Unsoundness in fn parse_str_field #170

lwz23 · 2025-03-03T12:16:32Z

Hello, thank you for your contribution in this project, I an testing our static analysis tool in github's Rust project and I notice the following code:

fn parse_str_field(bytes: &[u8]) -> &str {
    unsafe { from_utf8_unchecked(bytes) }
}

I think there is a unsound problem because this function doesn't varify the bytes is valid and pass it to unsafe function form_utf8_unchecked. It will trigger UB. Although it is a private function, I notice a possible way to call this function from a pub function new.

pub fn new -> fn parse_str_field
// 函数: new
pub fn new(fs_image: &'static [u8]) -> InitramFs {
    let mut image = BytesParser::new(fs_image);
    let mut root_files = HashMap::new();
    let mut num_files = 0;
    let mut loaded_size = 0;
    loop {
        let magic = parse_hex_field(image.consume_bytes(6).unwrap());
        if magic != 0x070701 {
            panic!(
                "initramfs: invalid magic (expected {:x}, got {:x})", 0x070701, magic
            );
        }
................................

As the image use fs_image to contruct BytesParser and the parse_hex_field(image.consume_bytes(6).unwrap()); there is no gerentee that fs_image won't contain non-utf8 bytes. So I believe it is unsound.

The text was updated successfully, but these errors were encountered:

lwz23 · 2025-03-03T12:19:14Z

another samilar path is pub fn new -> fn parse_hex_field -> fn parse_str_field. I think a porper solution is add check in fn parse_str_field.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Unsoundness in fn parse_str_field #170

Unsoundness in fn parse_str_field #170

Uh oh!

Unsoundness in fn parse_str_field #170

Unsoundness in fn parse_str_field #170

Comments

Uh oh!