diff options
| author | Justus Winter <justus@sequoia-pgp.org> | 2019-01-25 13:25:30 +0100 |
|---|---|---|
| committer | Justus Winter <justus@sequoia-pgp.org> | 2019-01-25 14:04:26 +0100 |
| commit | 2a162dcaf165e59b72a24825bdc2e1c627979d23 (patch) | |
| tree | c37e20eb031a33940baa89b2b823169b6553a511 /ffi-macros/src/lib.rs | |
| parent | 118a86b0302b4bb35b1f1bbef50b2a042f239384 (diff) | |
ffi-macros: Protect against use-after-free.
- When we transfer ownership from C to Rust, we move the wrapped
object out of the wrapper, and poison the wrapper.
- This prevents reuse of the wrapper object. When a stale reference
is given to us, we check the tag encoding the type information.
- If the tag field is poisoned, we can produce a more helpful error
message. This is not exact, of course. As soon as the memory is
reused, our tag is overwritten.
Diffstat (limited to 'ffi-macros/src/lib.rs')
| -rw-r--r-- | ffi-macros/src/lib.rs | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/ffi-macros/src/lib.rs b/ffi-macros/src/lib.rs index 0d659687..7bedb0ce 100644 --- a/ffi-macros/src/lib.rs +++ b/ffi-macros/src/lib.rs @@ -309,7 +309,13 @@ fn derive_conversion_functions(st: &mut syn::ItemStruct, _: &str, _: &str, impl #wrapper { fn assert_tag(&self) { if self.1 != #magic_value { - panic!("FFI contract violation: Wrong parameter type"); + if self.1 == 0x5050505050505050 { + panic!( + "FFI contract violation: Use-after-free detected"); + } else { + panic!( + "FFI contract violation: Wrong parameter type"); + } } } } @@ -320,11 +326,21 @@ fn derive_conversion_functions(st: &mut syn::ItemStruct, _: &str, _: &str, if self.is_null() { panic!("FFI contract violation: Parameter is NULL"); } - let wrapper = unsafe { + let mut wrapper = unsafe { Box::from_raw(self) }; wrapper.assert_tag(); - wrapper.0 + let obj = wrapper.0; + + // Poison the wrapper. + unsafe { + // Overwrite with P. + memsec::memset(self as *mut u8, + 0x50, + ::std::mem::size_of::<#wrapper>()) + }; + + obj } } |