serde_fressian::wasm::from_ptr should be marked unsafe
ammaraskar opened this issue · 0 comments
ammaraskar commented
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that the `serde_fressian::wasm::from_ptr` function dereferences a raw pointer provided by the user to deserialize:
serde-fressian/src/wasm/mod.rs, lines 76 to 80 in 64e829e
This method should probably be marked `unsafe` so that the user upholds the documented invariant of passing in valid pointers with ownership. Otherwise, this allows a user to cause a memory safety bug using entirely safe Rust code such as the following:
```rust
#![forbid(unsafe_code)]
use serde_fressian::wasm::from_ptr;

fn return_raw_pointer() -> *mut u8 {
    // `array` lives on this function's stack frame; the pointer returned
    // here dangles as soon as the function returns.
    let mut array: [u8; 4] = [0x41, 0x42, 0x43, 0x44];
    array.as_mut_ptr()
}

fn main() {
    let raw_ptr = return_raw_pointer();
    // Safe code can hand the dangling pointer to `from_ptr`, which dereferences it.
    let deserialized: i32 = from_ptr(raw_ptr, 4).unwrap();
    println!("{:x}", deserialized);
    assert!(deserialized == 0x41424344)
}
```
This outputs:
```text
fffff142
thread 'main' panicked at 'assertion failed: deserialized == 0x41424344', src/main.rs:32:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Return code 101
```
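For comparison, here is an added example of the API shape the issue asks for; it is not code from serde_fressian, and the names `from_slice`, `from_ptr`, `into_raw_parts` and `DecodeError` are assumptions. The decoding step is a stand-in (a big-endian `i32`) rather than the real Fressian format; the point is the split between a safe entry point that takes an owned or borrowed buffer and an `unsafe fn` whose `# Safety` section states the pointer-and-ownership contract. Because the pointer-taking function is `unsafe`, a caller compiled with `#![forbid(unsafe_code)]` like the one above cannot reach it at all, and any caller that can must write an `unsafe` block that vouches for the pointer.

```rust
// Added example, not serde_fressian's own code. `from_slice`, `from_ptr`,
// `into_raw_parts` and `DecodeError` are assumed names; the decoder is a
// stand-in for the real deserialization.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    WrongLength(usize),
}

/// Safe entry point: the caller passes a borrowed slice, so the compiler
/// checks validity and lifetime and there is no invariant left to the caller.
pub fn from_slice(bytes: &[u8]) -> Result<i32, DecodeError> {
    let arr = <[u8; 4]>::try_from(bytes).map_err(|_| DecodeError::WrongLength(bytes.len()))?;
    Ok(i32::from_be_bytes(arr))
}

/// Pointer-taking entry point, marked `unsafe` so the contract below is
/// enforced at every call site.
///
/// # Safety
/// `ptr` must point to `len` bytes that were produced by `into_raw_parts`
/// (a `Box<[u8]>` allocation of exactly `len` bytes). Ownership of that
/// allocation transfers to this function; it is freed when the function
/// returns, so the caller must not use or free `ptr` afterwards.
pub unsafe fn from_ptr(ptr: *mut u8, len: usize) -> Result<i32, DecodeError> {
    // Rebuild the owning Box so the allocation is freed exactly once.
    let boxed: Box<[u8]> = Box::from_raw(std::ptr::slice_from_raw_parts_mut(ptr, len));
    from_slice(&boxed)
}

/// Producer side of the contract: hand a buffer over as a (ptr, len) pair,
/// as a host would when passing bytes into a wasm module. `Box<[u8]>` has
/// capacity equal to its length, which is what `from_ptr` relies on.
pub fn into_raw_parts(buf: Vec<u8>) -> (*mut u8, usize) {
    let boxed: Box<[u8]> = buf.into_boxed_slice();
    let len = boxed.len();
    let ptr = Box::into_raw(boxed) as *mut u8;
    (ptr, len)
}

fn main() {
    // Constructed sample input: the same four bytes as the issue's reproducer.
    let (ptr, len) = into_raw_parts(vec![0x41, 0x42, 0x43, 0x44]);
    // The `unsafe` block is the caller's explicit acceptance of the contract.
    let value = unsafe { from_ptr(ptr, len) }.unwrap();
    println!("{:x}", value); // 41424344
    assert_eq!(value, 0x41424344);
}
```

With this shape, the dangling-stack-pointer program from the issue no longer compiles under `#![forbid(unsafe_code)]`, and a reviewer auditing the crate can grep for `unsafe` blocks to find every place a raw pointer crosses the boundary.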