Description
Unsafe code in ObjectPool has a time-of-check to time-of-use (TOCTOU) bug that can eventually lead to a memory safety violation. ObjectPool and HandlePool implicitly assume that HandleLike trait methods are pure, i.e., they always return the same value. However, this assumption is unsound since HandleLike is a safe, public trait that allows a custom implementation.
Demonstration
Crate: crayon
Version: 0.7.1
OS: Ubuntu 18.04.5 LTS
Rust: rustc 1.46.0 (04488afe3 2020-08-24)
```rust
#![forbid(unsafe_code)]
use crayon::utils::handle::{HandleIndex, HandleLike};
use crayon::utils::object_pool::ObjectPool;
use std::sync::atomic::{AtomicBool, Ordering};

#[derive(Debug)]
struct DropDetector(u32);

impl Drop for DropDetector {
    fn drop(&mut self) {
        println!("Dropping {}", self.0);
    }
}

static FLAG: AtomicBool = AtomicBool::new(false);

#[derive(Debug, Clone, Copy, Hash, PartialEq, Eq)]
struct MyHandle {
    indices: [HandleIndex; 2],
    version: HandleIndex,
}

impl HandleLike for MyHandle {
    fn new(index: HandleIndex, version: HandleIndex) -> Self {
        MyHandle {
            indices: [index, index],
            version,
        }
    }

    fn index(&self) -> HandleIndex {
        if dbg!(FLAG.fetch_xor(true, Ordering::Relaxed)) {
            self.indices[1]
        } else {
            self.indices[0]
        }
    }

    fn version(&self) -> HandleIndex {
        self.version
    }
}

impl MyHandle {
    fn with_indices(indices: [HandleIndex; 2], version: HandleIndex) -> Self {
        MyHandle { indices, version }
    }
}

fn main() {
    let mut pool = ObjectPool::new();
    let real_handle: MyHandle = pool.create(123);
    let fake_handle =
        MyHandle::with_indices([real_handle.index(), 12345678], real_handle.version());
    // Segfault with OOB, accessing `pool.entries[12345678]` without boundary checking
    dbg!(pool.get(fake_handle));
    // The bug can be similarly triggered in all other methods of `ObjectPool`
    // that call `handle.index()` in an unsafe block.
}
```
crayon/src/utils/handle.rs (lines 90 to 94 in 48d4e87)
crayon/src/utils/object_pool.rs (lines 48 to 66 in 48d4e87)
crayon/src/utils/object_pool.rs (lines 164 to 174 in 48d4e87)
Output:
Return Code: -11 (SIGSEGV)
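To make the root cause concrete, here is an added example (not crayon's code, and not part of the original report) built as a minimal stand-alone pool. The `HandleLike` trait, `Pool`, `FlipHandle` and the two `get` variants are assumptions modelled on the issue's description: one method repeats the check-then-reread pattern that lets a non-pure `index()` pass the bounds check with one value and be used with another, and the other reads `index()` exactly once so the check and the use can never disagree. The unsound variant is written with bounds-checked `.get()` on the second read, so the mismatch surfaces as `None` rather than as an out-of-bounds access.

```rust
// Added example, not crayon's own code: a minimal handle pool modelled on the
// issue's description, contrasting the check-then-reread pattern behind the
// TOCTOU with the fix of reading `index()` exactly once.
use std::sync::atomic::{AtomicUsize, Ordering};

pub type HandleIndex = u32;

/// Mirrors the shape of a safe, public handle trait (assumed here): nothing
/// stops an implementor from returning a different index on every call.
pub trait HandleLike {
    fn index(&self) -> HandleIndex;
    fn version(&self) -> HandleIndex;
}

/// Well-behaved handle: `index()` is pure.
#[derive(Clone, Copy, Debug)]
pub struct PlainHandle {
    pub index: HandleIndex,
    pub version: HandleIndex,
}

impl HandleLike for PlainHandle {
    fn index(&self) -> HandleIndex { self.index }
    fn version(&self) -> HandleIndex { self.version }
}

/// Misbehaving handle in the spirit of the reproducer's `MyHandle`:
/// alternates between two indices on successive `index()` calls.
pub struct FlipHandle {
    indices: [HandleIndex; 2],
    version: HandleIndex,
    calls: AtomicUsize,
}

impl FlipHandle {
    pub fn new(indices: [HandleIndex; 2], version: HandleIndex) -> Self {
        FlipHandle { indices, version, calls: AtomicUsize::new(0) }
    }
}

impl HandleLike for FlipHandle {
    fn index(&self) -> HandleIndex {
        let n = self.calls.fetch_add(1, Ordering::Relaxed);
        self.indices[n % 2]
    }
    fn version(&self) -> HandleIndex { self.version }
}

struct Entry<T> { version: HandleIndex, value: T }

pub struct Pool<T> { entries: Vec<Entry<T>> }

impl<T> Pool<T> {
    pub fn new() -> Self { Pool { entries: Vec::new() } }

    pub fn create(&mut self, value: T) -> PlainHandle {
        let index = self.entries.len() as HandleIndex;
        self.entries.push(Entry { version: 1, value });
        PlainHandle { index, version: 1 }
    }

    /// Unsound shape from the issue: the bounds/version check reads
    /// `handle.index()`, then the access reads it AGAIN. A hostile handle can
    /// pass the check with one index and be accessed with another. With an
    /// unchecked access that is an out-of-bounds read; here the second read is
    /// bounds-checked so the mismatch shows up as `None` instead of a crash.
    pub fn get_check_then_reread<H: HandleLike>(&self, handle: &H) -> Option<&T> {
        let checked = handle.index() as usize; // time of check
        let entry = self.entries.get(checked)?;
        if entry.version != handle.version() { return None; }
        let used = handle.index() as usize; // time of use: re-read, may differ
        self.entries.get(used).map(|e| &e.value)
    }

    /// Fixed shape: read `index()` exactly once, check that value, and use the
    /// same local for the access. The trait implementation no longer matters.
    pub fn get<H: HandleLike>(&self, handle: &H) -> Option<&T> {
        let index = handle.index() as usize;
        let entry = self.entries.get(index)?;
        if entry.version != handle.version() { return None; }
        Some(&entry.value)
    }
}

fn main() {
    let mut pool = Pool::new();
    let real = pool.create("payload");
    // Constructed hostile handle: check sees index 0, use sees 12_345_678.
    let hostile = FlipHandle::new([real.index(), 12_345_678], real.version());
    assert_eq!(pool.get_check_then_reread(&hostile), None);
    // Single read of index(): check and use agree, so the lookup succeeds.
    assert_eq!(pool.get(&hostile), Some(&"payload"));
}
```

The same single-read discipline applies to every pool method that bounds-checks a handle and then dereferences it: store the result of `index()` in a local before any check and never call the trait method again inside the `unsafe` block.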