lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANiq72mhgL-eidEBhxkzMKFztAjRjAFEdeO5Oe6Uv1mVMtEdoA@mail.gmail.com>
Date: Sat, 9 Nov 2024 22:33:54 +0100
From: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To: Christian dos Santos de Lima <christiansantoslima21@...il.com>
Cc: rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, 
	Boqun Feng <boqun.feng@...il.com>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>, 
	Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, ~lkcamp/patches@...ts.sr.ht
Subject: Re: [PATCH v3] rust: transmute: Add implementation for FromBytes trait

On Sat, Nov 9, 2024 at 6:54 AM Christian dos Santos de Lima
<christiansantoslima21@...il.com> wrote:
>
> Add implementation and documentation for FromBytes trait.

Thanks for the patch! Some comments below...

The title does not need to be duplicated in the message.

More importantly, the commit message should explain what you are
changing and why.

In particular, "Add implementation and documentation for FromBytes
trait." seems wrong, because we already have the implementation and
the documentation for the `FromBytes` trait.

> Add new feature block in order to allow using ToBytes
> and bound to from_bytes_mut function. I'm adding this feature
> because is possible create a value with disallowed bit pattern
> and as_byte_mut could create such value by mutating the array and
> accessing the original value. So adding ToBytes this can be avoided.

I understand that you want to add those two features, but you need to
justify more precisely why they are needed, e.g. is there a way to do
it without them? If yes, why cannot use that alternative way? e.g. is
it too complicated? Or is it that it cannot be achieved without the
feature at all? Please try to be explicit and mention both features by
name.

Also, you should mention their status if you know about it, since we
should avoid adding new features, given that we are trying to get
Linux into stable Rust:

    https://rust-for-linux.com/unstable-features#usage-in-the-kernel

>  //! Traits for transmuting types.
>
> +use core::simd::ToBytes;
>  /// Types for which any bit pattern is valid.

Please try to be consistent with the rest of the code in its style,
e.g. newline here, whitespace elsewhere, safety comments, use
Markdown, etc. (but we can discuss that in a later version).

> +pub unsafe trait FromBytes {
> +    /// Get an imutable slice of bytes and converts to a reference to Self

Typo (`scripts/checkpatch.pl` has spell checking capabilities).

More importantly, this `unsafe fn` does not have a `# Safety` section.

> +    /// # Safety
> +    ///
> +    /// Bound ToBytes in order to avoid use with disallowed bit patterns

This `# Safety` section does not explain the safety preconditions; and
the bound is anyway in the signature already, i.e. this section is not
about explaining how you implemented something, but for users to learn
how to use it properly.

> +// Get a reference of slice of bytes and converts into a reference of integer or a slice with a defined size

This seems misplaced?

> +/// Get a reference of slice of bytes and converts into a reference of an array of integers
> +///
> +/// Types for which any bit pattern is valid.
> +///
> +/// Not all types are valid for all values. For example, a `bool` must be either zero or one, so
> +/// reading arbitrary bytes into something that contains a `bool` is not okay.
> +///
> +/// It's okay for the type to have padding, as initializing those bytes has no effect.
> +///

This also seems misplaced, and apparently is a mixture of the
`FromBytes` docs (?).

> +unsafe impl<T: FromBytes> FromBytes for [T] {
> +    unsafe fn from_bytes(slice_of_bytes: &[u8]) -> &Self {
> +        // Safety: Guarantee that all values are initialized

Please see how other safety comments are written: we need to justify
the preconditions of the unsafe operations within the block. So, for
instance, indeed, the values need to be initialized to call
`from_raw_parts_mut`, but why they are so?

Some operations here do not need to be in the block -- we try to minimize them.

>  pub unsafe trait AsBytes {}
> -
>  macro_rules! impl_asbytes {
>      ($($({$($generics:tt)*})? $t:ty, )*) => {
>          // SAFETY: Safety comments written in the macro invocation.
> @@ -63,7 +141,6 @@ macro_rules! impl_asbytes {
>      bool,
>      char,
>      str,
> -
>      // SAFETY: If individual values in an array have no uninitialized portions, then the array

Please avoid spurious/unrelated changes -- these should not be in the patch.

Thanks!

Cheers,
Miguel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