Arbitrary Shell Execution through #[link_section]

[JohnHVancouver]

The shell code in init_array is always executed first leading to arbitrary shell execution potentially.

-- Repro removed temporarily

Is there something in Cargo/rustc or a more "Rust" way to detect and prevent these things?

[workingjubilee]

These kinds of things can be filtered via this flotilla of lints: rust-lang/rust#82499

[workingjubilee]

I probably need to redesign the unsafe detection, there was an alternate design that used a shell-game around building the code without the #[pg_extern] annotation, which would allow straightforward usage of #[forbid(unsafe_code)] and a few other lints, as a verification step, and then rebuilding the code with it (and with less lints), and then skipped using geiger.

[workingjubilee]

The naive solution might be to just scan for #[ and error during parsing the code, but I'm not familiar with how Rust interprets Attributes, it seems something like works as well.

To address this part of your question more directly: Rust is very, very lax about whitespace in most cases where a logical segment in the parse could be interpreted as existing.

[jbrindle]

What lints can we add to Cargo.toml to validate that they will actually catch this behavior?

[workingjubilee]

It involves restructuring the build a bit to let us do a "dry run" pre-build and then do it "for real", as mentioned. I am working on that PR.

[workingjubilee]

I have a draft branch for this that successfully catches this specific example, but it is still technically possible to get #[link_section] without #[no_mangle] by, unless using a higher rustc version than 1.61.0, so I will polish it up and submit it next week but it will contain an ignored test unless we also have consensus on raising MSRV.

[workingjubilee]

TODO:

• Test for #[no_mangle]
  • ...passes
  • ...on main
• Test for #[link_section]
  • ...passes
  • ...on main