Merge #1214

bors[bot] · asomers · web-flow · commit 154ff5875c50 · 2020-04-13T13:44:39.000Z
1214: Fix UB in getsockopt r=asomers a=asomers The old code tried to zero-initialize an enum for which 0 is not a valid value. That worked for older compilers, but triggers a panic with Rust 1.44.0. The correct technique is to use mem::MaybeUninit. Fixes #1212 Co-authored-by: Alan Somers <asomers@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Fixed
 
+- Fixed `getsockopt`.  The old code produced UB which triggers a panic with
+  Rust 1.44.0.
+  (#[1214](https://github.com/nix-rust/nix/pull/1214))
+
 - Fixed a bug in nix::unistd that would result in an infinite loop
   when a group or user lookup required a buffer larger than
   16KB. (#[1198](https://github.com/nix-rust/nix/pull/1198))
diff --git a/src/sys/socket/sockopt.rs b/src/sys/socket/sockopt.rs
@@ -3,7 +3,10 @@ use Result;
 use errno::Errno;
 use sys::time::TimeVal;
 use libc::{self, c_int, c_void, socklen_t};
-use std::mem;
+use std::mem::{
+    self,
+    MaybeUninit
+};
 use std::os::unix::io::RawFd;
 use std::ffi::{OsStr, OsString};
 #[cfg(target_family = "unix")]
@@ -84,14 +87,14 @@ macro_rules! getsockopt_impl {
 
             fn get(&self, fd: RawFd) -> Result<$ty> {
                 unsafe {
-                    let mut getter: $getter = Get::blank();
+                    let mut getter: $getter = Get::uninit();
 
                     let res = libc::getsockopt(fd, $level, $flag,
                                                getter.ffi_ptr(),
                                                getter.ffi_len());
                     Errno::result(res)?;
 
-                    Ok(getter.unwrap())
+                    Ok(getter.assume_init())
                 }
             }
         }
@@ -364,16 +367,16 @@ impl<T> SetSockOpt for AlgSetKey<T> where T: AsRef<[u8]> + Clone {
 
 /// Helper trait that describes what is expected from a `GetSockOpt` getter.
 unsafe trait Get<T> {
-    /// Returns an empty value.
-    unsafe fn blank() -> Self;
+    /// Returns an uninitialized value.
+    unsafe fn uninit() -> Self;
     /// Returns a pointer to the stored value. This pointer will be passed to the system's
     /// `getsockopt` call (`man 3p getsockopt`, argument `option_value`).
     fn ffi_ptr(&mut self) -> *mut c_void;
     /// Returns length of the stored value. This pointer will be passed to the system's
     /// `getsockopt` call (`man 3p getsockopt`, argument `option_len`).
     fn ffi_len(&mut self) -> *mut socklen_t;
-    /// Returns the stored value.
-    unsafe fn unwrap(self) -> T;
+    /// Returns the hopefully initialized inner value.
+    unsafe fn assume_init(self) -> T;
 }
 
 /// Helper trait that describes what is expected from a `SetSockOpt` setter.
@@ -391,28 +394,28 @@ unsafe trait Set<'a, T> {
 /// Getter for an arbitrary `struct`.
 struct GetStruct<T> {
     len: socklen_t,
-    val: T,
+    val: MaybeUninit<T>,
 }
 
 unsafe impl<T> Get<T> for GetStruct<T> {
-    unsafe fn blank() -> Self {
+    unsafe fn uninit() -> Self {
         GetStruct {
             len: mem::size_of::<T>() as socklen_t,
-            val: mem::zeroed(),
+            val: MaybeUninit::uninit(),
         }
     }
 
     fn ffi_ptr(&mut self) -> *mut c_void {
-        &mut self.val as *mut T as *mut c_void
+        self.val.as_mut_ptr() as *mut c_void
     }
 
     fn ffi_len(&mut self) -> *mut socklen_t {
         &mut self.len
     }
 
-    unsafe fn unwrap(self) -> T {
+    unsafe fn assume_init(self) -> T {
         assert_eq!(self.len as usize, mem::size_of::<T>(), "invalid getsockopt implementation");
-        self.val
+        self.val.assume_init()
     }
 }
 
