-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy path0008-arr.rs
91 lines (79 loc) · 2.67 KB
/
0008-arr.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
/*!
```rudra-poc
[target]
crate = "arr"
version = "0.6.0"
[[target.peer]]
crate = "crossbeam-utils"
version = "0.7.2"
[test]
cargo_flags = ["--release"]
cargo_toolchain = "nightly"
[report]
issue_url = "https://github.com/sjep/array/issues/1"
issue_date = 2020-08-25
rustsec_url = "https://github.com/RustSec/advisory-db/pull/364"
rustsec_id = "RUSTSEC-2020-0034"
[[bugs]]
analyzer = "Manual"
guide = "UnsafeDestructor"
bug_class = "Other"
bug_count = 3
rudra_report_locations = []
[[bugs]]
analyzer = "SendSyncVariance"
bug_class = "SendSyncVariance"
bug_count = 2
rudra_report_locations = ["src/lib.rs:47:1: 47:35", "src/lib.rs:46:1: 46:35"]
```
!*/
#![forbid(unsafe_code)]
use arr::Array;
use crossbeam_utils::thread;
use std::rc::Rc;
use std::sync::atomic::{AtomicUsize, Ordering};
static drop_cnt: AtomicUsize = AtomicUsize::new(0);
#[derive(Clone)]
struct DropDetector(u32);
impl Drop for DropDetector {
fn drop(&mut self) {
drop_cnt.fetch_add(1, Ordering::Relaxed);
println!("Dropping {}", self.0);
}
}
fn main() {
{
// https://github.com/sjep/array/blob/efa214159eaad2abda7b072f278d678f8788c307/src/lib.rs#L46-L47
// 1. Incorrect Sync/Send bounds for `Array` allows to smuggle non-Sync/Send types across the thread boundary
let rc = Rc::new(0usize);
let arr = Array::new_from_template(1, &rc);
let arr_handle = &arr;
let rc_identity1 = Rc::as_ptr(&rc) as usize;
let rc_identity2 = thread::scope(|s| {
s.spawn(|_| {
// shouldn't be allowed!
println!("1. Cloning Rc in a different thread");
let another_rc: Rc<usize> = arr_handle[0].clone();
Rc::as_ptr(&another_rc) as usize
})
.join()
.unwrap()
})
.unwrap();
assert_eq!(rc_identity1, rc_identity2);
}
{
// https://github.com/sjep/array/blob/efa214159eaad2abda7b072f278d678f8788c307/src/lib.rs#L129-L148
// 2. `Index` and `IndexMut` does not check the bound
let arr = Array::<usize>::zero(1);
println!("2. OOB read: {}", arr[10]);
}
{
// https://github.com/sjep/array/blob/efa214159eaad2abda7b072f278d678f8788c307/src/lib.rs#L111-L127
// https://github.com/sjep/array/blob/efa214159eaad2abda7b072f278d678f8788c307/src/lib.rs#L165-L174
// 3. `Array::new_from_template()` drops uninitialized memory because of `*ptr = value` pattern.
// It also leaks memory since it doesn't call `drop_in_place()` in `drop()`.
println!("3. Uninitialized drop / memory leak in `new_from_template()`");
let _ = Array::new_from_template(1, &DropDetector(12345));
}
}