Stream: wg-secure-code

Topic: Is it safe?


Tony Arcieri (Jan 28 2020 at 13:38, on Zulip):

got an unsafe-using PR to zeroize: https://github.com/iqlusioninc/crates/pull/341/files

Tony Arcieri (Jan 28 2020 at 13:38, on Zulip):

at first glance it seems ok

Alex Gaynor (Jan 28 2020 at 13:39, on Zulip):

I think this is technically UB, since it can create a slice of uninitialized memory.

Alex Gaynor (Jan 28 2020 at 13:40, on Zulip):

IIUC, you want https://github.com/rust-lang/rust/pull/68234 which was stabilized yesterday :-)

Tony Arcieri (Jan 28 2020 at 13:49, on Zulip):

It does, but then it immediately uses it for ptr::write_volatile. perhaps there's no need to ever go to a slice to begin with

HeroicKatora (Jan 28 2020 at 13:50, on Zulip):

One possible course to avoid all that manual multiplication and the unsoundness would be to create a [MaybeUninit<T>] slice instead, is MaybeUninit<T>: Zeroize?

HeroicKatora (Jan 28 2020 at 13:54, on Zulip):

And if not, it probably should be.

Tony Arcieri (Jan 28 2020 at 13:57, on Zulip):

perhaps MaybeUninit<Z>: Zeroize where Z: Zeroize

Tony Arcieri (Jan 28 2020 at 13:57, on Zulip):

or more like MaybeUninit<Z>: Zeroize where Z: DefaultIsZeroes

HeroicKatora (Jan 28 2020 at 13:59, on Zulip):

I mean MaybeUninit<Z>: Zeroize without any conditions. MaybeUninit::zeroed() is stable as well.

HeroicKatora (Jan 28 2020 at 13:59, on Zulip):

But of course the bound would be sufficient for this case, you can always relax it later if you feel more comfortable with that course.

Tony Arcieri (Jan 28 2020 at 14:01, on Zulip):

I guess that's an option

Tony Arcieri (Jan 29 2020 at 13:51, on Zulip):

PR updated to work entirely in terms of *mut u8

Tony Arcieri (Jan 29 2020 at 13:51, on Zulip):

I think it looks okay now but...

Tony Arcieri (Jan 29 2020 at 16:16, on Zulip):

I wonder if there's a safer way to implement it...

Tony Arcieri (Jan 30 2020 at 21:35, on Zulip):

heh uhh, what https://github.com/iqlusioninc/crates/pull/341#discussion_r373196098

Tony Arcieri (Jan 30 2020 at 21:59, on Zulip):

aaaand I think we just got further in the weeds :weary:

Tony Arcieri (Jan 30 2020 at 22:14, on Zulip):

I'm failing to see what's "UB" about writing zeros to what is otherwise properly allocated but otherwise uninitialized memory

Tony Arcieri (Jan 30 2020 at 22:15, on Zulip):

and then never reading from it until it's initialized

Tony Arcieri (Jan 30 2020 at 22:33, on Zulip):

It seems like the argument is: given bugs in the Vec API, and hypothetical changes to the Rust compiler, some ill-defined problem could occur

Tony Arcieri (Jan 30 2020 at 22:39, on Zulip):

aah I get it now, it would unsafely expose mem::zeroed to safe Rust via the type parameter

Tony Arcieri (Jan 30 2020 at 22:39, on Zulip):

I hate unsafe

Last update: Jul 02 2020 at 17:55UTC