Hi, thanks for maintaining russh-cryptovec.
Our analysis tool reports Undefined Behavior triggered by calling CryptoVec::resize from safe Rust. CryptoVec::resize_mut is also affected.
Simple PoC

```rust
#[test]
fn test_210() {
    // A freshly created CryptoVec has no allocation yet (dangling, capacity 0).
    let mut _local0 = russh_cryptovec::CryptoVec::new();
    // Resizing to 0 still reaches the memset FFI call with the dangling pointer.
    let _ = russh_cryptovec::CryptoVec::resize(&mut _local0, 0);
}
```

Condensed Miri Report

```
error: Undefined Behavior: pointer not dereferenceable: pointer must point to some allocation, but got 0x1[noalloc] which is a dangling pointer (it has no provenance)
  --> russh-cryptovec-0.52.0/src/platform/unix.rs:32:9
   |
32 |         nix::libc::memset(ptr as *mut c_void, value, size);
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: BACKTRACE on thread `kani_test_210`:
   = note: inside `russh_cryptovec::platform::unix::memset` at russh-cryptovec-0.52.0/src/platform/unix.rs:32:9: 32:59
   = note: inside `russh_cryptovec::CryptoVec::resize` at russh-cryptovec-0.52.0/src/cryptovec.rs:216:17: 216:62
```

If resize(0) is intended to be supported, would you consider adding a small guard to avoid calling memset/FFI when size == 0? That would likely keep semantics unchanged while fixing the soundness problem. Your confirmation would be highly appreciated.
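The guard proposed in the report, shown on a minimal stand-in buffer rather than on russh-cryptovec's own code (this is an added example, not the crate's implementation): a zero-length scrub returns before the FFI call, so the dangling capacity-0 pointer of an empty Vec is never handed to libc memset. `memset_guarded` and `ZeroingBuf` are hypothetical names; the example assumes a platform C library that provides `memset`.

```rust
use std::ffi::c_void;
use std::os::raw::c_int;

unsafe extern "C" {
    // libc memset, resolved from the platform C library (assumed available).
    fn memset(s: *mut c_void, c: c_int, n: usize) -> *mut c_void;
}

/// Fill `size` bytes at `ptr` with `value`, but never cross into FFI for a
/// zero-length request: this is the guard the report asks for.
fn memset_guarded(ptr: *mut u8, value: u8, size: usize) {
    if size == 0 {
        return; // nothing to scrub; `ptr` may be dangling and must not be used
    }
    // SAFETY: caller guarantees `ptr` is valid for `size` writes and size > 0.
    unsafe {
        memset(ptr as *mut c_void, value as c_int, size);
    }
}

/// Minimal stand-in for a zeroing buffer: grows with zero-filled bytes and
/// scrubs bytes that are dropped when shrinking.
pub struct ZeroingBuf {
    data: Vec<u8>,
}

impl ZeroingBuf {
    pub fn new() -> Self {
        ZeroingBuf { data: Vec::new() } // capacity 0: pointer is dangling
    }

    pub fn resize(&mut self, new_len: usize) {
        let old_len = self.data.len();
        if new_len > old_len {
            // Allocate first so the pointer covers `new_len` bytes, then zero
            // the newly visible tail before exposing it via set_len.
            self.data.reserve(new_len - old_len);
            let tail = unsafe { self.data.as_mut_ptr().add(old_len) };
            memset_guarded(tail, 0, new_len - old_len);
            unsafe { self.data.set_len(new_len) };
        } else {
            // Shrinking: scrub the bytes going out of view. For new_len == old_len
            // (including 0 on an empty buffer) the guard skips the FFI call.
            let tail = unsafe { self.data.as_mut_ptr().add(new_len) };
            memset_guarded(tail, 0, old_len - new_len);
            unsafe { self.data.set_len(new_len) };
        }
    }

    pub fn len(&self) -> usize { self.data.len() }
    pub fn as_slice(&self) -> &[u8] { &self.data }
}
```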