Remove some unsafe code; fix a soundness hole

joshlf · joshlf · commit c46b513b3859 · 2025-07-11T14:59:13.000-04:00
Replace a number of lines of unsafe code with safe equivalents, some using `zerocopy`. In one instance, fix a soundness hole (#720). Closes #720
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,6 +28,7 @@ exclude = [
 [dependencies]
 cfg-if = "1.0"
 rustc-demangle = "0.1.24"
+zerocopy = { version = "0.8.26", features = ["derive"] }
 
 # Optionally enable the ability to serialize a `Backtrace`, controlled through
 # the `serialize-serde` feature below.
diff --git a/crates/as-if-std/Cargo.toml b/crates/as-if-std/Cargo.toml
@@ -15,6 +15,7 @@ bench = false
 cfg-if = "1.0"
 rustc-demangle = "0.1.21"
 libc = { version = "0.2.156", default-features = false }
+zerocopy = { version = "0.8.26", features = ["derive"] }
 
 [target.'cfg(not(all(windows, target_env = "msvc", not(target_vendor = "uwp"))))'.dependencies]
 miniz_oxide = { version = "0.8", optional = true, default-features = false }
diff --git a/src/backtrace/win32.rs b/src/backtrace/win32.rs
@@ -13,6 +13,8 @@ use super::super::{dbghelp, windows_sys::*};
 use core::ffi::c_void;
 use core::mem;
 
+use zerocopy::{FromBytes, FromZeros};
+
 #[derive(Clone, Copy)]
 pub enum StackFrame {
     New(STACKFRAME_EX),
@@ -92,6 +94,7 @@ impl Frame {
 }
 
 #[repr(C, align(16))] // required by `CONTEXT`, is a FIXME in windows metadata right now
+#[derive(FromBytes)]
 struct MyContext(CONTEXT);
 
 #[inline(always)]
@@ -100,7 +103,7 @@ pub unsafe fn trace(cb: &mut dyn FnMut(&super::Frame) -> bool) {
     let process = GetCurrentProcess();
     let thread = GetCurrentThread();
 
-    let mut context = mem::zeroed::<MyContext>();
+    let mut context = MyContext::new_zeroed();
     RtlCaptureContext(&mut context.0);
 
     // Ensure this process's symbols are initialized
diff --git a/src/backtrace/win64.rs b/src/backtrace/win64.rs
@@ -8,6 +8,7 @@
 
 use super::super::windows_sys::*;
 use core::ffi::c_void;
+use zerocopy::{FromBytes, FromZeros};
 
 #[derive(Clone, Copy)]
 pub struct Frame {
@@ -46,6 +47,7 @@ impl Frame {
     }
 }
 
+#[derive(FromBytes)]
 #[repr(C, align(16))] // required by `CONTEXT`, is a FIXME in windows metadata right now
 struct MyContext(CONTEXT);
 
@@ -80,8 +82,7 @@ pub unsafe fn trace(cb: &mut dyn FnMut(&super::Frame) -> bool) {
     use core::ptr;
 
     // Capture the initial context to start walking from.
-    // FIXME: shouldn't this have a Default impl?
-    let mut context = unsafe { core::mem::zeroed::<MyContext>() };
+    let mut context = MyContext::new_zeroed();
     unsafe { RtlCaptureContext(&mut context.0) };
 
     loop {
diff --git a/src/print/fuchsia.rs b/src/print/fuchsia.rs
@@ -1,7 +1,8 @@
 use core::fmt::{self, Write};
-use core::mem::{size_of, transmute};
+use core::mem::size_of;
 use core::slice::from_raw_parts;
 use libc::c_char;
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout};
 
 unsafe extern "C" {
     // dl_iterate_phdr takes a callback that will receive a dl_phdr_info pointer
@@ -119,6 +120,7 @@ const NT_GNU_BUILD_ID: u32 = 3;
 // Elf_Nhdr represents an ELF note header in the endianness of the target.
 #[allow(non_camel_case_types)]
 #[repr(C)]
+#[derive(FromBytes, IntoBytes, KnownLayout, Immutable)]
 struct Elf_Nhdr {
     n_namesz: u32,
     n_descsz: u32,
@@ -181,15 +183,9 @@ fn take_bytes_align4<'a>(num: usize, bytes: &mut &'a [u8]) -> Option<&'a [u8]> {
 // architectures correctness). The values in the Elf_Nhdr fields might
 // be nonsense but this function ensures no such thing.
 fn take_nhdr<'a>(bytes: &mut &'a [u8]) -> Option<&'a Elf_Nhdr> {
-    if size_of::<Elf_Nhdr>() > bytes.len() {
-        return None;
-    }
-    // This is safe as long as there is enough space and we just confirmed that
-    // in the if statement above so this should not be unsafe.
-    let out = unsafe { transmute::<*const u8, &'a Elf_Nhdr>(bytes.as_ptr()) };
-    // Note that sice_of::<Elf_Nhdr>() is always 4-byte aligned.
-    *bytes = &bytes[size_of::<Elf_Nhdr>()..];
-    Some(out)
+    let (hdr, suffix) = Elf_Nhdr::ref_from_prefix(*bytes).ok()?;
+    *bytes = suffix;
+    Some(hdr)
 }
 
