Stream: git-wasmtime

Topic: wasmtime / issue #8905 Unsound problem in `JitDumpFile::d...

view this post on Zulip Wasmtime GitHub notifications bot (Jul 06 2024 at 06:58):

safe4u opened issue #8905:

Hi, we have found an unsound problem caused by the unsafe call std::slice::from_raw_parts in https://github.com/bytecodealliance/wasmtime/blob/842fa767acdc26f096ac108605353b8b71e23169/crates/jit-debug/src/perf_jitdump.rs#L252
from_raw_parts converts the pointer addr and the len into a slice without validation and that memory block would be dumped.
Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow.

POC

Here follows a simple POC written in safe Rust code.

use wasmtime_jit_debug::perf_jitdump::JitDumpFile;
fn main() {
    let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap();
    let str1 = "hi";
    let _r = jit_file.dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4).unwrap();
}

Suggestion

There are two possible action choices could be taken:
1. Mark the function dump_code_load_record as unsafe and write Safety requirement.
2. (recommended) Merge parameter addr and len into a single parameter code_buffer: &[u8], so the compiler would guarantee the buffer is valid.

view this post on Zulip Wasmtime GitHub notifications bot (Jul 08 2024 at 19:08):

fitzgen closed issue #8905:

Hi, we have found an unsound problem caused by the unsafe call std::slice::from_raw_parts in https://github.com/bytecodealliance/wasmtime/blob/842fa767acdc26f096ac108605353b8b71e23169/crates/jit-debug/src/perf_jitdump.rs#L252
from_raw_parts converts the pointer addr and the len into a slice without validation and that memory block would be dumped.
Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow.

POC

Here follows a simple POC written in safe Rust code.

use wasmtime_jit_debug::perf_jitdump::JitDumpFile;
fn main() {
    let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap();
    let str1 = "hi";
    let _r = jit_file.dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4).unwrap();
}

Suggestion

There are two possible action choices could be taken:
1. Mark the function dump_code_load_record as unsafe and write Safety requirement.
2. (recommended) Merge parameter addr and len into a single parameter code_buffer: &[u8], so the compiler would guarantee the buffer is valid.

Last updated: Nov 22 2024 at 16:03 UTC