[safety-dance] Remove some unsound usages of unsafe

[danielhenrymantilla]

(This is currently a WIP PR, for other members of safety-dance to help audit and improve the code)

This PR aims to tackle the issues raised in rust-secure-code/safety-dance#4

Although the author had done a great job with only few instances of unsafe usage, and all quite well documented / justified, it turns out that the usage of unininitalized bytes has currently no defined behavior in Rust. Instead, the MaybeUninit abstraction can be used, to safely handle uninitialized memory. Sadly, the Read trait of the std library does not yet offer an API to work with MaybeUninit.

Hence the usage of a helper crate, ::uninit, which provides precisely these zero-cost sound constructs.

• the only thing is that for ::uninit::ReadIntoUninit to be usable with the custom reader of the crate, this unsafe trait has been required to be (re)implemented, resulting in some other unsafe instances. However, these unsafe instances are more of a formality (they aim to guard against a malicious implementation of the trait, which is not the case here).

• so besides these 3 sound usages of unsafe for the ReadIntoUninit impl, the other unsafe blocks have been defused, except for two very well documented and justified cases of unchecked indexing, that I have therefore let be (I consider them sound).

---

Sadly, I have not been able to run the unit tests because some files are not in the repository. So I haven't been able to benchmark the impact of these changes 😕

[danielhenrymantilla]

.read_into is just .read_exact from io::Read

[danielhenrymantilla]

this may not have been a great idea if the plan is to support old versions of Rust

[danielhenrymantilla]

I wanted to avoid code repetition for a start, later on this could be improved to use .read_into_uninit_exact's implementation, but replacing the EOF error with a return of the initialized subslice.

[danielhenrymantilla]

(imho we shouldn't be targetting such an old version of Rust ...)

[danielhenrymantilla]

this was UB because it was creating a &mut reference to uninitialized bytes

[danielhenrymantilla]

::uninit is perfect for this kind of patterns

[danielhenrymantilla]

let's keep a witness of length - 4 not underflowing for later usage.

[Shnatsel]

Why is implementing ReadIntoUninit unsafe? std::io::Read provides a way to write to a Vec yet implementing it is totally safe. Reading into uninit is exactly as safe as reading into a Vec.

[danielhenrymantilla]

Take this code pattern (which I expect to be kind of reimplemented by crate users for similar but not quite equal needs): https://docs.rs/uninit/0.1.0/src/uninit/lib.rs.html#195-226

The last step, where it is assumed that buf[.. n] has been init thanks to a series of calls to .read_into_init whose returned lengths add up to n, is only sound if .read_into_init "isn't trolling" / malicious.

• Imagine an implementation of .read_into_init returning a Box::leak(Box::new([0_u8])). A slice with length > 0 has been returned, but the input buffer is still uninit, so assuming that the first length elements have been init would be unsound.

---

From the docs:

• buf[.. init_buf.len()] is sound to assume_init

unsafe code can assume this property to skip checks or manual initialization, and that's why incorrectly impl-ementing this marker trait can compromise memory safety.

---

So, this is one of these cases where the trait needs to be unsafe, although there is no danger if the implementation is not deliberately trying to abuse it; such as with TrustedLen

[BlackHoleFox]

I'm not sure where this PR left off, but I found this library today but the UB is concerning, especially considering I want to parse potentially untrusted FLAC files. Can I help this one out somehow?

I tried benchmarking this branch vs master, but some new runtime UB checks make it impossible to run the benchmarks. Every benchmark fails with this output:

cargo +nightly bench
...
---- bench_p0_mono_16bit stdout ----
thread 'main' panicked at 'attempted to leave type `claxon::FlacReader<std::io::Cursor<std::vec::Vec<u8>>>` uninitialized, which is invalid', /Users/fox/.rustup/toolchains/nightly-x86_64-apple-darwin/lib/rustlib/src/rust/library/core/src/mem/mod.rs:671:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The danielhenrymantilla:fix_unsoundness fork also fails to compile because uninit v0.1 has been yanked and any future versions have a different public API, resulting in compilation failures.

[danielhenrymantilla]

Thanks for reminding me of this PR; I now have enough time to go back at tackling and polishing this 🙂 .

For instance, the uninit crate has been updated and improved since (with indeed some necessary API changes to prevent "an unsound troll misusage" (such misusage is not present in this PR) that that v0.1 allowed (hence the yanking).

[est31]

I'd really love something like this PR. I've reviewed the unsafe uses of this crate and they are, well, not great at all. I think that the uninit crate introduces way too much disruption. Yanking semver versions has an impact on the supply chain of unjustified proportions, especially if done because you think the old version's API design allows for misuse. There are dedicated tools that you can register CVEs with.

[est31]

As an update, rust is considering to deprecate mem::uninitialized completely: rust-lang/rust#100342 . I think that some PR should be merged so that this crate doesn't use that function any more, ideally sooner rather than later.