update README.md, add references.rs, and change segfault to rely on dereferencing a null reference

Creative0708 · Creative0708 · commit c78b2b4a5c68 · 2024-02-20T17:51:04.000-05:00
diff --git a/README.md b/README.md
@@ -1,7 +1,9 @@
 <p align="center">
   <h1 align="center">cve-rs</h1> 
   <h6 align="center">
-    <img src="https://img.shields.io/github/actions/workflow/status/serde-rs/serde/ci.yml?branch=master" align="top">
+    <a href="https://github.com/Speykious/cve-rs/actions/workflows/ci.yaml">
+      <img src="https://img.shields.io/github/actions/workflow/status/serde-rs/serde/ci.yml?branch=master" align="top">
+    </a>
   </h6>
   
   <div align="center">
@@ -19,13 +21,16 @@ We are very committed to making sure **cve-rs** is memory-safe. We know that uns
 
 > *\* There is, unfortunately, one exception: In our tests, we compare the results of our safe `transmute` function against the regular `std::mem::transmute` function. Perhaps somewhat shortsightedly, the standard library implementation is unsafe. Regardless, this is only in our tests - the core library has no unsafe code.*
 
-**cve-rs** has safe implementations of the following bugs:
+**cve-rs** implements the following bugs in safe Rust:
 
 - Use after free
 - Buffer overflow
 - Segmentation fault
 
-**cve-rs** also contains a safe reimplementation of `core::mem::transmute`.
+**cve-rs** also contains safe reimplementations of:
+
+- `std::mem::transmute`
+- `std::ptr::null()`/`null_mut()` but for references
 
 Here is an example of usage with the `segfault` subcommand:
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -9,6 +9,7 @@ pub mod lifetime_expansion;
 
 // The bugs we created with the exploit
 pub mod buffer_overflow;
+pub mod references;
 pub mod segfault;
 pub mod transmute;
 pub mod use_after_free;
@@ -20,6 +21,8 @@ pub use segfault::segfault;
 pub use transmute::transmute;
 pub use use_after_free::use_after_free;
 
+pub use references::{null, null_mut};
+
 /// Construct a [`String`] from a pointer, capacity and length, in a completely safe manner.
 ///
 /// [`String`] is a `Vec<u8>` which is a `(RawVec, usize)` which is a `((Unique, usize), usize)`.
@@ -49,21 +52,6 @@ pub fn construct_fake_string(ptr: *mut u8, cap: usize, len: usize) -> String {
 	crate::transmute::<_, String>(actual_buf)
 }
 
-use std::hint::black_box;
-
-/// Returns a static reference to a dropped `Box<Box<T>>`.
-#[inline(never)]
-#[allow(clippy::borrowed_box, clippy::redundant_allocation)]
-fn get_dropped_box<T: Default>() -> &'static mut Box<Box<T>> {
-	let mut boxx = black_box(Box::<Box<T>>::default());
-	lifetime_expansion::expand_mut(&mut boxx)
-}
-
-/// Not allocate an object. The returned reference is always invalid.
-pub fn not_alloc<'a, T: Default + 'static>() -> &'a mut T {
-	get_dropped_box::<T>().as_mut().as_mut()
-}
-
 /// Good for job security.
 #[cfg(feature = "give-up")]
 pub fn give_up<T: 'static>() -> Box<T> {
diff --git a/src/references.rs b/src/references.rs
@@ -0,0 +1,17 @@
+//! Reimplementations of [`std::ptr::null()`] and [`std::ptr::null_mut()`], with safe code only.
+//! Relies on [`crate::transmute`] under the hood.
+
+/// Equivalent to [`std::ptr::null()`], but returns an null reference instead.
+pub fn null<'a, T: 'static>() -> &'a T {
+	crate::transmute(0usize)
+}
+/// Equivalent to [`std::ptr::null_mut()`], but returns an mutable null reference instead.
+pub fn null_mut<'a, T: 'static>() -> &'a mut T {
+	crate::transmute(0usize)
+}
+
+/// Not allocate an object. The returned reference is always invalid.
+/// This is equivalent to [`crate::null_mut()`].
+pub fn not_alloc<'a, T: 'static>() -> &'a mut T {
+	null_mut()
+}
diff --git a/src/segfault.rs b/src/segfault.rs
@@ -1,6 +1,6 @@
 //! A 100% memory-safe segmentation fault.
 //!
-//! We use this hole to create a `'static` reference to a dropped (yes, dropped) `Box<Box<u8>>`.
+//! We use the soundness hole to create a mutable null reference to a `u8`.
 //!
 //! The smart pointer exists on the stack, but was dropped, so the reference
 //! is borrowing arbitrary data on the stack. We can then fill the stack with zeros, which
@@ -13,15 +13,10 @@
 //! > memory instead of segfaulting on a null pointer. We think this is due to compiler
 //! > optimisations.
 
-use std::hint::black_box;
-
-use crate::not_alloc;
-
 /// Segfaults the program.
 pub fn segfault() -> ! {
-	let not_my_ref = not_alloc::<u8>();
-	black_box([0; 1024]);
-	println!("{not_my_ref:?}");
+	let null = crate::null_mut::<u8>();
+	*null = 42;
 
 	// WASM. u_u
 	unreachable!("Sorry, your platform is too strong.")
