IoVec::from_mut_slice and vmsplice are unsound

[kangalio]

trafficstars

IoVec::from_mut_slice uses as_ptr() to get a mutable pointer https://github.com/nix-rust/nix/blob/5cd01a1fd7417ee6e16636443965c0a197ff2843/src/sys/uio.rs#L227-L233

This is unsound, because the pointer from as_ptr must never be written to

The caller must also ensure that the memory the pointer (non-transitively) points to is never written to (except inside an UnsafeCell) using this pointer or any pointer derived from it. If you need to mutate the contents of the slice, use as_mut_ptr.

https://doc.rust-lang.org/std/primitive.slice.html#method.as_ptr

The code should use as_mut_ptr() instead of as_ptr()

This problem may be occuring in other parts of the codebase too:

However, I don't know in which of these places the *mut pointer is actually written to later.

---

vmsplice is unsound too. It takes IoVec<&[u8]> (immutable slice): https://github.com/nix-rust/nix/blob/5cd01a1fd7417ee6e16636443965c0a197ff2843/src/fcntl.rs#L630-L645

However, the vmsplice syscall can write to the given memory:

If fd is opened for reading, the vmsplice() system call fills nr_segs ranges of user memory described by iov from a pipe

https://man7.org/linux/man-pages/man2/vmsplice.2.html

Nix' vmsplice function should probably take IoVec<&mut [u8]> instead

[irgstg]

Hi, I guess IoVec is about to be irrelevant. It seems like #1643 refactors IoVec into IoSlice and IoSliceMut, as discussed in #1637.

[kangalio]

Oh wow, it's more type-safe, exists in the standard library, is stable, and that since 1.36. Awesome!

The vmsplice issue is still there; the argument is still immutable