SFT-UNKN: Fix addr_of_mut warnings.

The Passport firmware code runs on a "single thread" so the warnings don't apply here. * extmod/foundation-rust/src/secp256k1.rs: Replace `&mut ...' with `&mut *addr_of_mut!(...)'. * extmod/foundation-rust/src/ur/decoder.rs: Ditto. * extmod/foundation-rust/src/ur/encoder.rs: Ditto. * extmod/foundation-rust/src/ur/mod.rs: Ditto.
Foundation-Devices · May 13, 2024 · 81d4852 · 81d4852
1 parent ba2cbb4
commit 81d4852
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 8 deletions.
diff --git a/extmod/foundation-rust/src/secp256k1.rs b/extmod/foundation-rust/src/secp256k1.rs
@@ -1,6 +1,7 @@
 // SPDX-FileCopyrightText: © 2023 Foundation Devices, Inc. <hello@foundationdevices.com>
 // SPDX-License-Identifier: GPL-3.0-or-later
 
+use core::ptr;
 use once_cell::sync::Lazy;
 use secp256k1::{
     ffi::types::AlignedType, AllPreallocated, KeyPair, Message, Secp256k1,
@@ -12,7 +13,13 @@ static mut PRE_ALLOCATED_CTX_BUF: [AlignedType; 20] = [AlignedType::ZERO; 20];
 /// cbindgen:ignore
 static PRE_ALLOCATED_CTX: Lazy<Secp256k1<AllPreallocated<'static>>> =
     Lazy::new(|| {
-        let buf = unsafe { &mut PRE_ALLOCATED_CTX_BUF };
+        // SAFETY:
+        //
+        // This pre-allocated buffer safety depends on trusting libsecp256k1
+        // that it writes the context buffer only once for initialization and
+        // then only performs reads to it.
+        let buf = unsafe { &mut *ptr::addr_of_mut!(PRE_ALLOCATED_CTX_BUF) };
+
         Secp256k1::preallocated_new(buf)
             .expect("the pre-allocated context buf should have enough space")
     });

diff --git a/extmod/foundation-rust/src/ur/decoder.rs b/extmod/foundation-rust/src/ur/decoder.rs
@@ -3,7 +3,7 @@
 
 //! Decoder.
 
-use core::{fmt, slice, str};
+use core::{fmt, ptr, slice, str};
 
 use foundation_ur::{
     bytewords, bytewords::Style, decoder::Error, max_fragment_len,
@@ -246,7 +246,8 @@ pub unsafe extern "C" fn ur_decode_single_part(
         }
     };
 
-    let message = unsafe { &mut UR_DECODER_SINGLE_PART_MESSAGE };
+    let message =
+        unsafe { &mut *ptr::addr_of_mut!(UR_DECODER_SINGLE_PART_MESSAGE) };
     message.clear();
     message
         .resize(UR_DECODER_MAX_SINGLE_PART_MESSAGE_LEN, 0)

diff --git a/extmod/foundation-rust/src/ur/encoder.rs b/extmod/foundation-rust/src/ur/encoder.rs
@@ -3,7 +3,7 @@
 
 //! Encoder.
 
-use core::{ffi::c_char, fmt::Write};
+use core::{ffi::c_char, fmt::Write, ptr};
 
 use foundation_ur::{max_fragment_len, HeaplessEncoder};
 use minicbor::{Encode, Encoder};
@@ -106,7 +106,7 @@ pub unsafe extern "C" fn ur_encoder_start(
     let value = unsafe { value.to_value() };
 
     // SAFETY: This code assumes that runs on a single thread.
-    let message = unsafe { &mut UR_ENCODER_MESSAGE };
+    let message = unsafe { &mut *ptr::addr_of_mut!(UR_ENCODER_MESSAGE) };
 
     message.clear();
     let mut e = Encoder::new(Writer(message));
@@ -142,7 +142,7 @@ pub unsafe extern "C" fn ur_encoder_next_part(
 ) {
     let part = encoder.inner.next_part();
 
-    let buf = unsafe { &mut UR_ENCODER_STRING };
+    let buf = unsafe { &mut *ptr::addr_of_mut!(UR_ENCODER_STRING) };
     buf.clear();
     write!(buf, "{part}").unwrap();
     buf.push(b'\0').unwrap();

diff --git a/extmod/foundation-rust/src/ur/mod.rs b/extmod/foundation-rust/src/ur/mod.rs
@@ -3,7 +3,7 @@
 
 //! Uniform Resources.
 
-use core::{ffi::c_char, fmt, fmt::Write};
+use core::{ffi::c_char, fmt, fmt::Write, ptr};
 
 /// cbindgen:ignore
 #[used]
@@ -43,7 +43,7 @@ impl UR_Error {
     /// an invalid message. So the data pointed by `message` should be copied
     /// and `UR_Error` must be dropped.
     pub unsafe fn new(message: &dyn fmt::Display, kind: UR_ErrorKind) -> Self {
-        let error = &mut UR_ERROR;
+        let error = &mut *ptr::addr_of_mut!(UR_ERROR);
         error.clear();
 
         if write!(error, "{}", message).is_err() {