pull/783 then it looks to me like rand does the semver trick, so I think they pulled the fix into 0.3 and 0.2, based on spot checking.
The plotters-bitmap issue was patched a few weeks ago, it's just not released yet: https://github.com/plotters-rs/plotters/pull/467
saethlin
commented
1 year ago The only things I think are significant are:
An issue in an old version (almost 4 years old) of wasmtime-runtime, https://crater-reports.s3.amazonaws.com/beta-1.70-2/beta-2023-05-08/gh/rohankumardubey.wizer/log.txt
Multiple crates hitting an issue in kamadak-exif-0.3.1:
https://crater-reports.s3.amazonaws.com/beta-1.70-2/beta-2023-05-08/reg/quad-image-0.1.1/log.txt
https://crater-reports.s3.amazonaws.com/beta-1.70-2/beta-2023-05-08/gh/jondot.rawsort/log.txt
https://crater-reports.s3.amazonaws.com/beta-1.70-2/beta-2023-05-08/gh/senden9.geo_fence/log.txt
This issue was patched 4 years ago in https://github.com/kamadak/exif-rs/commit/288a7e85c58caa9f041d7ad6937867478ba780c4 but there isn't a semver-compatible update available.
I don't think these are worth doing anything with. All we could do here is ask maintainers to backport fixes.
Mark-Simulacrum
commented
1 year ago Sounds like that's right. The main thing we usually try to ensure is that there is some upgrade path, especially for common code, and I think this covers most of that. Plus it technically won't affect non-debug builds, so users have that escape hatch too.
I'm fine leaving this as-is.
oherrala
commented
1 year ago I think ipconfig crate is affected by this: https://github.com/liranringel/ipconfig/issues/53
thread '<redacted>' panicked at 'misaligned pointer dereference: address must be a multiple of 0x8 but is 0x189f604', C:\Users\runneradmin\.cargo\registry\src\index.crates.io-1cd66030c949c28d\ipconfig-0.3.1\src\adapter.rs:293:23@Mark-Simulacrum Should this issue stay open? I don't think we have an actual regression here.
Mark-Simulacrum
commented
1 year ago Yeah, I think we can close this.
A bunch of these seem to come from rand_core 0.2.1, 0.3.0, and 0.4.0 code (not sure if we can fix it there?)
Not rand_core:
cc https://github.com/rust-lang/rust/pull/98112