cell::Ref::clone not hardened against "optimized mem::forget in a loop" attacks. #33880

Closed
eddyb opened this issue May 26, 2016 · 0 comments
Labels
E-easy Call for participation: Easy difficulty. Experience needed to fix: Not much. Good first issue.

eddyb commented May 26, 2016

Check out in Release mode on playpen:

```rust
#![feature(cell_extras)]
use std::cell::{RefCell, Ref};
use std::mem;
use std::usize;

fn main() {
    let ref_cell = RefCell::new(vec![1, 2, 3]);
    let r = ref_cell.borrow();
    let mut i = 0;
    while i < usize::MAX {
        mem::forget(Ref::clone(&r));
        i += 1;
    }
    ref_cell.borrow_mut().push(r[0]);
}
```

This succeeds (when compiled with optimizations) despite having both a `Ref` and a `RefMut`.
`RefCell::borrow` is safe from this because at `usize::MAX` it believes it's mutably borrowed and panics.

There's a `debug_assert!(borrow != WRITING && borrow != UNUSED);` line in `src/libcore/cell.rs` which would catch this with debug assertions enabled; I believe it should be an `assert!` (`Ref::clone` is unstable and likely not performance critical anyway).

cc @ubsan @alexcrichton
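
The overflow described in this issue, reduced to a model of the borrow counter (an added example, not part of the original issue and not the libcore code). The `Flag` type, its methods and `aliasing_possible` are hypothetical names, and the starting state is constructed so that the counter wraps after two clones instead of `usize::MAX`.

```rust
use std::cell::Cell;

// Simplified model of the RefCell borrow flag; constant names follow the issue.
const UNUSED: usize = 0;
const WRITING: usize = usize::MAX;

struct Flag(Cell<usize>);

impl Flag {
    // Release build from the issue: no check runs, the add wraps (made explicit here).
    fn clone_unchecked(&self) {
        self.0.set(self.0.get().wrapping_add(1));
    }

    // Hardened form: checked in every build; Err stands in for an assert! panic.
    fn clone_checked(&self) -> Result<(), &'static str> {
        let b = self.0.get();
        if b == WRITING || b == UNUSED {
            return Err("borrow counter would overflow");
        }
        self.0.set(b + 1);
        Ok(())
    }

    // A mutable borrow is granted only when the flag reads UNUSED.
    fn try_borrow_mut(&self) -> bool {
        let free = self.0.get() == UNUSED;
        if free { self.0.set(WRITING); }
        free
    }
}

// Returns true if a mutable borrow is granted while a reader is still live.
fn aliasing_possible(checked: bool) -> bool {
    // Constructed state: one live Ref plus usize::MAX - 2 forgotten clones.
    let flag = Flag(Cell::new(usize::MAX - 1));
    for _ in 0..2 {
        if checked {
            if flag.clone_checked().is_err() { break; }
        } else {
            flag.clone_unchecked();
        }
    }
    flag.try_borrow_mut()
}

fn main() {
    println!("unchecked: {}, checked: {}", aliasing_possible(false), aliasing_possible(true));
}
```

In the unchecked path the counter goes `usize::MAX - 1`, `WRITING`, then wraps to `UNUSED`, so the mutable borrow is granted; in the checked path the second clone is refused and the flag never reads `UNUSED` while a reader exists.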

@eddyb eddyb added A-libs E-easy Call for participation: Easy difficulty. Experience needed to fix: Not much. Good first issue. labels May 26, 2016
tbu- added a commit to tbu-/rust that referenced this issue May 30, 2016
bors added a commit that referenced this issue May 31, 2016
Prevent the borrow counter from overflowing in `Ref::clone`

Fixes #33880.