Skip to content

patina_internal_collections: Fix UB memory read in Node fields #1152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
garybeihl wants to merge 2 commits into
base: main
Choose a base branch
from
Open

patina_internal_collections: Fix UB memory read in Node fields #1152

garybeihl wants to merge 2 commits into from
+190 −81

Conversation

@garybeihl
Copy link
Contributor

@garybeihl garybeihl commented Dec 3, 2025
edited by makubacki
Loading

Description

Fixes an undefined behavior issue where Cell::set() reads uninitialized memory during linked list creation in Storage::resize().

Root Cause

  • Cell::set() internally uses mem::replace(), which reads the old value before writing the new one.
  • When Storage::resize() allocates new nodes and calls build_linked_list(), the Cell fields contain uninitialized memory.
  • Reading uninitialized memory is undefined behavior, even if immediately overwritten. Unwanted compiler "optimizations" could follow.

Impact

Fix

  • Initialize all Cell fields using ptr::write() before build_linked_list()
  • Use addr_of_mut!() to read field pointers without creating references to uninitialized data

Introduced by

Related to #560

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

  • Tested with: cargo +nightly-2025-09-19 miri test -p patina_dxe_core.
  • 7 tests now pass (previously 0/469 due to this UB issue).

Integration Instructions

N/A

@github-actions github-actions bot added the impact:security Has a security impact label Dec 3, 2025
@garybeihl garybeihl added the type:bug Something isn't working label Dec 3, 2025
@codecov
Copy link

codecov bot commented Dec 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@garybeihl garybeihl force-pushed the fix-node-uninit branch 2 times, most recently from 492ef76 to 7a57e63 Compare December 3, 2025 16:57
os-d
os-d reviewed Dec 3, 2025
View reviewed changes
joschock
joschock reviewed Dec 3, 2025
View reviewed changes
Javagedes
Javagedes reviewed Dec 3, 2025
View reviewed changes
Javagedes
Javagedes reviewed Dec 3, 2025
View reviewed changes
@garybeihl garybeihl force-pushed the fix-node-uninit branch 4 times, most recently from f0178c1 to b1385f8 Compare December 9, 2025 00:26
@garybeihl garybeihl force-pushed the fix-node-uninit branch 2 times, most recently from ae5dcec to 7fcea9b Compare December 16, 2025 00:41
@Javagedes
Copy link
Contributor

Javagedes commented Dec 19, 2025

Hi @garybeihl , I noticed you've been keeping this PR up to date, but not working on it (which is completely fine).

I just wanted to make sure you were not waiting on additional information from any of us that have commented on this PR (i.e. make sure we are not blocking you in any way)!

@garybeihl
Copy link
Contributor Author

garybeihl commented Dec 19, 2025

No - not blocked - I uploaded a version of the changes that uses MaybeUninit and D: Default - just waiting for further comments or change requests. If you could have a look when you get a chance, that would be great - thanks!

@garybeihl garybeihl force-pushed the fix-node-uninit branch 3 times, most recently from a3c3321 to 490f0cf Compare December 23, 2025 21:23
makubacki
makubacki reviewed Jan 12, 2026
View reviewed changes
@garybeihl garybeihl force-pushed the fix-node-uninit branch 4 times, most recently from f6e8da6 to 84636f4 Compare January 15, 2026 15:04
@garybeihl
patina_internal_collections: Use MaybeUninit to avoid Default require…
e2a9857 
…ment

Replace Default trait requirement with MaybeUninit wrapper for Node data field.
Only initialize data when nodes move from available to in-use list.
Fixes UB where Cell::set() was reading uninitialized memory.
@garybeihl
patina_internal_collections: Add safety comments to fix clippy warnings
f669b07 
Add safety documentation to all unsafe blocks in production code.
Add allow(clippy::undocumented_unsafe_blocks) to test modules
to avoid redundant safety comments for test assertions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@makubacki makubacki makubacki left review comments

@os-d os-d Awaiting requested review from os-d

@joschock joschock Awaiting requested review from joschock

@Javagedes Javagedes Awaiting requested review from Javagedes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

impact:security Has a security impact type:bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@garybeihl @Javagedes @makubacki @os-d @joschock