Closed shinmao closed 1 year ago
Thanks!
Would you mind reporting to RUSTSEC advisories so that users can update via cargo audit? Or I can help report it?
I had no idea that unsoundness rose to the level of security advisories, but by all means…
Yes. UB means that we can't guarantee what would happen on any target at any time. UB should not happen with a safe function. In this case, an uninitialized memory read might also cause security issues.
The source of soundness

https://github.com/urschrei/lonlat_bng/blob/c66eca1c878c8d7eb86b53463ccaf56e86dac7bb/src/ffi.rs#L64-L79

With `from` at line 66, we can cast an arbitrary type as `Array.data`; with `from` at line 76, we can create a slice of `f64`. It is unsound because there is no trait bound on `T`, so we can indirectly cast arbitrary types to an `f64` slice. If we pass any type with a smaller alignment, such as `f32`, it would lead to an out-of-bounds read when `slice::from_raw_parts_mut` tries to call `&mut *ptr::slice_from_raw_parts_mut()`. The reason is that it would create a slice of `8 bytes * arr.len` while the actual data only has a size of `4 bytes * arr.len`. Another point is that even though we could change the `arr.len` here to one based on `f32` (e.g., `arr.len / 2`), it is still UB due to accessing misaligned memory.

To reproduce the bug
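The unsound producer/consumer pair described above next to a sound alternative, as an added example that is neither the reporter's reproduction nor the lonlat_bng crate's own code; the `Array` and `F64Array` types, their field names and `as_slice_mut` are assumptions modelled on the description, and the unsound `f64` consumer is shown for comparison only.

```rust
use std::ffi::c_void;
use std::mem::{align_of, size_of};
use std::slice;

/// Descriptor modelled on the issue's `Array` (added example; field names assumed).
#[repr(C)]
pub struct Array {
    pub data: *const c_void,
    pub len: usize,
}
/// Unsound pair described in the issue: the producer accepts any `T` with no bound ...
impl<T> From<&mut [T]> for Array {
    fn from(sl: &mut [T]) -> Self {
        Array { data: sl.as_mut_ptr() as *const c_void, len: sl.len() }
    }
}
/// ... while the consumer assumes `f64`, so an `f32` buffer becomes an 8 * len byte
/// slice over only 4 * len bytes of possibly misaligned data. Never exercised here.
impl From<Array> for &mut [f64] {
    fn from(arr: Array) -> Self {
        unsafe { slice::from_raw_parts_mut(arr.data as *mut f64, arr.len) }
    }
}

/// Sound alternative: element type fixed in the descriptor, the only safe
/// constructor takes `&mut [f64]`, and the view is an `unsafe fn` with a contract.
#[repr(C)]
pub struct F64Array {
    pub data: *mut f64,
    pub len: usize,
}
impl From<&mut [f64]> for F64Array {
    fn from(sl: &mut [f64]) -> Self {
        F64Array { data: sl.as_mut_ptr(), len: sl.len() }
    }
}
impl F64Array {
    /// # Safety
    /// `data` must point to `len` initialized `f64`s that nothing else accesses while
    /// the slice lives. What *can* be checked on a descriptor filled in by C (null,
    /// misalignment, byte-length overflow) is rejected with `None` instead of UB.
    pub unsafe fn as_slice_mut<'a>(&self) -> Option<&'a mut [f64]> {
        let aligned = (self.data as usize) % align_of::<f64>() == 0;
        let bytes = self.len.checked_mul(size_of::<f64>())?;
        if self.data.is_null() || !aligned || bytes > isize::MAX as usize {
            return None;
        }
        Some(slice::from_raw_parts_mut(self.data, self.len))
    }
}
```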