Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

&'s T&'static T in safe code (UAF) #132186

Closed
rucsesec opened this issue Oct 26, 2024 · 3 comments
Closed

&'s T&'static T in safe code (UAF) #132186

rucsesec opened this issue Oct 26, 2024 · 3 comments
Labels
C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-types Relevant to the types team, which will review and decide on the PR/issue.

Comments

@rucsesec
Copy link

I tried this code:

fn static_str_identity()
  -> for<'s> fn(&'s str) -> (
        [&'static &'s (); 0],
        &'static str,
    )
{
    |s: &str| (
        [],
        s,
    )
}

fn main()
{
    let f = static_str_identity();
    let local = String::from("123");
    let s: &'static str = f(&local).1; // <- should be rejected!
    drop(local);
    let _unrelated = String::from("UAF!");
    dbg!(s); // <- compiles and prints `"UAF!"`
}

I expected to see this happen: argument requires that s is borrowed for 'static

Instead, this happened: code compiles successfully and the excution potentially triggers Use-After-Free on the String local.

rogram returned: 0
Program stderr
[/app/example.rs:21:5] s = "UAF!"

This seems very much like a Use-After-Free issue, and it's quite likely related to the compiler.It can be reproduced in the latest version of the Rust compiler.

rustc --version --verbose:

rustc 1.84.0-nightly (c1db4dc24 2024-10-25)

note: This issue appears to be different from #114936, which was related to the Fn* Trait and was fixed in version 1.78; whereas this problem can still trigger a vulnerability in the latest version.
@rucsesec rucsesec added the C-bug Category: This is a bug. label Oct 26, 2024
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Oct 26, 2024
@Noratrieb Noratrieb added T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-types Relevant to the types team, which will review and decide on the PR/issue. and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Oct 26, 2024
@rustbot rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Oct 26, 2024
@compiler-errors
Copy link
Member

compiler-errors commented Oct 26, 2024
edited
Loading

This is just another instance of #25860.

Subtyping when storing the return value of static_str_identity() causes us to "cast away" implied bounds of the output type of the function. This allows us to turn the signature from ([&'static &'s (); 0], &'static str) to ([&'first &'s (); 0], &'second str), for two other arbitrary existential regions 'first and 'second, with only the requirement that 'static: 'first and 'static: 'second.

Then later, when we check that the signature is well-formed at the call-site (f(&local)), we only require that 's: 'first due to the well-formedness of the [&'first &'s (); 0] argument, but don't do anything for the 'second region. That allows us to later constrain 'second: 'static without actually "linking" it to 's, which is the lifetime of the local string we're passing in.

@fmease fmease changed the title &'s T → &'static T in safe code (UAF) &'s T&'static T in safe code (UAF) Oct 26, 2024
@apiraino
Copy link
Contributor

For additional context, T-types is aware of this issue and the current status is summarized at this comment.

@rustbot label -I-prioritize

@rustbot rustbot removed the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Oct 30, 2024
@lcnr
Copy link
Contributor

lcnr commented Jan 8, 2025

Closing in favor of #25860 which we're slowly working towards. Thank you for finding and reporting this issue 👍

@lcnr lcnr closed this as completed Jan 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-types Relevant to the types team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@compiler-errors @apiraino @lcnr @rustbot @Noratrieb @rucsesec