 impl<'a> Iterator for NoteIter<'a> {
diff --git a/src/symbolize/dbghelp.rs b/src/symbolize/dbghelp.rs
@@ -222,9 +222,20 @@ unsafe fn do_resolve(
     get_line_from_addr: impl FnOnce(&mut IMAGEHLP_LINEW64) -> BOOL,
     cb: &mut dyn FnMut(&super::Symbol),
 ) {
-    const SIZE: usize = 2 * MAX_SYM_NAME as usize + mem::size_of::<SYMBOL_INFOW>();
-    let mut data = Aligned8([0u8; SIZE]);
-    let info = unsafe { &mut *data.0.as_mut_ptr().cast::<SYMBOL_INFOW>() };
+    const TRAILER_SIZE: usize = 2 * MAX_SYM_NAME as usize;
+
+    #[repr(C)]
+    #[derive(zerocopy::IntoBytes)]
+    struct Data {
+        symbol_infow: SYMBOL_INFOW,
+        __max_sym_name: [u8; TRAILER_SIZE],
+    }
+
+    let mut data = Aligned8(Data {
+        symbol_infow: zerocopy::transmute!([0u8; size_of::<SYMBOL_INFOW>()]),
+        __max_sym_name: [0u8; TRAILER_SIZE],
+    });
+    let info = &mut data.0.symbol_infow;
     info.MaxNameLen = MAX_SYM_NAME as u32;
     // the struct size in C.  the value is different to
     // `size_of::<SYMBOL_INFOW>() - MAX_SYM_NAME + 1` (== 81)
diff --git a/src/symbolize/gimli/libs_illumos.rs b/src/symbolize/gimli/libs_illumos.rs
@@ -4,7 +4,6 @@ use super::{Library, LibrarySegment};
 use alloc::borrow::ToOwned;
 use alloc::vec::Vec;
 use core::ffi::CStr;
-use core::mem;
 use object::NativeEndian;
 
 #[cfg(target_pointer_width = "64")]
@@ -38,8 +37,8 @@ pub(super) fn native_libraries() -> Vec<Library> {
     let mut libs = Vec::new();
 
