Ouroboros Soundness Issue #1707

Merged (1 commit), Jun 12, 2023
51 changes: 51 additions & 0 deletions crates/ouroboros/RUSTSEC-0000-0000.md
@@ -0,0 +1,51 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "ouroboros"
date = "2023-06-11"
url = "https://github.com/joshua-maros/ouroboros/issues/88"
informational = "unsound"

[versions]
patched = []
```

# Ouroboros is Unsound

## Summary

Ouroboros has a soundness problem. A fix was attempted but
unsuccessful, leaving the crate unmaintained. Migrate code to use
[self_cell](https://github.com/Voultapher/self_cell) instead.

## More details:

Currently, Ouroboros works internally by creating a struct where all
uses of 'this are replaced by 'static. However, a recent addition to
Miri checks that references passed to functions are valid during the
entire execution of the function, even when those references are
passed inside a struct. This poses an issue for dropping
self-referencing values, as the reference becomes invalid during the
dropping process. Effectively, since self-referencing structs are
not allowed in vanilla Rust, there is no allowance for dropping data
during a function that has also been given a reference to that data.
There's usually no way to pass a and &a to the same function.

A fix was attempted, where the struct would be turned in to a raw
byte array and only transformed back into the underlying data type
inside each function. This is allowable as a reference can be
created and die over the body of a function, as long as the
reference was created inside the function. However, this is also
not sound if the original struct contains padding. There is no
way to initialize padding bytes to a known value that Miri will
accept, so when it is cast to an array some of the bytes contain
uninitialized values. This is not acceptable (despite the fact
that these bytes are never read) due to the potential for
optimizations that may read from the uninitialized bytes. Besides
which, this fix does not allow for template or constant parameters
as there is no way to check the size of a templated type without
giving specific, concrete values for the template parameters.

The crate at this point is no longer maintained, and previous
users should migrate their code to use
[self_cell](https://github.com/Voultapher/self_cell) instead.
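Review bot: several spans in the "More details" section need backticks so the markdown renders as intended: the bare lifetimes `'this` and `'static` in the first paragraph, and "pass a and &a", which should read "pass `a` and `&a`"; as written, the stray apostrophes and ampersand are easy to misread in the rendered advisory. Minor wording in the same hunk: "turned in to" should be "turned into", "template or constant parameters" would be clearer as "generic or const parameters" in Rust terminology, and the "## More details:" heading should drop its trailing colon to match "## Summary". The `[versions]` table with `patched = []` is correct here, since the body states that no fix exists and the crate is unmaintained.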