Skip to content

Fix handling empty AllowedMechanisms attribute #324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix handling empty AllowedMechanisms attribute #324

wants to merge 2 commits into from

Conversation

@Jakuje
Copy link
Collaborator

@Jakuje Jakuje commented Nov 20, 2025

As returned by SoftHSM: softhsm/SoftHSMv2#825

Fixes: #323

@Jakuje Jakuje mentioned this pull request Nov 20, 2025
Open
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 03f686d to a2ac816 Compare November 20, 2025 11:03
nwalfield
nwalfield reviewed Nov 20, 2025
View reviewed changes
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from a2ac816 to 32243e0 Compare November 20, 2025 11:19
@Jakuje
Copy link
Collaborator Author

Jakuje commented Nov 20, 2025

OTOH this could be considered a softhsm bug (or at least oddness) and as a rust-cryptoki, we might want to shield a users from such pkcs11-module-specific issues. But then we would have to filter this out early in get_attributes, which does not sound great either.

@Jakuje Jakuje requested review from hug-dev and wiktor-k November 20, 2025 11:23
@nwalfield
Copy link
Contributor

nwalfield commented Nov 20, 2025
edited
Loading

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

@Jakuje Jakuje mentioned this pull request Nov 20, 2025
Open
neverpanic
neverpanic reviewed Nov 20, 2025
View reviewed changes
@wiktor-k
Copy link
Collaborator

wiktor-k commented Nov 20, 2025

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

Validity rules for reads explicitly point out that:

For memory accesses of size zero, every pointer is valid, including the null pointer.

I'm okay with the change here, with a bit of docs around it, since at first sight it looks like a premature optimization 🤔

@nwalfield
Copy link
Contributor

nwalfield commented Nov 20, 2025

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

Validity rules for reads explicitly point out that:

For memory accesses of size zero, every pointer is valid, including the null pointer.

I'm okay with the change here, with a bit of docs around it, since at first sight it looks like a premature optimization 🤔

That's not the only relevant thing. From slice::from_raw_parts:

data must be non-null and aligned even for zero-length slices or slices of ZSTs.

And that's the bug that we are seeing.

@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 32243e0 to 84339fb Compare November 20, 2025 14:13
neverpanic
neverpanic reviewed Nov 20, 2025
View reviewed changes
Copy link

@neverpanic neverpanic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo, rest lg2m.

@Jakuje
object: Avoid crashing on zero-length AllowedMechanisms attribute
d00c97d 
As returned by SoftHSM: softhsm/SoftHSMv2#825

Fixes: parallaxsecond#323

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@Jakuje
tests: Reproducer for empty AllowedMechanisms issue with SoftHSM
0204b08 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 84339fb to 0204b08 Compare November 20, 2025 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wiktor-k wiktor-k Awaiting requested review from wiktor-k

@hug-dev hug-dev Awaiting requested review from hug-dev

2 more reviewers

@neverpanic neverpanic neverpanic left review comments

@nwalfield nwalfield nwalfield left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Undefined behavior in CK_ATTRIBUTE::try_from or Session::get_attributes

4 participants

@Jakuje @nwalfield @wiktor-k @neverpanic