Hello, we are reviewing the previous advisories. We find that the following function `transmute_slice` can trigger undefined behavior by creating a misaligned pointer. We consider that we should not allow users to decide the two generic types (v and U) by themselves.
The relevant lines (Fyrox/fyrox-core/src/lib.rs, lines 366 to 369 in ebffbe6):

```rust
unsafe {
    std::slice::from_raw_parts(
        v.as_ptr() as *const U,
        std::mem::size_of_val(v) / std::mem::size_of::<U>(),
    )
}
```
Check the safety doc of `from_raw_parts`:

> `data` must be non-null, valid for reads for `len * size_of::<T>()` many bytes, and it must be properly aligned.
The following is the PoC:

```rust
use fyrox_core::transmute_slice;

fn main() {
    // Five bytes: not guaranteed to be 4-byte aligned, and not a whole number of u32s.
    let data: Vec<u8> = vec![1, 2, 3, 4, 5];
    // Reinterprets the u8 buffer as u32 without any alignment check.
    let bytes: &[u32] = transmute_slice(&data);
    println!("Byte length: {}", bytes.len());
}
```
Miri's result:

```text
error: Undefined Behavior: constructing invalid value: encountered an unaligned reference (required 4 byte alignment but found 1)
   --> /root/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fyrox-core-0.36.2/src/lib.rs:338:9
    |
338 | /         std::slice::from_raw_parts(
339 | |             v.as_ptr() as *const U,
340 | |             std::mem::size_of_val(v) / std::mem::size_of::<U>(),
341 | |         )
    | |_________^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: BACKTRACE:
    = note: inside `fyrox_core::transmute_slice::<u8, u32>` at /root/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fyrox-core-0.36.2/src/lib.rs:338:9: 341:10
```
We suggest adding an alignment-check assertion.
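An alignment-checked variant of the same reinterpretation, as an added example that is neither fyrox's code nor a proposed patch. It keeps the `from_raw_parts` cast but refuses misaligned starts, byte lengths that are not a multiple of `size_of::<U>()`, and zero-sized `U` (which would make the original's division panic); the names `checked_transmute_slice` and `TransmuteError` are chosen here, and the input in `main` is constructed.

```rust
use std::mem::{align_of, size_of, size_of_val};

/// Why reinterpreting `&[T]` as `&[U]` was refused.
#[derive(Debug, PartialEq, Eq)]
pub enum TransmuteError {
    /// `U` is zero-sized: the element-count division would divide by zero.
    ZeroSizedTarget,
    /// The slice's start address is not a multiple of `align_of::<U>()`.
    Misaligned { required: usize, found: usize },
    /// The byte length is not a whole number of `U` elements.
    LengthNotMultiple { bytes: usize, elem_size: usize },
}

/// Checked variant of the reinterpretation: the same `from_raw_parts` cast, but only
/// after alignment and length checks. Callers must still guarantee that every bit
/// pattern of `T` is a valid `U` (e.g. both plain integers); no runtime check can do that.
pub fn checked_transmute_slice<T, U>(v: &[T]) -> Result<&[U], TransmuteError> {
    let elem_size = size_of::<U>();
    if elem_size == 0 {
        return Err(TransmuteError::ZeroSizedTarget);
    }
    if v.is_empty() {
        // An empty slice has a dangling pointer; do not touch it at all.
        return Ok(&[]);
    }
    let required = align_of::<U>();
    let addr = v.as_ptr() as usize;
    if addr % required != 0 {
        // Largest power-of-two alignment the address does satisfy (Miri's "found N").
        let found = 1usize << addr.trailing_zeros();
        return Err(TransmuteError::Misaligned { required, found });
    }
    let bytes = size_of_val(v);
    if bytes % elem_size != 0 {
        return Err(TransmuteError::LengthNotMultiple { bytes, elem_size });
    }
    // SAFETY: the pointer is non-null (non-empty slice), aligned for `U` (checked above),
    // and `bytes / elem_size` elements cover exactly the bytes of `v`, which stay borrowed
    // for the returned lifetime. Bit-pattern validity of `U` is the caller's contract.
    Ok(unsafe { std::slice::from_raw_parts(v.as_ptr() as *const U, bytes / elem_size) })
}

fn main() {
    // Constructed input: two u32 words, so the backing bytes are 4-byte aligned.
    let words: [u32; 2] = [0x0403_0201, 0x0807_0605];
    let bytes: &[u8] = checked_transmute_slice(&words).unwrap();
    // Same bytes offset by one: the misaligned case Miri flagged, now refused.
    println!("{:?}", checked_transmute_slice::<u8, u32>(&bytes[1..5]));
}
```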