@@ -438,28 +441,28 @@ unsafe impl<'a, T> Set<'a, T> for SetStruct<'a, T> {
 /// Getter for a boolean value.
 struct GetBool {
     len: socklen_t,
-    val: c_int,
+    val: MaybeUninit<c_int>,
 }
 
 unsafe impl Get<bool> for GetBool {
-    unsafe fn blank() -> Self {
+    unsafe fn uninit() -> Self {
         GetBool {
             len: mem::size_of::<c_int>() as socklen_t,
-            val: mem::zeroed(),
+            val: MaybeUninit::uninit(),
         }
     }
 
     fn ffi_ptr(&mut self) -> *mut c_void {
-        &mut self.val as *mut c_int as *mut c_void
+        self.val.as_mut_ptr() as *mut c_void
     }
 
     fn ffi_len(&mut self) -> *mut socklen_t {
         &mut self.len
     }
 
-    unsafe fn unwrap(self) -> bool {
+    unsafe fn assume_init(self) -> bool {
         assert_eq!(self.len as usize, mem::size_of::<c_int>(), "invalid getsockopt implementation");
-        self.val != 0
+        self.val.assume_init() != 0
     }
 }
 
@@ -485,28 +488,28 @@ unsafe impl<'a> Set<'a, bool> for SetBool {
 /// Getter for an `u8` value.
 struct GetU8 {
     len: socklen_t,
-    val: u8,
+    val: MaybeUninit<u8>,
 }
 
 unsafe impl Get<u8> for GetU8 {
-    unsafe fn blank() -> Self {
+    unsafe fn uninit() -> Self {
         GetU8 {
             len: mem::size_of::<u8>() as socklen_t,
-            val: mem::zeroed(),
+            val: MaybeUninit::uninit(),
         }
     }
 
     fn ffi_ptr(&mut self) -> *mut c_void {
-        &mut self.val as *mut u8 as *mut c_void
+        self.val.as_mut_ptr() as *mut c_void
     }
 
     fn ffi_len(&mut self) -> *mut socklen_t {
         &mut self.len
     }
 
-    unsafe fn unwrap(self) -> u8 {
+    unsafe fn assume_init(self) -> u8 {
         assert_eq!(self.len as usize, mem::size_of::<u8>(), "invalid getsockopt implementation");
-        self.val as u8
+        self.val.assume_init()
     }
 }
 
@@ -532,28 +535,28 @@ unsafe impl<'a> Set<'a, u8> for SetU8 {
 /// Getter for an `usize` value.
 struct GetUsize {
     len: socklen_t,
-    val: c_int,
+    val: MaybeUninit<c_int>,
 }
 
 unsafe impl Get<usize> for GetUsize {
-    unsafe fn blank() -> Self {
+    unsafe fn uninit() -> Self {
         GetUsize {
             len: mem::size_of::<c_int>() as socklen_t,
-            val: mem::zeroed(),
+            val: MaybeUninit::uninit(),
         }
     }
 
     fn ffi_ptr(&mut self) -> *mut c_void {
-        &mut self.val as *mut c_int as *mut c_void
+        self.val.as_mut_ptr() as *mut c_void
     }
 
     fn ffi_len(&mut self) -> *mut socklen_t {
         &mut self.len
     }
 
-    unsafe fn unwrap(self) -> usize {
+    unsafe fn assume_init(self) -> usize {
         assert_eq!(self.len as usize, mem::size_of::<c_int>(), "invalid getsockopt implementation");
-        self.val as usize
+        self.val.assume_init() as usize
     }
 }
 
@@ -579,27 +582,29 @@ unsafe impl<'a> Set<'a, usize> for SetUsize {
 /// Getter for a `OsString` value.
 struct GetOsString<T: AsMut<[u8]>> {
     len: socklen_t,
-    val: T,
+    val: MaybeUninit<T>,
 }
 
 unsafe impl<T: AsMut<[u8]>> Get<OsString> for GetOsString<T> {
-    unsafe fn blank() -> Self {
+    unsafe fn uninit() -> Self {
         GetOsString {
             len: mem::size_of::<T>() as socklen_t,
-            val: mem::zeroed(),
+            val: MaybeUninit::uninit(),
         }
     }
 
