Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read on uninitialized buffer may cause UB (4 functions) #2

Closed
JOE1994 opened this issue Jan 27, 2021 · 1 comment
Closed

Read on uninitialized buffer may cause UB (4 functions) #2

JOE1994 opened this issue Jan 27, 2021 · 1 comment

Comments

@JOE1994
Copy link

JOE1994 commented Jan 27, 2021

Hello 🦀,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

messagepack-rs/messagepack-rs/src/deserializable.rs

Lines 59 to 71 in ceaf013

fn deserialize_binary<R: Read>(size: usize, buf_reader: &mut R) -> Result<Self, DeserializeError> {
let mut buf = Vec::with_capacity(size);
unsafe { buf.set_len(size); }
buf_reader.read_exact(&mut buf[..]).or(Err(DeserializeError::InvalidValue))?;
Ok(From::from(Binary(buf)))
}
fn deserialize_string<R: Read>(size: usize, buf_reader: &mut R) -> Result<Self, DeserializeError> {
let mut buf = Vec::with_capacity(size);
unsafe { buf.set_len(size); }
buf_reader.read_exact(&mut buf).or(Err(DeserializeError::InvalidValue))?;
Ok(From::from(String::from_utf8(buf).or(Err(DeserializeError::InvalidValue))?))
}

messagepack-rs/messagepack-rs/src/deserializable.rs

Lines 90 to 92 in ceaf013

unsafe { buf.set_len(buf.capacity()); }
buf_reader.read_exact(&mut buf[..]).or(Err(DeserializeError::InvalidValue))?;
String::from_utf8(buf).or(Err(DeserializeError::InvalidValue))

messagepack-rs/messagepack-rs/src/deserializable.rs

Lines 90 to 92 in ceaf013

unsafe { buf.set_len(buf.capacity()); }
buf_reader.read_exact(&mut buf[..]).or(Err(DeserializeError::InvalidValue))?;
String::from_utf8(buf).or(Err(DeserializeError::InvalidValue))

4 functions (deserializable::Deserializable::{deserialize_string, deserialize_extension_others, deserialize_map::deserialize_string_primitive}) create an uninitialized buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).

This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.

How to fix the issue?

The Naive & safe way to fix the issue is to always zero-initialize a buffer before lending it to a user-provided Read implementation. Note that this approach will add runtime performance overhead of zero-initializing the buffer.

As of Jan 2021, there is not yet an ideal fix that works in stable Rust with no performance overhead. Below are links to relevant discussions & suggestions for the fix.
@ammaraskar ammaraskar mentioned this issue Mar 26, 2021
Merged
@otake84
Copy link
Owner

otake84 commented Nov 25, 2021
edited
Loading

Sorry for the late reply.
I have responded with the following PR.
#3

@otake84 otake84 closed this as completed Nov 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@otake84 @JOE1994