Soundness issue with Dictionary find/get #720

Tracked by #719
capickett opened this issue Feb 12, 2025 · 1 comment
Adding the following test to `dictionary.rs` produces a hard process crash (SIGTRAP, not a test assertion failure) when run with `cargo test` on an Apple Silicon Mac. The test uses only safe code, so a crash here is a soundness bug in the API rather than a misuse.

    /// Reproducer for the soundness hole described in this issue: a
    /// `CFDictionary` obtained via `to_immutable()` shares its storage with the
    /// `CFMutableDictionary` it came from, so an `ItemRef` borrowed from the
    /// immutable view can outlive the value it points at. Expect a process
    /// crash (SIGTRAP / ASan `BUS` in `objc_msgSend`), not a failing assertion.
    /// Statement order matters: the entry must be removed and the Rust-side
    /// owner dropped *before* the final dereference of `val`.
    #[test]
    fn this_is_ub() {
        let mut mut_dict: CFMutableDictionary<CFString, CFString> = CFMutableDictionary::new();
        let string_key = CFString::from_static_string("Bar");
        // make a runtime string that assuredly comes from the heap
        // (a static string would presumably never be deallocated and would
        // mask the use-after-free — keep this value dynamic)
        let string_val = CFString::new(format!("{:?}", SystemTime::now()).as_str());
        mut_dict.add(
            &string_key,
            &string_val,
        );

        // `dict` is an independent Rust value as far as the borrow checker is
        // concerned, but it aliases `mut_dict`'s underlying storage.
        let dict = mut_dict.to_immutable();
        // `val` is an `ItemRef<'_, CFString>` whose lifetime is tied to `dict`,
        // not to `mut_dict` — nothing stops `mut_dict` from being mutated next.
        let val = dict.get(string_key);

        // All safe code: remove the entry through the mutable alias and drop
        // the Rust-side owner. Presumably these release the last retains on the
        // heap-allocated CFString while `val` still points at it — TODO confirm
        // the retain/release accounting against the CF implementation.
        mut_dict.remove_all();
        drop(string_val);

        // Use-after-free: formatting `*val` calls `CFString as Display`, which
        // reads through the dangling pointer (this is the faulting frame ASan
        // reports below).
        print!("{}", *val);
    }

The issue here is that `dict.get()` returns an `ItemRef<'a, CFString>` whose lifetime `'a` is tied to `dict`. However, `dict` aliases the same underlying storage as `mut_dict`, and the borrow checker has no way to see that relationship, so nothing prevents us from removing the value through `mut_dict` (and dropping the last Rust-side owner) while `val` is still live, then dereferencing freed memory. That is a use-after-free reachable entirely from safe code, i.e. a soundness hole in the API. Any fix presumably has to make the aliasing visible to the borrow checker — for example by having `to_immutable()` hold a borrow of the mutable dictionary, or by not sharing storage at all — rather than relying on callers to avoid this pattern.


test dictionary::test::dict_find_and_contains_key ... error: test failed, to rerun pass `--lib`

Caused by:
  process didn't exit successfully: `/Users/pickett/github/core-foundation-rs/target/debug/deps/core_foundation-9eaa4f5982d05630` (signal: 5, SIGTRAP: trace/breakpoint trap)

Running `RUSTFLAGS="-Zsanitizer=address" cargo +nightly test` (the command as originally pasted reads `cargo +nightly address`, presumably a typo) reveals an invalid read inside `CFString`'s `Display::fmt` (frames #0–#6 below). Note that the test harness output above attributes the abort to `dict_find_and_contains_key` only because that was the test being reported when the whole process died; the faulting frame is in `this_is_ub` at `dictionary.rs:499`:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==75173==ERROR: AddressSanitizer: BUS on unknown address (pc 0x00018108d820 bp 0x00016ffa9ff0 sp 0x00016ffa9b80 T24)
==75173==The signal is caused by a READ memory access.
==75173==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
test dictionary::test::dict_find_and_contains_key ... ok
    #0 0x00018108d820 in objc_msgSend+0x20 (libobjc.A.dylib:arm64+0x9820)
    #1 0x000100f33598 in _$LT$core_foundation..string..CFString$u20$as$u20$core..fmt..Display$GT$::fmt::hb247b8cf00e6dfd0 string.rs:104
    #2 0x000100fae410 in core::fmt::write::h7d12250cecdddbdd+0x188 (core_foundation-3972cd86ff0357a4:arm64+0x1000fe410)
    #3 0x000100f91954 in std::io::Write::write_fmt::h2cf72199a89f21e8+0x2c (core_foundation-3972cd86ff0357a4:arm64+0x1000e1954)
    #4 0x000100f911e0 in std::io::stdio::print_to_buffer_if_capture_used::h9e9d8371aa09d068+0xac (core_foundation-3972cd86ff0357a4:arm64+0x1000e11e0)
    #5 0x000100f91360 in std::io::stdio::_print::ha39479449f7d4a23+0x24 (core_foundation-3972cd86ff0357a4:arm64+0x1000e1360)
    #6 0x000100f39890 in core_foundation::dictionary::test::this_is_ub::h990d6fd8d8e4f589 dictionary.rs:499
    #7 0x000100f189b4 in core_foundation::dictionary::test::this_is_ub::_$u7b$$u7b$closure$u7d$$u7d$::h721036028bc7e504 dictionary.rs:483
    #8 0x000100efb358 in core::ops::function::FnOnce::call_once::hbe9222f6c467a2dd function.rs:250
    #9 0x000100f6bf44 in test::__rust_begin_short_backtrace::h7cabe5eb11a69265+0x14 (core_foundation-3972cd86ff0357a4:arm64+0x1000bbf44)
    #10 0x000100f6b99c in test::run_test::_$u7b$$u7b$closure$u7d$$u7d$::hf6648e126fa4cc83+0x1a8 (core_foundation-3972cd86ff0357a4:arm64+0x1000bb99c)
    #11 0x000100f3afa8 in std::sys::backtrace::__rust_begin_short_backtrace::hf87ac20de127c0cb+0x90 (core_foundation-3972cd86ff0357a4:arm64+0x10008afa8)
    #12 0x000100f3e078 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hfca5c1a5abcdb1f6+0xb4 (core_foundation-3972cd86ff0357a4:arm64+0x10008e078)
    #13 0x000100f99020 in std::sys::pal::unix::thread::Thread::new::thread_start::h32ebc818d3924195+0x30 (core_foundation-3972cd86ff0357a4:arm64+0x1000e9020)
    #14 0x00010173a408 in asan_thread_start(void*)+0x48 (librustc-nightly_rt.asan.dylib:arm64+0x4e408)
    #15 0x00018145c2e0 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x72e0)
    #16 0x0001814570f8 in thread_start+0x4 (libsystem_pthread.dylib:arm64+0x20f8)

