Skip to content

'read()' on uninitialized memory may cause undefined behavior #460

New issue
New issue
Open
Open
'read()' on uninitialized memory may cause undefined behavior#460
@JOE1994

Description

@JOE1994
JOE1994
opened on Jan 3, 2021

Hello 🦀 ,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

We found four cases where an uninitialized buffer is created and then passed to a user-provided Read implementation.
This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).
This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit) is not safe, and can lead to undefined behavior.

binjs-ref/crates/binjs_io/src/bytes/compress.rs

Lines 243 to 245 in 4261ca2

let mut compressed_bytes = Vec::with_capacity(byte_len as usize);
unsafe { compressed_bytes.set_len(byte_len as usize) };
inp.read_exact(&mut compressed_bytes)?;

binjs-ref/crates/binjs_io/src/util.rs

Lines 77 to 81 in 4261ca2

let mut buf = Vec::with_capacity(data.len());
unsafe {
buf.set_len(data.len());
}
let bytes = self.read(&mut buf)?;

binjs-ref/crates/binjs_io/src/multipart/read.rs

Lines 26 to 39 in 4261ca2

/// Deserialize a bunch of bytes into itself.
struct BufDeserializer;
impl Deserializer for BufDeserializer {
type Target = Vec<u8>;
fn read<R: Read + Seek>(&self, reader: &mut R) -> Result<Self::Target, std::io::Error> {
let size = reader.size();
let mut buf = Vec::with_capacity(size);
unsafe {
buf.set_len(size);
}
reader.read_exact(&mut buf)?;
Ok(buf)
}
}

binjs-ref/crates/binjs_io/src/multipart/read.rs

Lines 42 to 50 in 4261ca2

impl Deserializer for Option<SharedString> {
type Target = Self;
fn read<R: Read>(&self, inp: &mut R) -> Result<Self, std::io::Error> {
let byte_len = inp.read_varnum()?;
let mut bytes = Vec::with_capacity(byte_len as usize);
unsafe {
bytes.set_len(byte_len as usize);
}
inp.read_exact(&mut bytes)?;

Suggested Fix

It is safe to zero-initialize the newly allocated u8 buffer before read(), in order to prevent user-provided Read from accessing old contents of the newly allocated heap memory.

Thank you for checking out this issue 👍

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions