Ucontext creates reference to uninitialized memory

[gnzlbg]

See

nix/src/ucontext.rs

Line 17 in 50f55e7

let mut context: libc::ucontext_t = unsafe { mem::uninitialized() };

You probably want to use mem::zeroed() here.

Note also that newer ucontext_t have a shadow stack field that's not available in older versions. Since the ucontext_t struct becomes larger, this should be able to work in a backward compatible way.

[gnzlbg]

Also, Ucontext appears to be untested.

[asomers]

That shouldn't be a problem. The value is only uninitialized until it gets initialized two lines lower. Or is there something else I'm missing?

[gnzlbg]

If one uses mem::uninitialized or mem::zeroed, one needs to check for all ucontext_t on all platforms that these bit-patterns are valid. If they aren't, the behavior is undefined, and this is a type of UB that LLVM exploits (e.g. if uncontext_t contains a bool or a fn()->()).

The easiest safest way of creating an uninitialized or zero-initialized libc::ucontext_t is via MaybeUninit, which also provides an API to initialize the bytes of its contents without invoking UB, e.g., due to the creation of references to an invalid value, which is also another type of UB that LLVM exploits (e.g. by assuming dereferenceable).

Since ucontext_t is kind of outside of nix control, I'd say use MaybeUninit if you can, and otherwise do something like this to avoid all UB:

union MaybeUninit_ { x: ucontext_t, y: () }
// initialize the storage of ucontext_t to uninitialized, while initializing the union:
let mut context = MaybeUninit_ { y: () };
// create a raw pointer to ucontext_t without creating a reference to it:
let ptr = &mut context as *mut _ as *mut ucontext_t; 
// ...use ptr...
// Once ucontext_t properly initialized, pull it out
let context = unsafe { context.x };

[asomers]

Closing in favor of #1096 .