==75173==Register values:
 x[0] = 0x000060700000aac0   x[1] = 0x00000001f5549ce1   x[2] = 0x0000000000000001   x[3] = 0x0000000000000001
 x[4] = 0x000060600000ae40   x[5] = 0x0000000000000001   x[6] = 0x000000016fda8000   x[7] = 0x0000000000000001
 x[8] = 0x00000018000003e8   x[9] = 0x00007ffffffffff8  x[10] = 0x6ae160700000aac0  x[11] = 0x000000702e0153b3
x[12] = 0x000000702e0153b1  x[13] = 0x000000702e0153a0  x[14] = 0x00000018000003ef  x[15] = 0x00000018000003e8
x[16] = 0x00000018000003e8  x[17] = 0x00000001f34b2ef0  x[18] = 0x0000000000000000  x[19] = 0x000000016ffa9da0
x[20] = 0x0000000000000001  x[21] = 0x000000016ffaa340  x[22] = 0x000000016ffaa350  x[23] = 0x0000000100fcab08
x[24] = 0x00000001814648b0  x[25] = 0x0000000101033000  x[26] = 0x000000003b9aca00  x[27] = 0x0000000000000000
x[28] = 0x0000000000000000     fp = 0x000000016ffa9ff0     lr = 0x0000000100f23414     sp = 0x000000016ffa9b80
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS (libobjc.A.dylib:arm64+0x9820) in objc_msgSend+0x20
Thread T24 created by T0 here:
    #0 0x000101735238 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x49238)
    #1 0x000100f98e84 in std::sys::pal::unix::thread::Thread::new::h36757e4409f8ca82+0xc8 (core_foundation-3972cd86ff0357a4:arm64+0x1000e8e84)
    #2 0x000100f6a160 in test::run_test::h158fb525dab1f104+0x7cc (core_foundation-3972cd86ff0357a4:arm64+0x1000ba160)
    #3 0x000100f50988 in test::console::run_tests_console::h6fceff377246963b+0x14cc (core_foundation-3972cd86ff0357a4:arm64+0x1000a0988)
    #4 0x000100f67984 in test::test_main::h601fb47e4b56444a+0x12c (core_foundation-3972cd86ff0357a4:arm64+0x1000b7984)
    #5 0x000100f6854c in test::test_main_static::h677202b6c39dc919+0x54 (core_foundation-3972cd86ff0357a4:arm64+0x1000b854c)
    #6 0x000100ebc9c4 in core_foundation::main::h9809b68546e8b593 lib.rs
    #7 0x000100efab48 in core::ops::function::FnOnce::call_once::h0f8a9659531d2ca9 function.rs:250
    #8 0x000100ee0630 in std::sys::backtrace::__rust_begin_short_backtrace::h90876a24ed99919b backtrace.rs:154
    #9 0x000100f135bc in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h6c551cfc5e56aa43 rt.rs:195
    #10 0x000100f8de14 in std::rt::lang_start_internal::habe8da1df8d08a04+0x440 (core_foundation-3972cd86ff0357a4:arm64+0x1000dde14)
    #11 0x000100f133f4 in std::rt::lang_start::h63051a97db1a49b5 rt.rs:194
    #12 0x000100ebc9f0 in main+0x20 (core_foundation-3972cd86ff0357a4:arm64+0x10000c9f0)
    #13 0x0001810dc270  (<unknown module>)

==75173==ABORTING
