lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH5fLghN8L4cJsRuH-eqU4E5GaTJRUhw0cAStjHAj1RNJA-vhg@mail.gmail.com>
Date: Tue, 30 Jul 2024 19:50:01 +0200
From: Alice Ryhl <aliceryhl@...gle.com>
To: Benno Lossin <benno.lossin@...ton.me>
Cc: Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, 
	Wedson Almeida Filho <wedsonaf@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, 
	Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Andreas Hindborg <a.hindborg@...sung.com>, rust-for-linux@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: implement ForeignOwnable for Pin<Box<T>>

On Tue, Jul 30, 2024 at 7:14 PM Benno Lossin <benno.lossin@...ton.me> wrote:
>
> On 30.07.24 15:06, Alice Ryhl wrote:
> > @@ -89,6 +90,32 @@ unsafe fn from_foreign(ptr: *const core::ffi::c_void) -> Self {
> >      }
> >  }
> >
> > +impl<T: 'static> ForeignOwnable for Pin<Box<T>> {
> > +    type Borrowed<'a> = Pin<&'a T>;
> > +
> > +    fn into_foreign(self) -> *const core::ffi::c_void {
> > +        // SAFETY: We are still treating the box as pinned.
>
> I don't think that we have the guarantee that the pointee at the pointer
> that is returned by `into_foreign` is not moved.

That doesn't seem like the kind of thing we need a guarantee for.
Rather, unless we give anyone a guarantee that dereferencing it is
okay, it seems reasonable to assume that it won't be dereferenced.
Right now, it's just an opaque pointer, so C really shouldn't be
touching it. We already implement the trait for Arc which is also
pinned and also doesn't even point at a value of type T.

> AFAIU `ForeignOwnable` is used to store these pointers in C structures
> and never to actually access the value behind the returned pointer. So
> we could add the requirement to `into_foreign` (thus making it `unsafe`)
> that the pointer should not be dereferenced/used aside from `borrow` and
> `from_foreign`. Otherwise I don't see how the call below can be OK.
> What do you think?

Dereferencing the void pointer is unsafe in itself, so I don't see why
`into_foreign` has to be unsafe too.

Alice

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