Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] owning_ref vulnerability #678

Open
DJDuque opened this issue Sep 25, 2022 · 7 comments
Open

[BUG] owning_ref vulnerability #678

DJDuque opened this issue Sep 25, 2022 · 7 comments
Labels
bug

Comments

@DJDuque
Copy link
Contributor

DJDuque commented Sep 25, 2022

cursive-core uses owning-ref crate, which has a couple of issues as described here: https://github.com/noamtashma/owning-ref-unsoundness

The maintainer of owning_ref seems unresponsive, and I was wondering if there are any plans to move away from having this crate as a dependency? Is Cursive affected by the unsound api of owning_ref?
@DJDuque DJDuque added the bug label Sep 25, 2022
@gyscos
Copy link
Owner

gyscos commented Sep 26, 2022
edited
Loading

Hi,

I don't think we use the affected API directly form cursive. We do re-export a OwningHandle type, so users could possibly call the unsound APIs themselves on this, but that's not exactly something we can do anything about (and its' not a usage we even mention).

If a more supported alternative exists (or if/when the same simple use-case we need can be handled without unsafe), I could absolutely consider switching.

@dbrgn
Copy link
Contributor

dbrgn commented Sep 27, 2022

More details here: https://rustsec.org/advisories/RUSTSEC-2022-0040

@gyscos
Copy link
Owner

gyscos commented Sep 29, 2022
edited
Loading

What we want is Arc/Rc projection. Here's a thread from last year about it (also mentioning owning-ref, and its soundness issues): https://internals.rust-lang.org/t/field-projection-for-rc-and-arc/15827

For some restricted use-cases of common combinations (Rc<RefCell<T>> and Arc<Mutex<T>>), it should be possible to have a safe API - which is exactly what owning-ref does (only owning-ref also adds other less safe APIs). Something like shared-rc (though that particular crate is still very new).

yoke might also be an interesting replacement.

@alexanderkjall
Copy link
Contributor

shared-rc looks promising

@gyscos gyscos mentioned this issue Mar 27, 2023
Closed
@gyscos
Copy link
Owner

gyscos commented Jan 2, 2024
edited
Loading

After toying with ouroboros, I ended up using parking_lot and its ArcMutexGuard, which looks exactly like what we need: a popular, maintained crate with a specific-purpose implementation avoiding most of the pitfalls from general-purpose self-referencing libs.

  • yoke is mostly focused on zero-copy deserialization, and it shows in the Yokeable trait, which is not implemented for anything close to a mutex.
  • self_cell looked promising but does not support generics (we need to be generic on V: View).
  • ouroboros was interesting but did not support DerefMut<Target = V> for soundness reason in the general case, which would have broken the current API.
  • guardian looked like it could be a fit, but with no dependent and low usage, it felt a bit risky.

@hrkfdn hrkfdn mentioned this issue Jan 13, 2024
Open
@TobiPeterG
Copy link

Would it be possible to just switch to https://crates.io/crates/safer_owning_ref?
It's owning_ref but with the security issue fixed :)

@gyscos
Copy link
Owner

gyscos commented Mar 27, 2024

In my previous post I mentioned switching to parking_lot, but apparently I only did that for NamedView - the main use of owning_ref I had.

Turns out there was another use of it in TextView, but here it was entirely useless. I have now removed owning_ref entirely from the dependencies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dbrgn @gyscos @alexanderkjall @TobiPeterG @DJDuque