Unsound implementation of transmute_vec_as_bytes
in fyrox-core
#630
Labels
good first issue
Good for newcomers
transmute_vec_as_bytes
in fyrox-core
#630
Hi, we are researchers from SunLab. We consider the safe function
transmute_vec_as_bytes
includes the unsound implementation.transmute_vec_as_bytes
Fyrox/fyrox-core/src/lib.rs
Lines 325 to 331 in 3b03ea7
When casting type to
u8
slice, we also need to make sure whether the type won't contain padding bytes. Otherwise, it could lead to uninitialized memory access or break the reliability of program. Based on the usages of the function, we consider the generic typeT
should also implementPod
trait.PoC
In the program above, we passed the
struct
that might contain padding bytes as the generic typeT
. First, when we run with miri, we can get the following results:In the library, we found that this function uses
Vec
as input as internal usages, which will not trigger the bug. However, since this function is provided as public safe API, we should consider the constraints on the generic typeT
. (It is required also because the function name istransmute_"vec"_as_bytes
:)The consequence of UB
We could find that the results of
fv
break the reliability of program under different environment.Compiled with
x86_64
, the results would be:While compiled with
x86
, the results would be:Take the following usages for example,
Fyrox/fyrox-impl/src/scene/terrain/mod.rs
Lines 101 to 112 in 25a2296
The
Texture
built on thisbytes
could have different results...The text was updated successfully, but these errors were encountered: