Undefined behaviors in Drop implementation for DartCObjectΒ #72
Description
Unsoundness in Drop for DartCObject
We found that a memory safety bugs could be triggered with the drop of DartCObject if a DartArray is constructed with a null pointer and a non-zero length.
Lines 172 to 180 in 9134004
If the public field of
values is assigned to NULL, it will be passed to the unsafe function slice::from_raw_parts_mut,allo-isolate/src/dart_array.rs
Lines 54 to 60 in 9134004
which violates its safety invariants: The pointer passed to the unsafe function is required to be non-null!
PoC
fn main() {
let corrupted_obj = DartCObject {
ty: DartCObjectType::DartArray,
value: DartCObjectValue {
as_array: DartNativeArray {
length: 100,
values: std::ptr::null_mut(),
},
},
};
drop(corrupted_obj);
}run with Miri,
error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 800 bytes, but got null pointer
--> /home/usr/.cargo/registry/src/index.crates.io-6f17d22bba15001f/allo-isolate-0.1.27/src/dart_array.rs:57:17
|
57 | slice::from_raw_parts_mut(arr.values, arr.length as usize);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined BehaviorHow could this happen in Real-World
Lines 168 to 172 in 9134004
As shown at line 171, it is intuitive for user to learn the code convention from the crate and pass
std::ptr::null_mut() to the Dart types.Besides, we also find that the path for
DartTypedData has implemented guard against null pointer perfectly.Lines 181 to 188 in 9134004
We consider that the possibility of null pointer might be ignored on the path of
DartArray. As it is encapsulated as safe function, we recommend to add the same check to the path of drop implementation.