Message-ID: <137dd7ef-b8f6-43df-87e0-115f913d0465@proton.me>
Date: Tue, 25 Feb 2025 22:38:38 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Ventura Jack <venturajack85@...il.com>
Cc: Gary Guo <gary@...yguo.net>, Linus Torvalds <torvalds@...ux-foundation.org>, Kent Overstreet <kent.overstreet@...ux.dev>, airlied@...il.com, boqun.feng@...il.com, david.laight.linux@...il.com, ej@...i.de, gregkh@...uxfoundation.org, hch@...radead.org, hpa@...or.com, ksummit@...ts.linux.dev, linux-kernel@...r.kernel.org, miguel.ojeda.sandonis@...il.com, rust-for-linux@...r.kernel.org
Subject: Re: C aggregate passing (Rust kernel policy)

On 25.02.25 00:04, Ventura Jack wrote:
> On Mon, Feb 24, 2025 at 3:03 PM Benno Lossin <benno.lossin@...ton.me> wrote:
>>
>> On 24.02.25 17:57, Ventura Jack wrote:
>>> One example I tested against MIRI:
>>>
>>>     use std::cell::UnsafeCell;
>>>
>>>     fn main() {
>>>
>>>         let val: UnsafeCell<i32> = UnsafeCell::new(42);
>>>         let x: & UnsafeCell<i32> = &val;
>>>         let y: & UnsafeCell<i32> = &val;
>>>
>>>         unsafe {
>>>
>>>             // UB.
>>>             //let pz: & i32 = & *val.get();
>>>
>>>             // UB.
>>>             //let pz: &mut i32 = &mut *val.get();
>>>
>>>             // Okay.
>>>             //let pz: *const i32 = &raw const *val.get();
>>>
>>>             // Okay.
>>>             let pz: *mut i32 = &raw mut *val.get();
>>>
>>>             let px: *mut i32 = x.get();
>>>             let py: *mut i32 = y.get();
>>>
>>>             *px = 0;
>>>             *py += 42;
>>>             *px += 24;
>>>
>>>             println!("x, y, z: {}, {}, {}", *px, *py, *pz);
>>>         }
>>>     }
>>>
>>> It makes sense that the Rust "raw pointers" `*const i32` and `*mut
>>> i32` are fine here, and that taking Rust "references" `& i32` and
>>> `&mut i32` causes UB, since Rust "references" have aliasing rules that
>>> must be followed.
>>
>> So it depends on what exactly you do, since if you just uncomment one of
>> the "UB" lines, the variable never gets used and thus no actual UB
>> happens. But if you were to do this:
> 
> I did actually test it against MIRI with only one line commented in at
> a time, and the UB lines did give UB according to MIRI, I did not
> explain that.

I do not get UB when I comment out any of the commented lines. Can you
share the output of MIRI?

---
Cheers,
Benno

> It feels a lot like juggling with very sharp knives, but
> I already knew that, because the Rust community generally does a great
> job of warning people against unsafe. MIRI is very good, but it cannot
> catch everything, so it cannot be relied upon in general. And MIRI
> shares some of the advantages and disadvantages of sanitizers for C.
> 
> Best, VJ.
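
Added example, not part of either participant's message: a small Rust program that repeats the quoted write sequence using only raw pointers from `UnsafeCell::get`, then shows a `&mut i32` confined to a scope in which nothing else touches the value. The function names are made up for illustration.

```rust
use std::cell::UnsafeCell;

/// Same write sequence as the quoted program, using only raw pointers
/// obtained through two shared references to one UnsafeCell.
fn raw_pointer_writes() -> (i32, i32) {
    let val: UnsafeCell<i32> = UnsafeCell::new(42);
    let x: &UnsafeCell<i32> = &val;
    let y: &UnsafeCell<i32> = &val;
    let px: *mut i32 = x.get();
    let py: *mut i32 = y.get();
    // Raw pointers carry no aliasing guarantee, so interleaving
    // accesses through px and py on one thread is allowed.
    unsafe {
        *px = 0;
        *py += 42;
        *px += 24;
        (*px, *py)
    }
}

/// A reference derived from the cell is sound as long as no other
/// access to the value happens between its creation and its last use.
fn scoped_reference() -> i32 {
    let val: UnsafeCell<i32> = UnsafeCell::new(42);
    let p: *mut i32 = val.get();
    unsafe {
        *p = 0;
        {
            let r: &mut i32 = &mut *p;
            *r += 42; // last use of r
        }
        *p += 24; // r is never used again, so this write does not conflict
        // The conflicting order would be:
        //     let r: &mut i32 = &mut *p;
        //     *p += 24;  // write through p while r is still going to be used
        //     *r += 42;  // use of r after that write: undefined behavior
        let shared: &i32 = &*p; // read-only view, no writes while it is used
        *shared
    }
}

fn main() {
    let (a, b) = raw_pointer_writes();
    println!("raw pointers: {}, {}", a, b);
    println!("scoped reference: {}", scoped_reference());
}
```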

