-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ComponentBytes is unsound #35
Comments
Thanks for reporting this. I suspected it's dodgy to rely just on I've changed it to require |
I plan to release it with the same semver version. It is technically breaking, but it affects only a special case of using a combination of custom wrapper type and |
The unsoundness of inspecting arbitrary uninitialized padding exists in every version since Also, seriously consider (for more than one day) publicly depending on a pre- And lasty, consider having a full PR with discussion of the soundness fix because I'm not convinced it is fully fixed based on the commit itself and requiring another potentially breaking interface change will be more devastating. |
I have bumped the version a few times in the past when the crate was used just by me, but now it has enough users (including major projects that are not public) that version bump would be disruptive. I have missed the boat in calling it 1.0 sooner. At this point if I release 1.0, it will be just an empty crate re-exporting 0.8. That could be another chance to improve the as_bytes trait. |
So after a good bunch of consideration, I think I've come to terms with the breaking change at some point. At the very least it will actively flag potential UB in dependents even if it introduces some breakage. We sadly don't have There is a potential alternative, step-by-step plan: First add a deprecation marker for the whole trait, and instead of replacing it add a new one. Then you could at a later release, after hopefully some dependencies that used it have taken note, change the method implementations to panic (this is a sound implementation with no risk of UB anymore but keeps the interface), and only then in yet another release remove it. You of course don't have to take that whole marathon but maybe it provides some fresh consideration for managing this situation. |
Fixed in 0.8.20 |
This issue (https://rustsec.org/advisories/RUSTSEC-2020-0029.html) has been assigned CVE-2020-25016 |
The trait assumes that an arbitrary type
T: Copy + 'static
can be viewed (and even modified!) as a byte slice. That is super unsound. Here's an example of causing UB with it:The text was updated successfully, but these errors were encountered: