safe4u opened issue #8905:
Hi, we have found an unsound problem caused by the unsafe call
std::slice::from_raw_parts
in https://github.com/bytecodealliance/wasmtime/blob/842fa767acdc26f096ac108605353b8b71e23169/crates/jit-debug/src/perf_jitdump.rs#L252
from_raw_parts
converts the pointeraddr
and thelen
into a slice without validation and that memory block would be dumped.
Thus, the 'safe' functiondump_code_load_record
is actually 'unsafe' since it requires the caller to guarantee that theaddr
is valid andlen
must not overflow.POC
Here follows a simple POC written in safe Rust code.
use wasmtime_jit_debug::perf_jitdump::JitDumpFile; fn main() { let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap(); let str1 = "hi"; let _r = jit_file.dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4).unwrap(); }
Suggestion
There are two possible action choices could be taken:
1. Mark the functiondump_code_load_record
as unsafe and write Safety requirement.
2. (recommended) Merge parameteraddr
andlen
into a single parametercode_buffer: &[u8]
, so the compiler would guarantee the buffer is valid.
fitzgen closed issue #8905:
Hi, we have found an unsound problem caused by the unsafe call
std::slice::from_raw_parts
in https://github.com/bytecodealliance/wasmtime/blob/842fa767acdc26f096ac108605353b8b71e23169/crates/jit-debug/src/perf_jitdump.rs#L252
from_raw_parts
converts the pointeraddr
and thelen
into a slice without validation and that memory block would be dumped.
Thus, the 'safe' functiondump_code_load_record
is actually 'unsafe' since it requires the caller to guarantee that theaddr
is valid andlen
must not overflow.POC
Here follows a simple POC written in safe Rust code.
use wasmtime_jit_debug::perf_jitdump::JitDumpFile; fn main() { let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap(); let str1 = "hi"; let _r = jit_file.dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4).unwrap(); }
Suggestion
There are two possible action choices could be taken:
1. Mark the functiondump_code_load_record
as unsafe and write Safety requirement.
2. (recommended) Merge parameteraddr
andlen
into a single parametercode_buffer: &[u8]
, so the compiler would guarantee the buffer is valid.
Last updated: Dec 23 2024 at 12:05 UTC