Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use deref target in Pin trait implementations #67039

Merged
merged 4 commits into from
Dec 10, 2019
Merged

Use deref target in Pin trait implementations #67039

merged 4 commits into from
Dec 10, 2019

Conversation

KamilaBorowska
Copy link
Contributor

Using deref target instead of pointer itself avoids providing access to &Rc<T> for malicious implementations, which would allow calling Rc::get_mut.

This is a breaking change necessary due to unsoundness, however the impact of it should be minimal.

This only fixes the issue with malicious PartialEq implementations, other Pin soundness issues are still here.

See https://internals.rust-lang.org/t/unsoundness-in-pin/11311/73 for more details.

@rust-highfive
Copy link
Collaborator

r? @joshtriplett

(rust_highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Dec 4, 2019
@jonas-schievink jonas-schievink added I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. labels Dec 4, 2019
@jonas-schievink
Copy link
Contributor

Should we crater this?

@bors try

@bors
Copy link
Contributor

bors commented Dec 4, 2019

⌛ Trying commit e537bf8 with merge 70e8b7b...

bors added a commit that referenced this pull request Dec 4, 2019
@bors
Auto merge of #67039 - xfix:manually-implement-pin-traits, r=<try>
70e8b7b 
Use deref target in Pin trait implementations

Using deref target instead of pointer itself avoids providing access to `&Rc<T>` for malicious implementations, which would allow calling `Rc::get_mut`.

This is a breaking change necessary due to unsoundness, however the impact of it should be minimal.

This only fixes the issue with malicious `PartialEq` implementations, other `Pin` soundness issues are still here.

See <https://internals.rust-lang.org/t/unsoundness-in-pin/11311/73> for more details.
@bors
Copy link
Contributor

bors commented Dec 5, 2019

☀️ Try build successful - checks-azure
Build commit: 70e8b7b (70e8b7bf8f1daf01a5793147964b5d1eb7f32585)

@est31 est31 mentioned this pull request Dec 5, 2019
Closed
@mark-i-m
Copy link
Member

mark-i-m commented Dec 5, 2019

cc @RalfJung @comex @withoutboats

@comex
Copy link
Contributor

comex commented Dec 5, 2019

Seems good to me. I’d be interested to see crater results.

RalfJung
RalfJung reviewed Dec 5, 2019
View reviewed changes
src/libcore/pin.rs Outdated Show resolved Hide resolved
RalfJung
RalfJung reviewed Dec 5, 2019
View reviewed changes
src/libcore/pin.rs Outdated Show resolved Hide resolved
Centril
Centril reviewed Dec 5, 2019
View reviewed changes
src/libcore/pin.rs Outdated Show resolved Hide resolved
RalfJung
RalfJung reviewed Dec 5, 2019
View reviewed changes
src/libcore/pin.rs Outdated Show resolved Hide resolved
RalfJung
RalfJung reviewed Dec 5, 2019
View reviewed changes
src/libcore/pin.rs Outdated Show resolved Hide resolved
@rust-highfive

This comment has been minimized.

Sign in to view
@Centril
Copy link
Contributor

Centril commented Dec 5, 2019

It would be good to add UI tests to this PR so that we have checks ensuring that the problematic pattern this is meant to catch cannot happen in the future.

@KamilaBorowska KamilaBorowska force-pushed the manually-implement-pin-traits branch 2 times, most recently from 8bee4ff to efaba2d Compare December 5, 2019 12:32
@KamilaBorowska
Copy link
Contributor Author

@Centril Added UI test.

@KamilaBorowska
Use deref target in Pin trait implementations
1cf0db1 
Using deref target instead of pointer itself avoids providing access to
`&Rc<T>` for malicious implementations, which would allow calling
`Rc::get_mut`.

This is a breaking change necessary due to unsoundness, however
the impact of it should be minimal.

This only fixes the issue with malicious `PartialEq` implementations,
other `Pin` soundness issues are still here.

See <https://internals.rust-lang.org/t/unsoundness-in-pin/11311/73>
for more details.
@KamilaBorowska
Document why Pin implementations aren't derived
dfcf764
@KamilaBorowska
Add UI test for Pin PartialEq unsoundness
6996ae1
@KamilaBorowska
Copy link
Contributor Author

Also, made amount of commits a bit smaller by merging some commits together.

@withoutboats
Copy link
Contributor

big +1. these implementations were just unsound and this is the correct way to implement these traits for these types.

@nikomatsakis nikomatsakis self-assigned this Dec 7, 2019
RalfJung
RalfJung approved these changes Dec 8, 2019
View reviewed changes
Copy link
Member

@RalfJung RalfJung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@nikomatsakis
Copy link
Contributor

@bors r+

I'm going to go ahead and r+ this without a crater run. It seems quite unlikely that we'll see any regressions here, and this is a soundness fix.

@bors
Copy link
Contributor

bors commented Dec 9, 2019

📌 Commit 61d9c00 has been approved by nikomatsakis

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 9, 2019
@bors
Copy link
Contributor

bors commented Dec 10, 2019

⌛ Testing commit 61d9c00 with merge 883b6aa...

bors added a commit that referenced this pull request Dec 10, 2019
@bors
Auto merge of #67039 - xfix:manually-implement-pin-traits, r=nikomats…
883b6aa 
…akis

Use deref target in Pin trait implementations

Using deref target instead of pointer itself avoids providing access to `&Rc<T>` for malicious implementations, which would allow calling `Rc::get_mut`.

This is a breaking change necessary due to unsoundness, however the impact of it should be minimal.

This only fixes the issue with malicious `PartialEq` implementations, other `Pin` soundness issues are still here.

See <https://internals.rust-lang.org/t/unsoundness-in-pin/11311/73> for more details.
@bors
Copy link
Contributor

bors commented Dec 10, 2019

☀️ Test successful - checks-azure
Approved by: nikomatsakis
Pushing 883b6aa to master...

@bors bors added the merged-by-bors This PR was explicitly merged by bors. label Dec 10, 2019
@bors bors merged commit 61d9c00 into rust-lang:master Dec 10, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@withoutboats withoutboats withoutboats left review comments

@nikomatsakis nikomatsakis nikomatsakis approved these changes

@RalfJung RalfJung RalfJung approved these changes

@Centril Centril Awaiting requested review from Centril

Assignees

@nikomatsakis nikomatsakis

@joshtriplett joshtriplett

Labels
I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness merged-by-bors This PR was explicitly merged by bors. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.