Unsound impl Debug for <union>
(in src/unix/linux_like/android/mod.rs
)
#3560
Labels
C-bug
Category: bug
Description of the soundness issue
c0b1ccf has added
pub union __c_anonymous_ifr_ifru
tosrc/unix/linux_like/android/mod.rs
, together withimpl ::fmt::Debug for __c_anonymous_ifr_ifru
- see:libc/src/unix/linux_like/android/mod.rs
Lines 990 to 1008 in 40741ba
The implementation of
Debug::fmt
seems unsound - when displaying a union where only 2 bytes have been initialized (e.g. when only thec_short
-sizedifru_flags
field has been initialized) thefmt
method will also try to access other (potentially uninitialized) bytes of a union (e.g. theifru_newname
field takes 16 bytes).The above
impl
seems unsound, because using the aboveimpl
, a safe Rust code can trigger Undefined Behavior:Steps to reproduce
Other notes
The pattern of using
unsafe
to display all fields may affectunion
s other than just__c_anonymous_ifr_ifru
. For example, theimpl Debug
for__c_anonymous_ifc_ifcu
follows a similar pattern, although in this case both fields have the same size. OTOH I haven't reviewed other cases that can be found by the following code search: https://github.com/search?q=repo%3Arust-lang%2Flibc+%2Ffield.*unsafe.*self%2F&type=codeAFAICT all fields of the union begin at offset 0 - the union seems to be
#[repr(C)]
although this is not obvious because that attribute is injected by thes_no_extra_traits
macro.This issue has been found during a security audit while updating
libc
to a newer version - see https://chromium-review.googlesource.com/c/chromium/src/+/5178771/comment/39aaef1c_033c399c/The text was updated successfully, but these errors were encountered: