Undefined Behavior in Vec::insert if passed an index outside of its capacity #122760

jwong101 · 2024-03-20T03:46:56Z

I tried this code:

vec![].insert(usize::MAX, usize::MAX);

I expected to see this happen:
The program should panic, but not have any undefined behavior.

Instead, this happened:
Miri reports that the program triggers undefined behavior.

MIRI Backtrace

   Compiling playground v0.0.1 (/playground)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.51s
     Running `/playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/bin/cargo-miri runner target/miri/x86_64-unknown-linux-gnu/debug/playground`
error: Undefined Behavior: out-of-bounds pointer arithmetic: alloc1582 has size 32, so pointer to 8 bytes starting at offset -8 is out-of-bounds
    --> /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:1554:25
     |
1554 |                 let p = self.as_mut_ptr().add(index);
     |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ out-of-bounds pointer arithmetic: alloc1582 has size 32, so pointer to 8 bytes starting at offset -8 is out-of-bounds
     |
     = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
     = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
help: alloc1582 was allocated here:
    --> src/main.rs:2:5
     |
2    |     vec![].insert(usize::MAX, usize::MAX);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     = note: BACKTRACE (of the first span):
     = note: inside `std::vec::Vec::<usize>::insert` at /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:1554:25: 1554:53
note: inside `main`
    --> src/main.rs:2:5
     |
2    |     vec![].insert(usize::MAX, usize::MAX);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

Meta

It seems like the issue is here:

rust/library/alloc/src/vec/mod.rs

Lines 1554 to 1563 in a77c20c

    
           let p = self.as_mut_ptr().add(index); 
        
           if index < len { 
        
               // Shift everything over to make space. (Duplicating the 
        
               // `index`th element into two consecutive places.) 
        
               ptr::copy(p, p.add(1), len - index); 
        
           } else if index == len { 
        
               // No elements need shifting. 
        
           } else { 
        
               assert_failed(index, len); 
        
           }

The length check needs to happen before the computation of ptr::add, since it's undefined behavior if the new pointer is out of bounds of the allocation or overflows the address space.

rustc --version --verbose:

rustc 1.79.0-nightly (a7e4de13c 2024-03-19)

The text was updated successfully, but these errors were encountered:

…ng-usize-max, r=Nilstrieb Add `usize::MAX` arg tests for Vec Tests to prevent recurrence of the UB from the rust-lang#122760 issue. I skipped the `with_capacity`, `drain`, `reserve`, etc. APIs because they actually had a good assortment of tests earlier in the same file. r? Nilstrieb

…jubilee,Nilstrieb fix OOB pointer formed in Vec::index Move the length check to before using `index` with `ptr::add` to prevent an out of bounds pointer from being formed. Fixes rust-lang#122760

…ng-usize-max, r=Nilstrieb Add `usize::MAX` arg tests for Vec Tests to prevent recurrence of the UB from the rust-lang#122760 issue. I skipped the `with_capacity`, `drain`, `reserve`, etc. APIs because they actually had a good assortment of tests earlier in the same file. r? Nilstrieb

…bilee,Nilstrieb fix OOB pointer formed in Vec::index Move the length check to before using `index` with `ptr::add` to prevent an out of bounds pointer from being formed. Fixes rust-lang#122760

…ng-usize-max, r=Nilstrieb Add `usize::MAX` arg tests for Vec Tests to prevent recurrence of the UB from the rust-lang#122760 issue. I skipped the `with_capacity`, `drain`, `reserve`, etc. APIs because they actually had a good assortment of tests earlier in the same file. r? Nilstrieb

Rollup merge of rust-lang#122765 - workingjubilee:test-for-vec-handling-usize-max, r=Nilstrieb Add `usize::MAX` arg tests for Vec Tests to prevent recurrence of the UB from the rust-lang#122760 issue. I skipped the `with_capacity`, `drain`, `reserve`, etc. APIs because they actually had a good assortment of tests earlier in the same file. r? Nilstrieb

jwong101 added the C-bug Category: This is a bug. label Mar 20, 2024

rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Mar 20, 2024

jwong101 mentioned this issue Mar 20, 2024

fix OOB pointer formed in Vec::index #122761

Merged

jwong101 changed the title ~~Undefined Behavior in Vec::insert if passed an index outside of it's capacity~~ Undefined Behavior in Vec::insert if passed an index outside of its capacity Mar 20, 2024

rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Mar 20, 2024

workingjubilee mentioned this issue Mar 20, 2024

Add usize::MAX arg tests for Vec #122765

Merged

apiraino removed the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Mar 20, 2024

bors closed this as completed in 37718f9 Mar 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Undefined Behavior in Vec::insert if passed an index outside of its capacity #122760

Undefined Behavior in Vec::insert if passed an index outside of its capacity #122760

jwong101 commented Mar 20, 2024

Undefined Behavior in Vec::insert if passed an index outside of its capacity #122760

Undefined Behavior in Vec::insert if passed an index outside of its capacity #122760

Comments

jwong101 commented Mar 20, 2024

Meta