Soundness Bug in stable::Deflate::new

[lewismosciski]

Hi there!

We scanned the most popular libraries on crates.io and found some memory safety bugs in this library.

PoC

use zlib_rs::Deflate;

fn main() {
    let mut d1 = Deflate::new(6, true, 15);
    drop(d1);
    let mut d2 = Deflate::new(6, false, 15);
    drop(d2);
}

Miri Output

error: Undefined Behavior: deallocation through <619> (root of the allocation) at alloc460[0x0] is forbidden
   --> /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/zlib-rs/0.6.3/zlib-rs-0.6.3/src/allocate.rs:185:14
    |
185 |     unsafe { std::alloc::dealloc(ptr.cast(), layout) };
    |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Tree Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/tree-borrows.md for further information
    = help: the accessed tag <619> (root of the allocation) is foreign to the protected tag <3223807> (i.e., it is not a child)
    = help: this deallocation (acting as a foreign write access) would cause the protected tag <3223807> (currently Reserved) to become Disabled
    = help: protected tags must never be Disabled
help: the accessed tag <619> was created here
   --> src/main.rs:11:18
    |
 11 |     let mut d1 = Deflate::new(6, true, 15);
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^
help: the protected tag <3223807> was created here, in the initial state Reserved
   --> src/main.rs:12:5
    |
 12 |     drop(d1);
    |     ^^^^^^^^
    = note: BACKTRACE (of the first span):
    = note: inside `zlib_rs::allocate::zfree_rust` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/zlib-rs/0.6.3/zlib-rs-0.6.3/src/allocate.rs:185:14: 185:53
    = note: inside `zlib_rs::allocate::Allocator::<'_>::deallocate::<u8>` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/zlib-rs/0.6.3/zlib-rs-0.6.3/src/allocate.rs:390:33: 390:97
    = note: inside `zlib_rs::deflate::end` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/zlib-rs/0.6.3/zlib-rs-0.6.3/src/deflate.rs:731:14: 731:80
    = note: inside `<zlib_rs::Deflate as std::ops::Drop>::drop` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/zlib-rs/0.6.3/zlib-rs-0.6.3/src/stable.rs:347:17: 347:53
    = note: inside `std::ptr::drop_in_place::<zlib_rs::Deflate> - shim(Some(zlib_rs::Deflate))` at /home/ccuu/.rustup/toolchains/nightly-2025-10-09-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804:1: 804:62
    = note: inside `std::mem::drop::<zlib_rs::Deflate>` at /home/ccuu/.rustup/toolchains/nightly-2025-10-09-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:962:24: 962:25
note: inside `main`
   --> src/main.rs:12:5
    |
 12 |     drop(d1);
    |     ^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

[bjorn3]

Have you tried with tree borrows? Custom allocators interact poorly with stacked borrows.

zlib-rs/.github/workflows/checks.yaml

Line 603 in e8f07df

MIRIFLAGS: "-Zmiri-tree-borrows -Zmiri-disable-isolation"

[folkertdev]

It reproduces with tree borrows actually

> cat test-libz-rs-sys/examples/ub.rs
use zlib_rs::Deflate;

fn main() {
    let d1 = Deflate::new(6, true, 15);
    drop(d1);
    dbg!("done");
}

> MIRIFLAGS="-Zmiri-tree-borrows -Zmiri-disable-isolation" cargo +nightly miri run --example ub

error: Undefined Behavior: deallocation through <591> (root of the allocation) at alloc423[0x0] is forbidden
   --> zlib-rs/src/allocate.rs:185:14
    |
185 |     unsafe { std::alloc::dealloc(ptr.cast(), layout) };
    |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Tree Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/tree-borrows.md for further information
    = help: the accessed tag <591> (root of the allocation) is foreign to the protected tag <12476> (i.e., it is not a child)
    = help: this deallocation (acting as a foreign write access) would cause the protected tag <12476> (currently Reserved) to become Disabled
    = help: protected tags must never be Disabled
help: the accessed tag <591> was created here
   --> zlib-rs/src/allocate.rs:123:24
    |
123 |     let ptr = unsafe { std::alloc::alloc(layout) };
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^
help: the protected tag <12476> was created here, in the initial state Reserved
   --> test-libz-rs-sys/examples/ub.rs:5:5
    |
  5 |     drop(d1);
    |     ^^^^^^^^
    = note: stack backtrace:
            0: zlib_rs::allocate::zfree_rust
                at zlib-rs/src/allocate.rs:185:14: 185:53
            1: zlib_rs::allocate::Allocator::<'_>::deallocate::<u8>
                at zlib-rs/src/allocate.rs:390:33: 390:97
            2: zlib_rs::deflate::end
                at zlib-rs/src/deflate.rs:731:14: 731:80
            3: <zlib_rs::Deflate as std::ops::Drop>::drop
                at zlib-rs/src/stable.rs:347:17: 347:53
            4: std::ptr::drop_in_place::<zlib_rs::Deflate> - shim(Some(zlib_rs::Deflate))
                at /home/folkertdev/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:809:1: 811:25
            5: std::mem::drop::<zlib_rs::Deflate>
                at /home/folkertdev/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:975:1: 975:2
            6: main
                at test-libz-rs-sys/examples/ub.rs:5:5: 5:13

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error; 1 warning emitted

I'm thinking its some sort of pointer provenance thing? Haven't quite been able to figure it out though.

[bjorn3]

When dropping Deflate, this borrows self.inner (of type DeflateStream) and passes it to crate::deflate::end. This produces a protector preventing deallocation of the DeflateStream. A protector is also added for all references contained within DeflateStream, among which is the state field (of type &mut DeflateState) crate::deflate::end then deallocates the memory that stores the DeflateState. This is UB as the protector for the &mut DeflateState is still active at this point. It doesn't get deactivated until crate::deflate::end returns. A fix would probably changing &mut DeflateState to NonNull<DeflateState>.

[folkertdev]

Hmm, so should we use z_stream inside of Deflate/Inflate instead?

[bjorn3]

If Rust ends up requiring recursive pointer validity, deflateEnd would still have the same issue. I did rather change the state field to NonNull<DeflateState> and have DeflateStream::state() and DeflateStream::state_mut() encapsulate the unsafeness.