Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulkan: Avoid undefined behaviour with adversarial debug label #6257

Merged
merged 2 commits into from
Sep 12, 2024
Merged

Vulkan: Avoid undefined behaviour with adversarial debug label #6257

merged 2 commits into from
Sep 12, 2024

Conversation

DJMcNab
Copy link
Contributor

@DJMcNab DJMcNab commented Sep 12, 2024
edited
Loading

Connections

This method was first added in #1471
There was no discussion at the time about this use of unsafe, and the original code in gfx-hal does not have this unsoundness.

Description
In Rust, it is valid for an &str to contain an interior nul byte.
However, the Vulkan debug object name code uses CStr::from_bytes_with_nul_unchecked with a user-provided &str, on which as far as I can see there is no additional validation.

This is technically an unsoundness fix, but I don't think it's a significant security issue, and so would not recommend backporting this fix.

The tradeoff I have chosen to make in the case of an interior nul-byte is to truncate to that byte.
Alternatives include:

  • Replacing it with another ascii byte (0?)
  • Panicking

It's also not clear to me why set_object_name is unsafe, as there are no provided preconditions.
I guessed at some, but would be happier just removing the unsafe marker entirely.

Testing
This change is untested.

Checklist

  • Run cargo fmt.
  • Run cargo clippy
  • Run cargo xtask test to run tests. (Same behaviour as on main of crashing my editor)
  • Add change to CHANGELOG.md. See simple instructions inside file.

@DJMcNab DJMcNab requested a review from a team as a code owner September 12, 2024 08:44
nical
nical reviewed Sep 12, 2024
View reviewed changes
Copy link
Contributor

@nical nical left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wow, thanks for catching that. I think that we have to add the trailing null byte here, since the string comes from the wgpu API which expects regular rust strings.

@DJMcNab
Copy link
Contributor Author

DJMcNab commented Sep 12, 2024

I don't understand what you're asking me to change? The code above this line already adds a nul byte - this line of code just doesn't take into account the possibility that there's already an extant nul byte.

@nical
Copy link
Contributor

nical commented Sep 12, 2024

Oh sorry I skimmed over this too quickly. You are right, the fix makes sense. Thanks!

@nical nical merged commit c2e0ad2 into gfx-rs:trunk Sep 12, 2024
25 checks passed
@DJMcNab DJMcNab deleted the name_null branch September 12, 2024 13:07
ErichDonGubler added a commit to erichdongubler-mozilla/wgpu that referenced this pull request Oct 25, 2024
@ErichDonGubler
docs(CHANGELOG): change gfx-rs#6257 entry to match PR title
2029691
ErichDonGubler added a commit to erichdongubler-mozilla/wgpu that referenced this pull request Oct 29, 2024
@ErichDonGubler
docs(CHANGELOG): change gfx-rs#6257 entry to match PR title
151d262
ErichDonGubler added a commit to erichdongubler-mozilla/wgpu that referenced this pull request Oct 30, 2024
@ErichDonGubler
docs(CHANGELOG): change gfx-rs#6257 entry to match PR title
0c1fbb4
ErichDonGubler added a commit that referenced this pull request Oct 30, 2024
@ErichDonGubler
docs(CHANGELOG): change #6257 entry to match PR title
14ea19a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nical nical nical approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DJMcNab @nical