some panic safety issues that cause double free in unwind branch #1

cchanging · 2021-04-21T03:09:43Z

Hi there, we detected a few potential panic safety issues in this library.
double free will appear mainly caused by panic happened between Box::from_raw and std::mem::forget.
example as follows:

rose-tools/rose-lib-ffi/src/zms.rs

Lines 18 to 28 in 11fc557

    
           pub unsafe extern "C" fn mesh_read(mesh: *mut Mesh, path: *const libc::c_char) -> bool { 
        
               let mut zms = Box::from_raw(mesh); 
        
               let path_str = CStr::from_ptr(path).to_str().unwrap_or_default(); 
        
               let p = PathBuf::from(path_str); 
        
               let res = zms.read_from_path(&p).is_ok(); 
        
               std::mem::forget(zms); 
        
               res 
        
           }

When panic occurs in let res = zms.read_from_path(&p).is_ok(); or the other codes between Box::from_raw and std::mem::forget , the zms will be dropped in unwinding and make the mesh an empty pointer, which will cause double-free bug in the upper function.
You can use mem:ManuallyDrop::new(Box::from_raw(mesh)) instead to avoid this problem.
This type of bug is difficult to detect with test cases, but it does pose a security risk.

The text was updated successfully, but these errors were encountered:

cchanging changed the title ~~some panic safety issues that caused double free in unwind branch~~ some panic safety issues that cause double free in unwind branch Apr 21, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

some panic safety issues that cause double free in unwind branch #1

some panic safety issues that cause double free in unwind branch #1

cchanging commented Apr 21, 2021

some panic safety issues that cause double free in unwind branch #1

some panic safety issues that cause double free in unwind branch #1

Comments

cchanging commented Apr 21, 2021