     fn ffi_ptr(&mut self) -> *mut c_void {
-        &mut self.val as *mut T as *mut c_void
+        self.val.as_mut_ptr() as *mut c_void
     }
 
     fn ffi_len(&mut self) -> *mut socklen_t {
         &mut self.len
     }
 
-    unsafe fn unwrap(mut self) -> OsString {
-        OsStr::from_bytes(self.val.as_mut()).to_owned()
+    unsafe fn assume_init(self) -> OsString {
+        let len = self.len as usize;
+        let mut v = self.val.assume_init();
+        OsStr::from_bytes(&v.as_mut()[0..len]).to_owned()
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,10 @@ use Result;`
`3`	`3`	`use errno::Errno;`
`4`	`4`	`use sys::time::TimeVal;`
`5`	`5`	`use libc::{self, c_int, c_void, socklen_t};`
`6`		`-use std::mem;`
	`6`	`+use std::mem::{`
	`7`	`+ self,`
	`8`	`+ MaybeUninit`
	`9`	`+};`
`7`	`10`	`use std::os::unix::io::RawFd;`
`8`	`11`	`use std::ffi::{OsStr, OsString};`
`9`	`12`	`#[cfg(target_family = "unix")]`
`@@ -84,14 +87,14 @@ macro_rules! getsockopt_impl {`
`84`	`87`
`85`	`88`	`fn get(&self, fd: RawFd) -> Result<$ty> {`
`86`	`89`	`unsafe {`
`87`		`- let mut getter: $getter = Get::blank();`
	`90`	`+ let mut getter: $getter = Get::uninit();`
`88`	`91`
`89`	`92`	`let res = libc::getsockopt(fd, $level, $flag,`
`90`	`93`	`getter.ffi_ptr(),`
`91`	`94`	`getter.ffi_len());`
`92`	`95`	`Errno::result(res)?;`
`93`	`96`
`94`		`- Ok(getter.unwrap())`
	`97`	`+ Ok(getter.assume_init())`
`95`	`98`	`}`
`96`	`99`	`}`
`97`	`100`	`}`
`@@ -364,16 +367,16 @@ impl<T> SetSockOpt for AlgSetKey<T> where T: AsRef<[u8]> + Clone {`
`364`	`367`
`365`	`368`	/// Helper trait that describes what is expected from a `GetSockOpt` getter.
`366`	`369`	`unsafe trait Get<T> {`
`367`		`- /// Returns an empty value.`
`368`		`- unsafe fn blank() -> Self;`
	`370`	`+ /// Returns an uninitialized value.`
	`371`	`+ unsafe fn uninit() -> Self;`
`369`	`372`	`/// Returns a pointer to the stored value. This pointer will be passed to the system's`
`370`	`373`	/// `getsockopt` call (`man 3p getsockopt`, argument `option_value`).
`371`	`374`	`fn ffi_ptr(&mut self) -> *mut c_void;`
`372`	`375`	`/// Returns length of the stored value. This pointer will be passed to the system's`
`373`	`376`	/// `getsockopt` call (`man 3p getsockopt`, argument `option_len`).
`374`	`377`	`fn ffi_len(&mut self) -> *mut socklen_t;`
`375`		`- /// Returns the stored value.`
`376`		`- unsafe fn unwrap(self) -> T;`
	`378`	`+ /// Returns the hopefully initialized inner value.`
	`379`	`+ unsafe fn assume_init(self) -> T;`
`377`	`380`	`}`
`378`	`381`
`379`	`382`	/// Helper trait that describes what is expected from a `SetSockOpt` setter.
`@@ -391,28 +394,28 @@ unsafe trait Set<'a, T> {`
`391`	`394`	/// Getter for an arbitrary `struct`.
`392`	`395`	`struct GetStruct<T> {`
`393`	`396`	`len: socklen_t,`
`394`		`- val: T,`
	`397`	`+ val: MaybeUninit<T>,`
`395`	`398`	`}`
`396`	`399`
