lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZRL3mlWXqseER8xK@Boquns-Mac-mini.home>
Date:   Tue, 26 Sep 2023 08:24:10 -0700
From:   Boqun Feng <boqun.feng@...il.com>
To:     Gary Guo <gary@...yguo.net>
Cc:     Benno Lossin <benno.lossin@...ton.me>, Alice Ryhl <alice@...l.io>,
        Alice Ryhl <aliceryhl@...gle.com>,
        Wedson Almeida Filho <wedsonaf@...il.com>,
        rust-for-linux@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
        Alex Gaynor <alex.gaynor@...il.com>,
        Björn Roy Baron <bjorn3_gh@...tonmail.com>,
        Andreas Hindborg <a.hindborg@...sung.com>,
        linux-kernel@...r.kernel.org,
        Wedson Almeida Filho <walmeida@...rosoft.com>
Subject: Re: [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of
 `WithRef`

On Tue, Sep 26, 2023 at 04:26:59PM +0800, Gary Guo wrote:
> On Mon, 25 Sep 2023 22:26:56 +0000
> Benno Lossin <benno.lossin@...ton.me> wrote:
> 
[...]
> > 
> > The pointer was originally derived by a call to `into_raw`:
> > ```
> >      pub fn into_raw(self) -> *const T {
> >          let ptr = self.ptr.as_ptr();
> >          core::mem::forget(self);
> >          // SAFETY: The pointer is valid.
> >          unsafe { core::ptr::addr_of!((*ptr).data) }
> >      }
> > ```
> > So in this function the origin (also the origin of the provenance)
> > of the pointer is `ptr` which is of type `NonNull<WithRef<T>>`.
> > Raw pointers do not lose this provenance information when you cast
> > it and when using `addr_of`/`addr_of_mut`. So provenance is something
> > that is not really represented in the type system for raw pointers.
> > 
> > When doing a round trip through a reference though, the provenance is
> > newly assigned and thus would only be valid for a `T`:
> > ```
> > let raw = arc.into_raw();
> > let reference = unsafe { &*raw };
> > let raw: *const T = reference;
> > let arc = unsafe { Arc::from_raw(raw) };
> > ```
> > Miri would complain about the above code.
> > 
> 
> One thing we can do is to opt from strict provenance, so:
> 

A few questions about strict provenance:

> ```
> let raw = arc.into_raw();
> let _ = raw as usize; // expose the provenance of raw

Should this be a expose_addr()?

> let reference = unsafe { &*raw };
> let raw = reference as *const T as usize as *const T;

and this is a from_exposed_addr{_mut}(), right?

> let arc = unsafe { Arc::from_raw(raw) };
> ```
> 

One step back, If we were to use strict provenance API (i.e.
expose_addr()/from_exposed_addr()), we could use it to "fix" the
original problem? By:

*	expose_addr() in as_with_ref()
*	from_exposed_addr() in `impl From<&WithRef<T>> for Arc`

right?

More steps back, is the original issue only a real issue under strict
provenance rules? Don't make me wrong, I like the ideas behind strict
provenance, I just want to check, if we don't enable strict provenance
(as a matter of fact, we don't do it today), will the original issue
found by Alice be a UB? Or is there a way to disable Miri's check on
strict provenance? IIUC, the cause of the original issue is that "you
cannot reborrow a pointer derived from a `&` to get a `&mut`, even when
there is no other alias to the same object". Maybe I'm still missing
something, but without strict provenance, is this a problem? Or is there
a provenance model of Rust without strict provenance?

Regards,
Boqun

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