Skip to content

Soundness bug #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eduardosm opened this issue Mar 6, 2020 · 3 comments
Open

Soundness bug #2

eduardosm opened this issue Mar 6, 2020 · 3 comments

Comments

@eduardosm
Copy link

eduardosm commented Mar 6, 2020
edited
Loading

Getting a segmentation fault is as easy as:

fn main() {
    let b = cbox::CBox::<str>::new(std::ptr::null_mut());
    println!("{}", b);
}

This allows to de-reference arbitrary raw pointers.
@elichai
Copy link

elichai commented Apr 6, 2020
edited
Loading

You can also get it to double free just as easily:

use cbox::*;
fn main() {
    let p = vec![1, 2, 3].as_mut_ptr();
    let semibox: CSemiBox<'static, str> = CSemiBox::new(p as _);
    drop(semibox);
    println!("Hello World")
}

https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=23b843114b14d79ebb418975c2474dd1

@elichai
Copy link

elichai commented Apr 6, 2020

You can also create UB via invalid UTF-8:

fn main() {
    let mut vec = vec![139,50];
    let p = vec.as_mut_ptr();
    let cbox: CBox<str> = CBox::new(p as _);
    let s: &str = cbox.deref();
    println!("Hello World: {:?}", s);
}

@elichai
Copy link

elichai commented Apr 6, 2020

Anyhow this is a fun library :)
But it was written 5 years ago... so IMO the bug is in any library that is still maintained/used that uses a library that was last maintained before Rust 1.10 came out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eduardosm @elichai