Unsoundness: VolatileMemory should be unsafe, private, or sealed because it relies on get_slice in unsafe code

[Manishearth]

vm-memory/src/volatile_memory.rs

Lines 110 to 112 in 06ebc2a

	/// Returns a [`VolatileSlice`](struct.VolatileSlice.html) of `count` bytes starting at
	/// `offset`.
	fn get_slice(&self, offset: usize, count: usize) -> Result<VolatileSlice<BS<Self::B>>>;

The behavior of this trait method is relied upon in multiple places in unsafe code, e.g:

vm-memory/src/volatile_memory.rs

Lines 122 to 123 in 06ebc2a

	// SAFETY: This is safe because the pointer is range-checked by get_slice, and
	// the lifetime is the same as self.

A user of this library implementing VolatileMemory could cause unsoundness by writing an incorrect implementation of VolatileMemory::get_slice(). This means that it should be an unsafe trait (or private/sealed) with the safety requirements for implementors documented on the trait.

[roypat]

Thank you for bringing your security concerns to our attention! We will investigate these immediately and follow up with you within 5 business days to provide a status.

If you have any further questions or concerns, please do not hesitate to contact us according to the rust-vmm security disclosure policy.

Thanks again!

[Manishearth]

Thanks! I'm not in a rush.

(I did consider using the security policy but didn't in the end since this is basically "someone can cause UB if they use your library weirdly" which is bad from a rust unsafe model perspective but basically ok from a security perspective.)

[roypat]

Hello @Manishearth,
we have fixed the issue in #251 and published vm-memory 0.12.2 to crates.io. We will also go through the process of filing a RustSec advisory for affected versions. Thank you again for reporting this issue!