-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsound impl of From<&'a [u8]> for Uint8Array #1814
Comments
See also @Pauan's comment at #1619 (comment):
The docs for /// Creates a JS typed array which is a view into wasm's linear
/// memory at the slice specified.
///
/// This function returns a new typed array which is a view into
/// wasm's memory. This view does not copy the underlying data.
///
/// # Unsafety
///
/// Views into WebAssembly memory are only valid so long as the
/// backing buffer isn't resized in JS. Once this function is called
/// any future calls to `Box::new` (or malloc of any form) may cause
/// the returned value here to be invalidated. Use with caution!
///
/// Additionally the returned object can be safely mutated but the
/// input slice isn't guaranteed to be mutable.
///
/// Finally, the returned object is disconnected from the input
/// slice's lifetime, so there's no guarantee that the data is read
/// at the right time. |
Sorry, Ignore me. I think this was actually a bug in my code. Originally I had the below code and without making a second copy of the #[wasm_bindgen]
pub fn encode_gcode_program(
chunk_number: u16,
first_line: u32,
text: &str,
) -> Uint8Array {
let mut buffer = [0; anpp::Packet::MAX_PACKET_SIZE];
let msg = GcodeProgram::new(chunk_number, first_line, text);
let bytes_written = buffer
.pwrite_with(msg, 0, Endian::network())
.expect("Will always succeed");
Uint8Array::from(&buffer[..bytes_written])
} |
To be clear, this is not a security vulnerability, because JavaScript always has full 100% access to all of Rust's memory (stack and heap). So it's always possible for JavaScript to access dangling pointers and things like that. Secondly, |
Describe the Bug
The From<&'a [u8]> for Uint8Array impl is unsound, allowing the user to create dangling pointers.
Steps to Reproduce
Doing anything with the
Uint8Array
returned from thisfoo()
function will let you access memory fromfoo()
's stack frame after it's been popped.Expected Behaviour
It should be impossible to use a dangling pointer without using
unsafe
infoo
.This should be prevented at compile time, or a defensive copy should be made at runtime.
Actual Behaviour
The
Uint8Array
lets you access bytes from a stack frame after it's been popped.Additional Context
arrays!()
macroThe text was updated successfully, but these errors were encountered: