-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Combination of Deserialize and from_str_unchecked() is unsound #43
Comments
Yes, thanks for spotting this! By validating at construction, you mean to do a custom implementation of Deserialize trait which throws an error in case it's not valid utf-8? That seems like a sensible solution to me. |
Yes, that should work. I wonder if it's even worth it, though. It appears that at least none of the published reverse dependencies are using Edit: Not a soundness issue, but I'd also expect successfully deserialized data not to lead to panics. There's one assertion outside and some assertions in |
Thanks for the quick turnaround on v9.0.0. I'll file a separate advisory for this issue (rustsec/advisory-db#671), that can be updated with the solution when available. |
I suggest using This means the original input may be altered, and hence may not be entirely correct, but at least it will not lead to memory safety issues, and does not require changing the API. |
Unfortunately, |
It's probably best to expose it as a |
For a non-breaking change (i.e. keeping Lines 4149 to 4150 in 6993bb5
The less critical issue with the panics still remains. If we're considering breaking changes, just removing Then, if someone actually needs it and requests it, consider reimplementing it for those structs as needed, with careful validation. |
This is the pull request that originally added the feature with some explanation on why it was requested: #18 I agree with @niklasf, a higher level representation would've been more sensible. I can think of a use-case for myself where I would want to persist all CPUID output in order to save the current processor state e.g. before running an experiment. But I do think a better way than having Serialize/Deserialize on invididual data-structures might be to just save cpuid raw registers using a Vec/Map of CpuIdResult bytes and then persisting that... I'll try to look into how hard it is to just return an error on Serialize/Deserialize if data isn't valid utf8. Otherwise removing Serialize/Deserialize is something I would consider too. |
Ah, I should have tried For the validation, a decent approach seems to be to use derive on a private helper struct, rather than implementing everything manually: serde-rs/serde#642 (comment). |
Alright I worked on cpuid today and pushed a more pragmatic fix for this: use |
Would it be possible to get this backported to older versions of raw-cpuid? I'm stuck on version 8.1.2 since this is a transitive dependency in my case and don't have the option to make a major upgrade to 9.x. |
Hi @Voxelot yes, I can backport these changes. |
While writing the safety comments for #40, I noticed that
is not actually true. Using
Deserialize
, types likeVendorInfo
can be constructed with arbitrary content in safe code, but callingstr::from_utf8_unchecked()
with invalid UTF-8 is undefined behavior.Possible fixes are removing
Deserialize
, or validating at construction or right when constructing the str.The text was updated successfully, but these errors were encountered: