/*!
```rudra-poc
[target]
crate = "cgc"
version = "0.4.0"
[report]
issue_url = "https://github.com/playXE/cgc/issues/5"
issue_date = 2020-12-10
rustsec_url = "https://github.com/RustSec/advisory-db/pull/839"
rustsec_id = "RUSTSEC-2020-0148"
[[bugs]]
analyzer = "SendSyncVariance"
bug_class = "SendSyncVariance"
bug_count = 2
rudra_report_locations = ["src/mem.rs:829:1: 829:34", "src/mem.rs:830:1: 830:34"]
[[bugs]]
analyzer = "Manual"
guide = "SendSyncVariance"
bug_class = "Other"
bug_count = 2
rudra_report_locations = []
```
!*/
#![forbid(unsafe_code)]
use cgc::mem::Ptr;
use std::rc::Rc;
/// Demonstration 1: a non-`Send` value crossing a thread boundary through `Ptr`.
///
/// `Rc` is neither `Send` nor `Sync` because its reference count is updated
/// without atomic operations. Moving a `Ptr<Rc<_>>` into `std::thread::spawn`
/// is accepted by the compiler here, which matches the `SendSyncVariance`
/// findings listed in the report metadata at the top of this file. Both threads
/// then clone and drop handles to the same allocation concurrently, which is a
/// data race on the count, written without any `unsafe` in this file.
///
/// The worker thread is detached and never joined, so nothing here waits for it.
///
/// NOTE(review): the usual remedy for this bug class is to bound the impls
/// (`T: Send` for `Send`, `T: Sync` for `Sync`); confirm against the upstream fix.
fn wild_sync() {
    // 1. Wild Send and Sync
    const ITERATIONS: u32 = 100_000_000;

    let shared = Rc::new(42);
    let carrier = Ptr::new(Rc::clone(&shared));

    // The closure owns `carrier`; this only type-checks if `Ptr<Rc<_>>` is `Send`.
    let worker = move || {
        let smuggled = carrier.take();
        println!("Thread: {:p}", smuggled);
        for _ in 0..ITERATIONS {
            // Each clone is dropped at once: one increment and one decrement per pass.
            let _ = smuggled.clone();
        }
    };
    std::thread::spawn(worker);

    println!("Main: {:p}", shared);
    for _ in 0..ITERATIONS {
        // Same increment/decrement pair, racing with the worker's updates.
        let _ = Rc::clone(&shared);
    }
}
/// Two-variant tagged union used by `aliasing` to make an aliasing violation visible.
///
/// One variant carries a reference and the other a plain integer, so replacing
/// the value while a borrow of the `Ref` payload is still held leaves that
/// borrow looking at integer data.
#[derive(Clone, Copy, Debug)]
enum RefOrInt {
    /// A reference to a `u64` that lives for the whole program.
    Ref(&'static u64),
    /// A bare integer.
    Int(u64),
}
/// Demonstration 2: two live mutable references obtained from one `Ptr`.
///
/// `get()` is called twice on the same `Ptr` and both results are used as
/// mutable references at the same time, which safe Rust is supposed to rule out.
/// While `addr` still borrows the payload of the `Ref` variant, the value is
/// overwritten with `Int(0xdeadbeef)` through the second reference, so the
/// later reads of `addr` treat integer data as a reference. The final
/// `println!` dereferences it; the message text says a segfault is expected.
///
/// NOTE(review): an accessor that hands out `&mut T` from a shared handle needs
/// either exclusive access (`&mut self`), a runtime borrow check, or an `unsafe`
/// signature; confirm which one the upstream fix chose.
fn aliasing() {
    // 2. Aliasing violation
    let handle = Ptr::new(RefOrInt::Ref(&42));
    let first = handle.get();
    let second = handle.get();

    println!("Pointer points to: {:?}", first);
    match first {
        RefOrInt::Ref(ref addr) => {
            // Write through the second alias while `addr` still borrows the first.
            *second = RefOrInt::Int(0xdeadbeef);
            println!("Pointer now points to: {:p}", *addr);
            println!("Dereferencing addr will now segfault: {}", **addr);
        }
        RefOrInt::Int(_) => {}
    }
}
/// Entry point for the proof of concept.
///
/// Both demonstrations are commented out, so the program as written does
/// nothing; a demonstration runs only after its call is uncommented.
fn main() {
    // Demonstration 1: `Rc` shared across threads through `Ptr`.
    //wild_sync();
    // Demonstration 2: two mutable references from one `Ptr`; its last print
    // is expected to crash the process.
    //aliasing();
}