New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsound implementation of transmute_vec_as_bytes
in fyrox-core
#630
Comments
We also considered that |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, we are researchers from SunLab. We consider the safe function
transmute_vec_as_bytes
includes the unsound implementation.transmute_vec_as_bytes
Fyrox/fyrox-core/src/lib.rs
Lines 325 to 331 in 3b03ea7
When casting type to
u8
slice, we also need to make sure whether the type won't contain padding bytes. Otherwise, it could lead to uninitialized memory access or break the reliability of program. Based on the usages of the function, we consider the generic typeT
should also implementPod
trait.PoC
In the program above, we passed the
struct
that might contain padding bytes as the generic typeT
. First, when we run with miri, we can get the following results:In the library, we found that this function uses
Vec
as input as internal usages, which will not trigger the bug. However, since this function is provided as public safe API, we should consider the constraints on the generic typeT
. (It is required also because the function name istransmute_"vec"_as_bytes
:)The consequence of UB
We could find that the results of
fv
break the reliability of program under different environment.Compiled with
x86_64
, the results would be:While compiled with
x86
, the results would be:Take the following usages for example,
Fyrox/fyrox-impl/src/scene/terrain/mod.rs
Lines 101 to 112 in 25a2296
The
Texture
built on thisbytes
could have different results...The text was updated successfully, but these errors were encountered: