Missing wraparound checks in DroplessArena allocation

DroplessArena::alloc_raw does not check for wraparound when computing the end of the allocation, pointer arithmetic using `self.ptr` and `bytes`:

https://github.com/rust-lang/rust/blob/aeca4d6428c52cbf2c8d1f28657b0bdf92e4ea7c/src/libarena/lib.rs#L382-L391

This can be used to make the pointer wrap around, and "allocate", bumping the pointer, without growing the underlying allocation.

Callers `alloc` and `alloc_slice` can possibly be argued to be safe due to practical size limits on values and slices, but at least `alloc_from_iter` can be used to trigger this bug and write out of bounds of an allocation.

Fixes to make

1. Check arithmetic and ensure the allocation can fit into the current (or any) chunk

(Suggested) cleanups to make

1. The arith_offset intrinsic is the same thing as `<*mut T>::wrapping_add`, and the method should be preferred.
2. `alloc_raw` should return something else than `&mut [u8]`, because the contents of the slice are uninit. For example a raw slice or a slice of `MaybeUninit`.

This came up in discussion in PR #72417

	pub fn alloc_raw(&self, bytes: usize, align: usize) -> &mut [u8] {
	unsafe {
	assert!(bytes != 0);

	self.align(align);

	let future_end = intrinsics::arith_offset(self.ptr.get(), bytes as isize);
	if (future_end as *mut u8) >= self.end.get() {
	self.grow(bytes);
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing wraparound checks in DroplessArena allocation #72624

bluss
openedon May 26, 2020

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Missing wraparound checks in DroplessArena allocation #72624

Description

blussopenedon May 26, 2020

Metadata