From 124289b058f0d339a010127067d987b9a90f4137 Mon Sep 17 00:00:00 2001 From: Rafael Date: Wed, 4 Dec 2024 23:00:01 -0500 Subject: [PATCH] Report unsoundness in pprof (#2160) * report unsoundness in pprof * report unsoundness in pprof * report unsoundness in pprof * report unsoundness in pprof --- crates/pprof/RUSTSEC-0000-0000.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 crates/pprof/RUSTSEC-0000-0000.md diff --git a/crates/pprof/RUSTSEC-0000-0000.md b/crates/pprof/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..a997ba779 --- /dev/null +++ b/crates/pprof/RUSTSEC-0000-0000.md @@ -0,0 +1,29 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "pprof" +date = "2024-12-04" +url = "https://github.com/tikv/pprof-rs/issues/232" +references = ["https://github.com/tikv/pprof-rs/pull/255"] +categories = [] +keywords = ["align", "uninitialized"] +informational = "unsound" + +[versions] +patched = [">= 0.14.0"] + +[affected] +functions = {"pprof::report::ReportBuilder::build" = ["< 0.14.0"], "pprof::validate" = ["< 0.14.0"]} +``` + +# Unsound usages of `std::slice::from_raw_parts` + +The library breaks the safety assumptions when using unsafe API `std::slice::from_raw_parts`. First, when using the API in iterator implementation (`TempFdArrayIterator.next`), generic type could be any type, which would create and pass a misaligned pointer to the unsafe API. Second, when validating the address, the code passed the type `c_void`, which could also be any type, leading to potential uninitialized memory exposure. + +Two unsound usages here highlight the necessity for developers to perform type checks before doing type conversion with unsafe API. + +The panic caused by the misalignment causes several downstream applications (e.g., `greptimedb`) to crash when using `pprof::report::ReportBuilder::build`. + +This was patched in 0.14.0. + +The developer also suggested moving to [pprof2](https://crates.io/crates/pprof2).
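Review bot: The `[affected]` table and the description in this hunk do not quite line up, and `categories = []` is left empty even though the text names concrete effects. The description says the second unsound use is in the code that validates an address and passes `c_void`, but the table lists it as the public path `pprof::validate`; please confirm that this is the exact public item path (and that `pprof::report::ReportBuilder::build` is the path callers actually hit), since the `functions` entries are what tooling matches on. Given that the text describes misaligned pointers, potential uninitialized memory exposure and downstream crashes (`greptimedb`), filling in `categories` with the matching entries, or stating why it stays empty, would make the advisory more useful. Two wording nits in the description: "when using unsafe API `std::slice::from_raw_parts`" reads better as "when using the unsafe API `std::slice::from_raw_parts`", and "generic type could be any type" should name the generic, e.g. "the generic type `T` of `TempFdArrayIterator<T>` could be any type", so the reader can see why the pointer may be misaligned for that `T`.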