`397`	`400`	`unsafe impl<T> Get<T> for GetStruct<T> {`
`398`		`- unsafe fn blank() -> Self {`
	`401`	`+ unsafe fn uninit() -> Self {`
`399`	`402`	`GetStruct {`
`400`	`403`	`len: mem::size_of::<T>() as socklen_t,`
`401`		`- val: mem::zeroed(),`
	`404`	`+ val: MaybeUninit::uninit(),`
`402`	`405`	`}`
`403`	`406`	`}`
`404`	`407`
`405`	`408`	`fn ffi_ptr(&mut self) -> *mut c_void {`
`406`		`- &mut self.val as mut T as mut c_void`
	`409`	`+ self.val.as_mut_ptr() as *mut c_void`
`407`	`410`	`}`
`408`	`411`
`409`	`412`	`fn ffi_len(&mut self) -> *mut socklen_t {`
`410`	`413`	`&mut self.len`
`411`	`414`	`}`
`412`	`415`
`413`		`- unsafe fn unwrap(self) -> T {`
	`416`	`+ unsafe fn assume_init(self) -> T {`
`414`	`417`	`assert_eq!(self.len as usize, mem::size_of::<T>(), "invalid getsockopt implementation");`
`415`		`- self.val`
	`418`	`+ self.val.assume_init()`
`416`	`419`	`}`
`417`	`420`	`}`
`418`	`421`
`@@ -438,28 +441,28 @@ unsafe impl<'a, T> Set<'a, T> for SetStruct<'a, T> {`
`438`	`441`	`/// Getter for a boolean value.`
`439`	`442`	`struct GetBool {`
`440`	`443`	`len: socklen_t,`
`441`		`- val: c_int,`
	`444`	`+ val: MaybeUninit<c_int>,`
`442`	`445`	`}`
`443`	`446`
`444`	`447`	`unsafe impl Get<bool> for GetBool {`
`445`		`- unsafe fn blank() -> Self {`
	`448`	`+ unsafe fn uninit() -> Self {`
`446`	`449`	`GetBool {`
`447`	`450`	`len: mem::size_of::<c_int>() as socklen_t,`
`448`		`- val: mem::zeroed(),`
	`451`	`+ val: MaybeUninit::uninit(),`
`449`	`452`	`}`
`450`	`453`	`}`
`451`	`454`
`452`	`455`	`fn ffi_ptr(&mut self) -> *mut c_void {`
`453`		`- &mut self.val as mut c_int as mut c_void`
	`456`	`+ self.val.as_mut_ptr() as *mut c_void`
`454`	`457`	`}`
`455`	`458`
`456`	`459`	`fn ffi_len(&mut self) -> *mut socklen_t {`
`457`	`460`	`&mut self.len`
`458`	`461`	`}`
`459`	`462`
`460`		`- unsafe fn unwrap(self) -> bool {`
	`463`	`+ unsafe fn assume_init(self) -> bool {`
`461`	`464`	`assert_eq!(self.len as usize, mem::size_of::<c_int>(), "invalid getsockopt implementation");`
`462`		`- self.val != 0`
	`465`	`+ self.val.assume_init() != 0`
`463`	`466`	`}`
`464`	`467`	`}`
`465`	`468`
`@@ -485,28 +488,28 @@ unsafe impl<'a> Set<'a, bool> for SetBool {`
`485`	`488`	/// Getter for an `u8` value.
`486`	`489`	`struct GetU8 {`
`487`	`490`	`len: socklen_t,`
`488`		`- val: u8,`
	`491`	`+ val: MaybeUninit<u8>,`
`489`	`492`	`}`
`490`	`493`
`491`	`494`	`unsafe impl Get<u8> for GetU8 {`
`492`		`- unsafe fn blank() -> Self {`
	`495`	`+ unsafe fn uninit() -> Self {`
`493`	`496`	`GetU8 {`
`494`	`497`	`len: mem::size_of::<u8>() as socklen_t,`
`495`		`- val: mem::zeroed(),`
	`498`	`+ val: MaybeUninit::uninit(),`
`496`	`499`	`}`
`497`	`500`	`}`
`498`	`501`
`499`	`502`	`fn ffi_ptr(&mut self) -> *mut c_void {`
`500`		`- &mut self.val as mut u8 as mut c_void`
	`503`	`+ self.val.as_mut_ptr() as *mut c_void`
`501`	`504`	`}`
`502`	`505`
