longbridgeapp/rust-i18n

AtomicStr is unsound, causes use-after-free

Closed this issue · 1 comments

Minimal example:

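```rust
use std::thread::spawn;

use rust_i18n::{set_locale, t};

rust_i18n::i18n!("locales", fallback = "en");

fn main() {
    set_locale("fr");
    // Writer thread: replaces the global locale string in a tight loop.
    let writer = spawn(|| {
        let mut i = 0u32;
        loop {
            i = i.wrapping_add(1);
            if i % 2 == 0 {
                set_locale(&format!("en-{i}"));
            } else {
                set_locale(&format!("fr-{i}"));
            }
        }
    });
    // Reader thread: each t!() call reads the current locale while it is being replaced.
    let reader = spawn(|| {
        loop {
            t!("hello");
        }
    });
    // Keep main alive so the two threads keep racing instead of exiting at once.
    writer.join().unwrap();
    reader.join().unwrap();
}
```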

```console
$ cargo r -r
malloc(): unaligned fastbin chunk detected
Aborted
```

```console
$ cargo +nightly miri r
error: Undefined Behavior: not granting access to tag <108954> because that would remove [Unique for <111597>] which is strongly protected because it is an argument of call 53836
   --> /home/kijewski/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/non_null.rs:399:18
    |
399 |         unsafe { &*self.as_ptr().cast_const() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ not granting access to tag <108954> because that would remove [Unique for <111597>] which is strongly protected because it is an argument of call 53836
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
```

I reported the bug to rustsec/advisory-db#1855 because your otherwise great crate is widely used.
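
A sound way to hold a string that one thread replaces while another reads it, shown as an added example that is not part of the original issue and is not rust-i18n's code or its fix. `LocaleCell` and `stress` are hypothetical names; only the standard library is used, and the workload mirrors the reproducer above.

```rust
use std::sync::{Arc, RwLock};
use std::thread;

/// Hypothetical shared "current locale" cell (not rust-i18n's type).
/// Readers receive their own `Arc<str>` handle, so a concurrent `set`
/// can never free the buffer a reader is still using.
pub struct LocaleCell(RwLock<Arc<str>>);

impl LocaleCell {
    pub fn new(value: &str) -> Self {
        Self(RwLock::new(Arc::from(value)))
    }
    /// Swap in a new value; the old buffer is freed only when its last reader drops it.
    pub fn set(&self, value: &str) {
        *self.0.write().unwrap_or_else(|e| e.into_inner()) = Arc::from(value);
    }
    /// Refcount bump under the read lock; no borrowed pointer escapes the lock.
    pub fn get(&self) -> Arc<str> {
        let guard = self.0.read().unwrap_or_else(|e| e.into_inner());
        Arc::clone(&*guard)
    }
}

/// One writer alternating locales, one reader, as in the reproducer.
/// Returns how many reads saw an unexpected value (expected: 0).
pub fn stress(iterations: u32) -> usize {
    let cell = Arc::new(LocaleCell::new("fr"));
    let w = Arc::clone(&cell);
    let writer = thread::spawn(move || {
        for i in 1..=iterations {
            let lang = if i % 2 == 0 { "en" } else { "fr" };
            w.set(&format!("{lang}-{i}"));
        }
    });
    let r = Arc::clone(&cell);
    let reader = thread::spawn(move || {
        (0..iterations).filter(|_| {
            let v = r.get();
            !(&*v == "fr" || v.starts_with("en-") || v.starts_with("fr-"))
        }).count()
    });
    writer.join().unwrap();
    reader.join().unwrap()
}

fn main() {
    println!("bad reads: {}", stress(100_000));
}
```

Running this under `cargo +nightly miri r` with a smaller iteration count is a quick check that the pattern stays free of undefined behavior.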