Skip to content

PathBuf incorrectly transmutes OsString to Vec<u8> #124409

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
RalfJung opened this issue Apr 26, 2024 · 0 comments · Fixed by #124410
Closed

PathBuf incorrectly transmutes OsString to Vec<u8> #124409

RalfJung opened this issue Apr 26, 2024 · 0 comments · Fixed by #124410
Labels
C-bug Category: This is a bug. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Comments

@RalfJung
Copy link
Member

RalfJung commented Apr 26, 2024
edited by Noratrieb
Loading

PathBuf contains this gem:

rust/library/std/src/path.rs

Lines 1172 to 1175 in f56afa0

#[inline]
fn as_mut_vec(&mut self) -> &mut Vec<u8> {
unsafe { &mut *(self as *mut PathBuf as *mut Vec<u8>) }
}

This effectively transmutes an OsString to Vec<u8>. But on Windows, OsString is Wtf8Buf:

rust/library/std/src/sys_common/wtf8.rs

Lines 131 to 146 in 51a7396

/// An owned, growable string of well-formed WTF-8 data.
///
/// Similar to `String`, but can additionally contain surrogate code points
/// if they’re not in a surrogate pair.
#[derive(Eq, PartialEq, Ord, PartialOrd, Clone)]
pub struct Wtf8Buf {
bytes: Vec<u8>,
/// Do we know that `bytes` holds a valid UTF-8 encoding? We can easily
/// know this if we're constructed from a `String` or `&str`.
///
/// It is possible for `bytes` to have valid UTF-8 without this being
/// set, such as when we're concatenating `&Wtf8`'s and surrogates become
/// paired, as we don't bother to rescan the entire string.
is_known_utf8: bool,
}

This is not repr(transparent), so there is no guarantee that we can just transmute this. And I think with layout randomization this can actually fail -- that's probably what happened here.

Is there a reason why this uses transmutes rather than some sort of private accessor that exposes a *mut Vec<u8> through all these layers?
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Apr 26, 2024
This was referenced Apr 26, 2024
Merged
Merged
bors added a commit to rust-lang/miri that referenced this issue Apr 26, 2024
@bors
Auto merge of #3516 - RalfJung:pathbuf, r=RalfJung
ec28d38 
add smoke tests for basic PathBuf interactions

I wrote these while debugging [this](https://github.com/rust-lang/miri-test-libstd/actions/runs/8849912635/job/24302962983); it turns out the issue is [more complicated](rust-lang/rust#124409) but these tests still seemed worth keeping.
This was referenced Apr 26, 2024
Merged
Merged
@Noratrieb Noratrieb added C-bug Category: This is a bug. T-libs Relevant to the library team, which will review and decide on the PR/issue. and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Apr 26, 2024
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Apr 26, 2024
@matthiaskrgr
Rollup merge of rust-lang#124410 - RalfJung:path-buf-transmute, r=Nil…
75dd501 
…strieb

PathBuf: replace transmuting by accessor functions

The existing `repr(transparent)` was anyway insufficient as `OsString` was not `repr(transparent)`. And furthermore, on Windows it was blatantly wrong as `OsString` wraps `Wtf8Buf` which is a `repr(Rust)` type with 2 fields:

https://github.com/rust-lang/rust/blob/51a7396ad3d78d9326ee1537b9ff29ab3919556f/library/std/src/sys_common/wtf8.rs#L131-L146

So let's just be honest about what happens and add accessor methods that make this abstraction-breaking act of PathBuf visible on the APIs that it pierces through.

Fixes rust-lang#124409
@bors bors closed this as completed in 7cbba53 Apr 27, 2024
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Apr 27, 2024
@rust-timer
Unrolled build for rust-lang#124410
21d7a1f 
Rollup merge of rust-lang#124410 - RalfJung:path-buf-transmute, r=Nilstrieb

PathBuf: replace transmuting by accessor functions

The existing `repr(transparent)` was anyway insufficient as `OsString` was not `repr(transparent)`. And furthermore, on Windows it was blatantly wrong as `OsString` wraps `Wtf8Buf` which is a `repr(Rust)` type with 2 fields:

https://github.com/rust-lang/rust/blob/51a7396ad3d78d9326ee1537b9ff29ab3919556f/library/std/src/sys_common/wtf8.rs#L131-L146

So let's just be honest about what happens and add accessor methods that make this abstraction-breaking act of PathBuf visible on the APIs that it pierces through.

Fixes rust-lang#124409
RalfJung pushed a commit to RalfJung/rust that referenced this issue Apr 27, 2024
@bors
Auto merge of rust-lang#3516 - RalfJung:pathbuf, r=RalfJung
d7c89cf 
add smoke tests for basic PathBuf interactions

I wrote these while debugging [this](https://github.com/rust-lang/miri-test-libstd/actions/runs/8849912635/job/24302962983); it turns out the issue is [more complicated](rust-lang#124409) but these tests still seemed worth keeping.
RalfJung pushed a commit to RalfJung/rust that referenced this issue Apr 27, 2024
@bors
Auto merge of rust-lang#3516 - RalfJung:pathbuf, r=RalfJung
ca6252c 
add smoke tests for basic PathBuf interactions

I wrote these while debugging [this](https://github.com/rust-lang/miri-test-libstd/actions/runs/8849912635/job/24302962983); it turns out the issue is [more complicated](rust-lang#124409) but these tests still seemed worth keeping.
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
C-bug Category: This is a bug. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

PathBuf: replace transmuting by accessor functions RalfJung/rust
3 participants
@RalfJung @rustbot @Noratrieb