| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87plgrxkg4.fsf@kernel.org>
Date: Fri, 02 May 2025 14:31:55 +0200
From: Andreas Hindborg <a.hindborg@...nel.org>
To: "Alice Ryhl" <aliceryhl@...gle.com>
Cc: "Miguel Ojeda" <ojeda@...nel.org>, "Alex Gaynor"
<alex.gaynor@...il.com>, "Boqun Feng" <boqun.feng@...il.com>, "Gary Guo"
<gary@...yguo.net>, Björn Roy Baron
<bjorn3_gh@...tonmail.com>, "Benno
Lossin" <benno.lossin@...ton.me>, "Trevor Gross" <tmgross@...ch.edu>,
"Danilo Krummrich" <dakr@...nel.org>, "Oliver Mangold"
<oliver.mangold@...me>, <rust-for-linux@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] rust: elaborate safety requirements for
`AlwaysReferenceCounted`
"Alice Ryhl" <aliceryhl@...gle.com> writes:
> On Fri, May 02, 2025 at 01:53:57PM +0200, Andreas Hindborg wrote:
>> Clarify that implementers of `AlwaysReferenceCounted` must prevent the
>> implementer from being directly initialized by users.
>>
>> It is a violation of the safety requirements of `AlwaysReferenceCounted` if
>> its implementers can be initialized on the stack by users. Although this
>> follows from the safety requirements, it is not immediately obvious.
>>
>> The following example demonstrates the issue. Note that the safety
>> requirements for implementing `AlwaysRefCounted` and for calling
>> `ARef::from_raw` are satisfied.
>>
>> struct Empty {}
>>
>> unsafe impl AlwaysRefCounted for Empty {
>> fn inc_ref(&self) {}
>> unsafe fn dec_ref(_obj: NonNull<Self>) {}
>> }
>>
>> fn unsound() -> ARef<Empty> {
>> use core::ptr::NonNull;
>> use kernel::types::{ARef, RefCounted};
>>
>> let mut data = Empty {};
>> let ptr = NonNull::<Empty>::new(&mut data).unwrap();
>> let aref: ARef<Empty> = unsafe { ARef::from_raw(ptr) };
>>
>> aref
>> }
>
> I don't think it's entirely impossible to write an AlwaysRefCounted
> value that can be on the stack. The type just needs a lifetime
> parameter. For example, this API is not unsound:
>
> struct MyDataStorage {
> // ...
> }
>
> impl MyDataStorage {
> fn as_aref(&self) -> ARef<MyData<'_>> {
> unsafe { ARef::from_raw(ptr::from_ref(self).cast()) }
> }
> }
>
> #[repr(transparent)]
> struct MyData<'s> {
> storage: MyDataStorage,
> _lifetime: PhantomData<&'s MyDataStorage>,
> }
>
> unsafe impl AlwaysRefCounted for MyData<'_> {
> fn inc_ref(&self) {}
> unsafe fn dec_ref(_obj: NonNull<Self>) {}
> }
>
> impl Deref for MyData<'_> {
> type Target = MyDataStorage;
> fn deref(&self) -> &MyDataStorage {
> &self.storage
> }
> }
Right. I would rephrase then:
It is a violation of the safety requirements of `AlwaysReferenceCounted`
if its implementers can be initialized on the stack by users and an
`ARef` referencing the object can outlive the object. Although this follows from
the safety requirements, it is not immediately obvious.
and
+/// Note: This means that implementers must prevent users from directly
+/// initializing the implementer when the implementer is `'static`. Otherwise users could
+/// initialize the implementer on
+/// the stack, which would violate the safety requirements.
What do you think?
Best regards,
Andreas Hindborg
Powered by blists - more mailing lists