| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJ-ks9n-wGg70+dRj3x4ETYqjTfnnKoPqv9RncHzX_UKAPFHzw@mail.gmail.com>
Date: Wed, 19 Mar 2025 09:40:51 -0400
From: Tamir Duberstein <tamird@...il.com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Danilo Krummrich <dakr@...nel.org>, Andrew Ballance <andrewjballance@...il.com>,
Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 3/4] rust: alloc: refactor `Vec::truncate` using `dec_len`
On Wed, Mar 19, 2025 at 5:53 AM Alice Ryhl <aliceryhl@...gle.com> wrote:
>
> On Tue, Mar 18, 2025 at 04:13:55PM -0400, Tamir Duberstein wrote:
> > Use `checked_sub` to satisfy the safety requirements of `dec_len` and
> > replace nearly the whole body of `truncate` with a call to `dec_len`.
> >
> > Signed-off-by: Tamir Duberstein <tamird@...il.com>
> > ---
> > rust/kernel/alloc/kvec.rs | 29 +++++++++++------------------
> > 1 file changed, 11 insertions(+), 18 deletions(-)
> >
> > diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> > index 97cc5ab11e2a..6f4dc89ef7f8 100644
> > --- a/rust/kernel/alloc/kvec.rs
> > +++ b/rust/kernel/alloc/kvec.rs
> > @@ -489,25 +489,18 @@ pub fn reserve(&mut self, additional: usize, flags: Flags) -> Result<(), AllocEr
> > /// # Ok::<(), Error>(())
> > /// ```
> > pub fn truncate(&mut self, len: usize) {
> > - if len >= self.len() {
> > - return;
> > + match self.len().checked_sub(len) {
> > + None => {}
> > + Some(count) => {
>
> This could be simplified as:
> if let Some(count) = self.len().checked_sub(len) {
> // logic here
> }
>
> or
> let Some(count) = self.len().checked_sub(len) else {
> return;
> }
> // logic here
👍
>
> > + // SAFETY: `count` is `self.len() - len` so it is guaranteed to be less than or
> > + // equal to `self.len()`.
> > + let tail = unsafe { self.dec_len(count) };
> > +
> > + // SAFETY: the contract of `dec_len` guarantees that the elements in `tail` are
> > + // valid elements whose ownership has been transferred to the caller.
> > + unsafe { ptr::drop_in_place(ptr) };
>
> We have a mutable reference to these elements until after the
> `drop_in_place` call, but the elements are invalidated by that call.
> This means that we have a mutable reference to invalid values, which
> violates the invariants for mutable references.
>
> Consider converting to a raw pointer when creating `tail` instead to
> avoid that:
>
> let tail: *mut [T] = unsafe { self.dec_len(count) };
> unsafe { ptr::drop_in_place(ptr) };
👍
Powered by blists - more mailing lists