
flatbuffers is unsound #281

Closed
Nemo157 opened this issue Apr 29, 2020 · 4 comments

Comments

@Nemo157 (Contributor) commented Apr 29, 2020

Unfortunately I don't care about this enough to fill out a proper advisory, but since I looked into it enough to find the UB, here are a few Miri error samples if someone wants to finish it off:

```rust
fn main() {
    dbg!(flatbuffers::read_scalar::<u16>(&[0u8, 5u8]));
}
```

```
error: Undefined Behavior: accessing memory with alignment 1, but alignment 2 is required
```

(I manually inspected the source code to verify the library doesn't check the alignment itself)

```rust
#[repr(u8)]
#[derive(Eq, PartialEq, Clone, Copy, Debug)]
pub enum Color {
    Red,
}

impl flatbuffers::EndianScalar for Color {
    fn to_little_endian(self) -> Self {
        self
    }
    fn from_little_endian(self) -> Self {
        self
    }
}

fn main() {
    dbg!(flatbuffers::read_scalar::<Color>(&[5u8]));
}
```

```
error: Undefined Behavior: type validation failed: encountered 5, but expected a valid enum discriminant
```

```rust
#[derive(Eq, PartialEq, Clone, Copy, Debug)]
pub enum Void {}

impl flatbuffers::EndianScalar for Void {
    fn to_little_endian(self) -> Self {
        self
    }
    fn from_little_endian(self) -> Self {
        self
    }
}

fn main() {
    dbg!(flatbuffers::read_scalar::<Void>(&[]));
}
```

```
error: Undefined Behavior: type validation failed: encountered a value of uninhabited type Void
```

@Nemo157 (Contributor, Author) commented Apr 29, 2020

I should have looked harder; there is an existing advisory for it: #259

@Nemo157 Nemo157 closed this as completed Apr 29, 2020
@Shnatsel (Member):

Those advisories are actually about a different bug, so it might still be worthwhile to write an advisory for this one. Reopening.

Have you reported an issue on the flatbuffers repo?

@Shnatsel Shnatsel reopened this Apr 29, 2020
@Shnatsel (Member):

Oh wait, never mind, it seems to be the same bug: google/flatbuffers#5825

@Nemo157 (Contributor, Author) commented Apr 30, 2020

Yeah, read_scalar being an ever so slightly limited form of transmute means it can produce a bunch of different UB depending on what you pass it.

While looking into this I noticed that the code generated by flatc is also unsound, it produces UB on big-endian machines by converting enums into their LE representation while still typed as the enum. I'm not sure how to create advisories for code generated by non-Rust tooling though?
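A sound way to read scalars out of a byte buffer, as an added example that is not from the flatbuffers crate, flatc, or anyone in this thread: decoding copies bytes with `from_le_bytes` and validates enum discriminants through the integer representation, so the three Miri reports above (misaligned access, invalid discriminant, uninhabited type) cannot arise, and the integer path is also correct on big-endian hosts. The trait `SafeScalar`, the function `read_scalar_at`, and the three-variant `Color` are assumed names invented for this example.

```rust
use std::convert::{TryFrom, TryInto};

/// Hypothetical stand-in for `EndianScalar`: decoding is fallible and copies
/// bytes instead of reinterpreting them, so none of the three UB cases in the
/// thread (misalignment, bad enum discriminant, uninhabited type) can occur.
pub trait SafeScalar: Sized {
    /// Encoded size in bytes.
    const SIZE: usize;
    /// Decode from exactly `SIZE` little-endian bytes; `None` means "not a valid value".
    fn from_le_slice(bytes: &[u8]) -> Option<Self>;
}

impl SafeScalar for u16 {
    const SIZE: usize = 2;
    fn from_le_slice(bytes: &[u8]) -> Option<Self> {
        // `from_le_bytes` takes an array by value: the bytes are copied out of
        // the slice, so the slice's alignment is irrelevant and the byte order
        // is handled correctly on both little- and big-endian hosts.
        let arr: [u8; 2] = bytes.get(..2)?.try_into().ok()?;
        Some(u16::from_le_bytes(arr))
    }
}

#[repr(u8)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Color {
    Red = 0,
    Green = 1,
    Blue = 2,
}

impl TryFrom<u8> for Color {
    type Error = u8;
    /// The only place a byte becomes a `Color`: every discriminant is checked.
    fn try_from(v: u8) -> Result<Self, u8> {
        match v {
            0 => Ok(Color::Red),
            1 => Ok(Color::Green),
            2 => Ok(Color::Blue),
            other => Err(other),
        }
    }
}

impl SafeScalar for Color {
    const SIZE: usize = 1;
    fn from_le_slice(bytes: &[u8]) -> Option<Self> {
        // Decode via the integer repr, never by casting the enum itself, so a
        // byte like 5 is rejected instead of becoming an invalid enum value.
        Color::try_from(*bytes.first()?).ok()
    }
}

/// An uninhabited type has no valid value at all, so decoding always fails
/// rather than conjuring one out of an empty slice.
#[derive(Debug)]
pub enum Void {}

impl SafeScalar for Void {
    const SIZE: usize = 0;
    fn from_le_slice(_bytes: &[u8]) -> Option<Self> {
        None
    }
}

/// Read a `T` at `offset` in `buf`. Returns `None` on an overflowing offset,
/// a short buffer, or bytes that are not a valid `T`.
pub fn read_scalar_at<T: SafeScalar>(buf: &[u8], offset: usize) -> Option<T> {
    let end = offset.checked_add(T::SIZE)?;
    T::from_le_slice(buf.get(offset..end)?)
}

fn main() {
    // Constructed inputs mirroring the three Miri reports in the thread.
    println!("{:?}", read_scalar_at::<u16>(&[0u8, 5u8], 0)); // Some(1280)
    println!("{:?}", read_scalar_at::<u16>(&[0u8, 5u8, 0xFF], 1)); // Some(65285), offset 1 is unaligned for u16
    println!("{:?}", read_scalar_at::<Color>(&[5u8], 0)); // None: 5 is not a discriminant
    println!("{:?}", read_scalar_at::<Color>(&[1u8], 0)); // Some(Green)
    println!("{:?}", read_scalar_at::<Void>(&[], 0)); // None: no value can exist
    println!("{:?}", read_scalar_at::<u16>(&[5u8], 0)); // None: short buffer
}
```

The design point is that the reinterpreting read is replaced by two separate checks: a bounds check on the slice, then a value check per type. Using `ptr::read_unaligned` alone would only remove the alignment report; the enum and uninhabited cases are validity problems that no pointer cast can fix, which is why the enum conversion here goes through `TryFrom<u8>` rather than any cast of the enum type.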
