Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Maybe unsound in RLocal::new #653

Open
lwz23 opened this issue Dec 10, 2024 · 3 comments
Open

Maybe unsound in RLocal::new #653

lwz23 opened this issue Dec 10, 2024 · 3 comments

Comments

@lwz23
Copy link

lwz23 commented Dec 10, 2024

Hello, thank you for your contribution in this project, I am scanning the unsoundness problem in rust project.
I notice the following code:

pub struct RLocal<T: Copy> {
    old_value: T,
    variable: *mut T,
}

impl<T> RLocal<T>
where
    T: Copy,
{
    pub fn new(new_value: T, variable: *mut T) -> RLocal<T> {
        unsafe {
            let old_value = libr::get(variable);
            libr::set(variable, new_value);

            Self {
                old_value,
                variable,
            }
        }
    }
}

Considering that pub mod raii, and new is also a pub function. I assume that users can directly call this function. This potential situation could result in libr::get being called to a null pointer, and might trigger undefined behavior (UB). For safety reasons, I felt it necessary to report this issue. If you have performed checks elsewhere that ensure this is safe, please don’t take offense at my raising this issue.
I suggest Several possible fixes:

  1. If there is no external usage for RLocal or new, they should not marked as pub, at least its new should not marked as pub
  2. new method should add additional check for null pointer.
  3. mark new method as unsafe and proper doc to let users know that they should provide valid Pointers.
@lionel-
Copy link
Contributor

lionel- commented Dec 12, 2024

It's really an internal function from an internal crate (neither are meant to be used in other projects). We can make it pub(crate) for clarity.

@lwz23
Copy link
Author

lwz23 commented Dec 23, 2024
edited
Loading

Thanks for your reply, I think maybe same problem for

ark/crates/harp/src/vector/list.rs

Line 65 in a569d6e

unsafe { *self.ptr.wrapping_add(index as usize) }
, the index ptr offset is not been varify.
and

ark/crates/ark/src/sys/unix/console.rs

Line 13 in a569d6e

pub fn console_to_utf8(x: *const c_char) -> anyhow::Result<String> {

ark/crates/ark/src/sys/windows/console.rs

Line 37 in a569d6e

let x = unsafe { CStr::from_ptr(x) };

ark/crates/harp/src/table.rs

Line 162 in 1366044

pub fn get_unchecked(&self, index: isize) -> Option<String> {

I understand that these functions are not intended for external use, but in that case it might be more appropriate to declare them as pub(crate). This will ensure that future projects on these modules will not cause possible unsound problems, thank you!

@lionel-
Copy link
Contributor

lionel- commented Jan 6, 2025

Note that we have cross-crate internal dependencies too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lionel- @lwz23