     // Request the current link map from the runtime linker:
+    let mut map: *const LinkMap = core::ptr::null();
     let map = unsafe {
-        let mut map: *const LinkMap = mem::zeroed();
         if dlinfo(
             RTLD_SELF,
             RTLD_DI_LINKMAP,
diff --git a/src/windows_sys.rs b/src/windows_sys.rs
@@ -7,6 +7,9 @@
     dead_code,
     clippy::all
 )]
+
+use zerocopy::{FromBytes, Immutable, IntoBytes};
+
 windows_targets::link!("dbghelp.dll" "system" fn EnumerateLoadedModulesW64(hprocess : HANDLE, enumloadedmodulescallback : PENUMLOADED_MODULES_CALLBACKW64, usercontext : *const core::ffi::c_void) -> BOOL);
 windows_targets::link!("dbghelp.dll" "system" fn StackWalk64(machinetype : u32, hprocess : HANDLE, hthread : HANDLE, stackframe : *mut STACKFRAME64, contextrecord : *mut core::ffi::c_void, readmemoryroutine : PREAD_PROCESS_MEMORY_ROUTINE64, functiontableaccessroutine : PFUNCTION_TABLE_ACCESS_ROUTINE64, getmodulebaseroutine : PGET_MODULE_BASE_ROUTINE64, translateaddress : PTRANSLATE_ADDRESS_ROUTINE64) -> BOOL);
 windows_targets::link!("dbghelp.dll" "system" fn StackWalkEx(machinetype : u32, hprocess : HANDLE, hthread : HANDLE, stackframe : *mut STACKFRAME_EX, contextrecord : *mut core::ffi::c_void, readmemoryroutine : PREAD_PROCESS_MEMORY_ROUTINE64, functiontableaccessroutine : PFUNCTION_TABLE_ACCESS_ROUTINE64, getmodulebaseroutine : PGET_MODULE_BASE_ROUTINE64, translateaddress : PTRANSLATE_ADDRESS_ROUTINE64, flags : u32) -> BOOL);
@@ -58,7 +61,7 @@ pub struct ADDRESS64 {
 }
 pub type ADDRESS_MODE = i32;
 #[repr(C)]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub union ARM64_NT_NEON128 {
     pub Anonymous: ARM64_NT_NEON128_0,
     pub D: [f64; 2],
@@ -67,7 +70,7 @@ pub union ARM64_NT_NEON128 {
     pub B: [u8; 16],
 }
 #[repr(C)]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct ARM64_NT_NEON128_0 {
     pub Low: u64,
     pub High: i64,
@@ -76,7 +79,7 @@ pub const AddrModeFlat: ADDRESS_MODE = 3i32;
 pub type BOOL = i32;
 #[repr(C)]
 #[cfg(target_arch = "aarch64")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes)]
 pub struct CONTEXT {
     pub ContextFlags: CONTEXT_FLAGS,
     pub Cpsr: u32,
@@ -93,14 +96,14 @@ pub struct CONTEXT {
 }
 #[repr(C)]
 #[cfg(target_arch = "aarch64")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub union CONTEXT_0 {
     pub Anonymous: CONTEXT_0_0,
     pub X: [u64; 31],
 }
 #[repr(C)]
 #[cfg(target_arch = "aarch64")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct CONTEXT_0_0 {
     pub X0: u64,
     pub X1: u64,
@@ -136,7 +139,7 @@ pub struct CONTEXT_0_0 {
 }
 #[repr(C)]
 #[cfg(any(target_arch = "arm64ec", target_arch = "x86_64"))]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes)]
 pub struct CONTEXT {
     pub P1Home: u64,
     pub P2Home: u64,
@@ -187,14 +190,14 @@ pub struct CONTEXT {
 }
 #[repr(C)]
 #[cfg(any(target_arch = "arm64ec", target_arch = "x86_64"))]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub union CONTEXT_0 {
     pub FltSave: XSAVE_FORMAT,
     pub Anonymous: CONTEXT_0_0,
 }
 #[repr(C)]
 #[cfg(any(target_arch = "arm64ec", target_arch = "x86_64"))]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct CONTEXT_0_0 {
     pub Header: [M128A; 2],
     pub Legacy: [M128A; 8],
@@ -217,7 +220,7 @@ pub struct CONTEXT_0_0 {
 }
 #[repr(C)]
 #[cfg(target_arch = "x86")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes)]
 pub struct CONTEXT {
     pub ContextFlags: CONTEXT_FLAGS,
     pub Dr0: u32,
@@ -292,7 +295,7 @@ pub struct FLOATING_SAVE_AREA {
 }
 #[repr(C)]
 #[cfg(target_arch = "x86")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes)]
 pub struct FLOATING_SAVE_AREA {
     pub ControlWord: u32,
     pub StatusWord: u32,
@@ -466,7 +469,7 @@ pub struct KNONVOLATILE_CONTEXT_POINTERS {
     pub Dummy: u32,
 }
 #[repr(C)]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct M128A {
     pub Low: u64,
     pub High: i64,
@@ -563,7 +566,7 @@ pub struct STACKFRAME_EX {
     pub InlineFrameContext: u32,
 }
 #[repr(C)]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, IntoBytes)]
 pub struct SYMBOL_INFOW {
     pub SizeOfStruct: u32,
     pub TypeIndex: u32,
@@ -572,6 +575,7 @@ pub struct SYMBOL_INFOW {
     pub Size: u32,
     pub ModBase: u64,
     pub Flags: SYMBOL_INFO_FLAGS,
+    __padding0: [u8; 4],
     pub Value: u64,
     pub Address: u64,
     pub Register: u32,
@@ -580,6 +584,7 @@ pub struct SYMBOL_INFOW {
     pub NameLen: u32,
     pub MaxNameLen: u32,
     pub Name: [u16; 1],
+    __padding1: [u8; 2],
 }
 pub type SYMBOL_INFO_FLAGS = u32;
 pub const SYMOPT_DEFERRED_LOADS: u32 = 4u32;
@@ -623,7 +628,7 @@ pub type WAIT_EVENT = u32;
     target_arch = "arm64ec",
     target_arch = "x86_64"
 ))]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct XSAVE_FORMAT {
     pub ControlWord: u16,
     pub StatusWord: u16,
@@ -644,7 +649,7 @@ pub struct XSAVE_FORMAT {
 }
 #[repr(C)]
 #[cfg(target_arch = "x86")]
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, FromBytes, Immutable)]
 pub struct XSAVE_FORMAT {
     pub ControlWord: u16,
     pub StatusWord: u16,
