wasefire icon indicating copy to clipboard operation
wasefire copied to clipboard
verified publisher icon google

Enable unreachable-pub for the interpreter

Open charlesxsh opened this issue 9 months ago • 1 comments

crates/interpreter/src/toctou.rs:111

pub fn get(xs: &[u8], i: usize) -> u8 {
    #[cfg(not(feature = "toctou"))]
    return unsafe { *xs.get_unchecked(i) };
    #[cfg(feature = "toctou")]
    xs[i]
}

pub fn split_at(xs: &[u8], mid: usize) -> (&[u8], &[u8]) {
    #[cfg(not(feature = "toctou"))]
    return unsafe { xs.split_at_unchecked(mid) };
    #[cfg(feature = "toctou")]
    xs.split_at(mid)
}

Functions get and split_atare public and safe, they accept parameters and used in unsafe functions without sufficient checks (when certain feature flag is set up), which might cause memory risks. In Rust, we should not face any security risks when merely using safe function.

charlesxsh avatar May 09 '25 01:05 charlesxsh

Thanks for the issue!

Functions get and split_atare public and safe

Those functions are not really public. The crate doesn't use the unreachable-pub lint yet (it's a TODO). So even though, these functions use pub, they are semantically pub(crate) because they are not re-exposed by src/lib.rs. If you're open to contribute, it would be a good addition to enable this lint and fix all cases. To start, it suffices to remove interpreter from this line:

https://github.com/google/wasefire/blob/e61dec73498a946e76c5eb2cd3d1cbeea40d19b6/scripts/sync.sh#L47

And rerun ./scripts/sync.sh, then run ./test.sh in the crates/interpreter directory and fix all reported cases.

ia0 avatar May 09 '25 06:05 ia0