`503`	`506`	`fn ffi_len(&mut self) -> *mut socklen_t {`
`504`	`507`	`&mut self.len`
`505`	`508`	`}`
`506`	`509`
`507`		`- unsafe fn unwrap(self) -> u8 {`
	`510`	`+ unsafe fn assume_init(self) -> u8 {`
`508`	`511`	`assert_eq!(self.len as usize, mem::size_of::<u8>(), "invalid getsockopt implementation");`
`509`		`- self.val as u8`
	`512`	`+ self.val.assume_init()`
`510`	`513`	`}`
`511`	`514`	`}`
`512`	`515`
`@@ -532,28 +535,28 @@ unsafe impl<'a> Set<'a, u8> for SetU8 {`
`532`	`535`	/// Getter for an `usize` value.
`533`	`536`	`struct GetUsize {`
`534`	`537`	`len: socklen_t,`
`535`		`- val: c_int,`
	`538`	`+ val: MaybeUninit<c_int>,`
`536`	`539`	`}`
`537`	`540`
`538`	`541`	`unsafe impl Get<usize> for GetUsize {`
`539`		`- unsafe fn blank() -> Self {`
	`542`	`+ unsafe fn uninit() -> Self {`
`540`	`543`	`GetUsize {`
`541`	`544`	`len: mem::size_of::<c_int>() as socklen_t,`
`542`		`- val: mem::zeroed(),`
	`545`	`+ val: MaybeUninit::uninit(),`
`543`	`546`	`}`
`544`	`547`	`}`
`545`	`548`
`546`	`549`	`fn ffi_ptr(&mut self) -> *mut c_void {`
`547`		`- &mut self.val as mut c_int as mut c_void`
	`550`	`+ self.val.as_mut_ptr() as *mut c_void`
`548`	`551`	`}`
`549`	`552`
`550`	`553`	`fn ffi_len(&mut self) -> *mut socklen_t {`
`551`	`554`	`&mut self.len`
`552`	`555`	`}`
`553`	`556`
`554`		`- unsafe fn unwrap(self) -> usize {`
	`557`	`+ unsafe fn assume_init(self) -> usize {`
`555`	`558`	`assert_eq!(self.len as usize, mem::size_of::<c_int>(), "invalid getsockopt implementation");`
`556`		`- self.val as usize`
	`559`	`+ self.val.assume_init() as usize`
`557`	`560`	`}`
`558`	`561`	`}`
`559`	`562`
`@@ -579,27 +582,29 @@ unsafe impl<'a> Set<'a, usize> for SetUsize {`
`579`	`582`	/// Getter for a `OsString` value.
`580`	`583`	`struct GetOsString<T: AsMut<[u8]>> {`
`581`	`584`	`len: socklen_t,`
`582`		`- val: T,`
	`585`	`+ val: MaybeUninit<T>,`
`583`	`586`	`}`
`584`	`587`
`585`	`588`	`unsafe impl<T: AsMut<[u8]>> Get<OsString> for GetOsString<T> {`
`586`		`- unsafe fn blank() -> Self {`
	`589`	`+ unsafe fn uninit() -> Self {`
`587`	`590`	`GetOsString {`
`588`	`591`	`len: mem::size_of::<T>() as socklen_t,`
`589`		`- val: mem::zeroed(),`
	`592`	`+ val: MaybeUninit::uninit(),`
`590`	`593`	`}`
`591`	`594`	`}`
`592`	`595`
`593`	`596`	`fn ffi_ptr(&mut self) -> *mut c_void {`
`594`		`- &mut self.val as mut T as mut c_void`
	`597`	`+ self.val.as_mut_ptr() as *mut c_void`
`595`	`598`	`}`
`596`	`599`
`597`	`600`	`fn ffi_len(&mut self) -> *mut socklen_t {`
`598`	`601`	`&mut self.len`
`599`	`602`	`}`
`600`	`603`
`601`		`- unsafe fn unwrap(mut self) -> OsString {`
`602`		`- OsStr::from_bytes(self.val.as_mut()).to_owned()`
	`604`	`+ unsafe fn assume_init(self) -> OsString {`
	`605`	`+ let len = self.len as usize;`
	`606`	`+ let mut v = self.val.assume_init();`
	`607`	`+ OsStr::from_bytes(&v.as_mut()[0..len]).to_owned()`
`603`	`608`	`}`
`604`	`609`	`}`
`605`	`610`