Skip to content

Use after free in core::iter::repeat_n #130140

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
jwong101 opened this issue Sep 9, 2024 · 3 comments · Fixed by #130145
Closed

Use after free in core::iter::repeat_n #130140

jwong101 opened this issue Sep 9, 2024 · 3 comments · Fixed by #130145
Assignees
@fee1-dead
Labels
A-iterators Area: Iterators C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness P-critical Critical priority T-libs Relevant to the library team, which will review and decide on the PR/issue.

Comments

@jwong101
Copy link
Contributor

jwong101 commented Sep 9, 2024
edited
Loading

core::iter::repeat_n currently unconditionally derives Clone. However,
it will also drop its inner object if n is 0, which can cause a UAF if it's cloned afterwards.

use std::rc::Rc;
fn main() {
    let mut c = [0; 100];
    let x = std::iter::repeat_n(Rc::new(0), 0);
    let y = Box::new(&mut c);
    for _ in 0..100 {
        _ = x.clone();
    }
    y.fill(0);
}

Running the above program segfaults:

Exited with signal 11 (SIGSEGV): segmentation violation
Standard Error
   Compiling playground v0.0.1 (/playground)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.42s
     Running `target/debug/playground`

Edit: Made the segfault quicker/more reliable.
@jwong101 jwong101 added the C-bug Category: This is a bug. label Sep 9, 2024
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Sep 9, 2024
@lukas-code lukas-code added I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness A-iterators Area: Iterators T-libs Relevant to the library team, which will review and decide on the PR/issue. and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Sep 9, 2024
@rustbot rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Sep 9, 2024
@jwong101 jwong101 mentioned this issue Sep 9, 2024
Closed
@lcnr
Copy link
Contributor

lcnr commented Sep 9, 2024

same issue with its Debug implementation

fn main() {
    let x = std::iter::repeat_n(String::from("use after free"), 0);
    println!("{x:?}");
}

@m-ou-se
Copy link
Member

m-ou-se commented Sep 9, 2024

cc @scottmcm, I think you implemented this. ^^

@fee1-dead fee1-dead self-assigned this Sep 9, 2024
@fee1-dead fee1-dead mentioned this issue Sep 9, 2024
Merged
@lcnr lcnr mentioned this issue Sep 9, 2024
Open
@apiraino
Copy link
Contributor

apiraino commented Sep 9, 2024

WG-prioritization assigning priority (Zulip discussion).

@rustbot label -I-prioritize +P-critical

@rustbot rustbot added P-critical Critical priority and removed I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels Sep 9, 2024
@GnomedDev GnomedDev mentioned this issue Sep 10, 2024
Closed
5 tasks
@theemathas theemathas mentioned this issue Sep 12, 2024
Merged
@bors bors closed this as completed in 2e367d9 Sep 17, 2024
GuillaumeGomez added a commit to GuillaumeGomez/rust that referenced this issue Sep 26, 2024
@GuillaumeGomez
Rollup merge of rust-lang#130279 - theemathas:manually-drop-docs, r=t…
8a827c7 
…homcc,traviscross

Document subtleties of `ManuallyDrop`

After seeing rust-lang#130140 and rust-lang#130141, I figured that `ManuallyDrop` needs documentation explaining its subtleties, hence this PR.

See also rust-lang/unsafe-code-guidelines#245
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Sep 27, 2024
@rust-timer
Unrolled build for rust-lang#130279
4a29775 
Rollup merge of rust-lang#130279 - theemathas:manually-drop-docs, r=thomcc,traviscross

Document subtleties of `ManuallyDrop`

After seeing rust-lang#130140 and rust-lang#130141, I figured that `ManuallyDrop` needs documentation explaining its subtleties, hence this PR.

See also rust-lang/unsafe-code-guidelines#245
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@fee1-dead fee1-dead

Labels
A-iterators Area: Iterators C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness P-critical Critical priority T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

RepeatN: use MaybeUninit fee1-dead-contrib/rust
7 participants
@m-ou-se @apiraino @jwong101 @lukas-code @lcnr @fee1-dead @rustbot