Skip to content

Conversation

@ChrisDenton
Copy link
Member

@ChrisDenton ChrisDenton commented Jun 27, 2025

Resolves #143078

Note that we can't make any guarantees if third parties intercept OS functions and don't implement them according to the documentation. However, I think it's practical to attempt mitigations when issues are encountered in the wild and the mitigation itself isn't too invasive.

@rustbot
Copy link
Collaborator

rustbot commented Jun 27, 2025

r? @tgross35

rustbot has assigned @tgross35.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jun 27, 2025
@RalfJung
Copy link
Member

and the mitigation itself isn't too invasive.

Won't this cause extra copies and thus potentially hurt performance?

@ChrisDenton
Copy link
Member Author

Potentially, I guess. Though I'd expect filesystem APIs are almost certainly going to be much slower than a memcpy.

As I mentioned in a comment, the fastest alternative would be to just ensure the empty string is null terminated. The assumption being that, however they're impersonating system APIs, they're at least being internally consistent.

@workingjubilee
Copy link
Member

Shipping a workaround upstream for unsound software means that we are expecting all Rust programmers, not just Firefox, to pay for carrying the weight of unsound ecosystem software that they are not expected to interoperate with. Even if it's just a few bytes of code size we wouldn't need to pay otherwise, I don't think it makes sense.

@workingjubilee
Copy link
Member

You cited us as shipping workarounds before, but the ones I remember were for Microsoft software. Where, yes, we may have done whatever the owners of the platform expected us to do, no matter how inane it may have seemed, because it doesn't matter if whatever is objectively incorrect if the local monarch will hang you(r process) for defiance.

@ChrisDenton
Copy link
Member Author

The one I'm thinking of was for alignment issues with a third party sandbox. This issue was fixed but we do still have the workaround under the assumption that other software may not do alignment properly. I guess it could be removed now but it also might break something.

@workingjubilee
Copy link
Member

Ah.

Yes, open source software that we can see whether it is patched or not still seems like a much different story.

@the8472
Copy link
Member

the8472 commented Jun 27, 2025

Can we set a deadline and make it public?

@rustbot rustbot added the O-windows Operating system: Windows label Jun 27, 2025
@ChrisDenton
Copy link
Member Author

ChrisDenton commented Jun 27, 2025

Ok, I've changed it so that the impact will be minimal. The updated PR just tries to ensure null termination for our own strings and leave it up to the OS to use null termination for strings it owns (where "the OS" in this case includes people emulating OS APIs).

@workingjubilee
Copy link
Member

This seems more tolerable. I have sometimes wondered if maybe core::ffi should export a static BIG_ZERO: u128 = 0;, as pointers to it could reuse it as a sentinel.

/// It is preferable to use `from_slice_with_nul` for our own strings as a
/// mitigation for #143078.
#[derive(Copy, Clone)]
pub struct UnicodeStrRef<'a> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you mention in the docs something about this optionally being nul-terminated but that not being a guarantee? To help explain why the functions aren't unsafe.

Comment on lines 93 to 95
let mut path_str = c::UNICODE_STRING::from_ref(path);
let path_str = UnicodeStrRef::from_slice(path);
let mut object = c::OBJECT_ATTRIBUTES {
ObjectName: &mut path_str,
ObjectName: path_str.as_ptr(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I am understanding things correctly, this change only ensures nul-termination if path is empty but otherwise passes path unchanged? What is the benefit here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the non-empty case the path is always given to us by the OS via directory iteration. So that falls under assuming OS returned strings are OK to use.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't it use from_slice_with_nul then? Or something like from_slice_with_nul_if_nonempty that still redirects the empty slice nul pointer but makes it clear that \0 is otherwise expected.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see what you mean. The slice itself doesn't contain the nul (if any). There may or may not be a nul one beyond the end of the slice but we don't know. The point is we just assume there is if some third party is hooking OS functions and requires strings be null-terminated but otherwise we assume nothing outside of the slice.

We can't really do better than that without being more invasive. The APIs themselves say nothing about null termination.

@tgross35
Copy link
Contributor

I'm thinking maybe we should leave #143078 open once this merges, or make a new issue for eventually stripping this out. The software that will be relying on this seems objectively incorrect, and we have no way of knowing what calls actually need this; or really noticing if the UnicodeStrRef API here winds up used incorrectly (since nul termination isn't an invariant).

I'm on board with @the8472's suggestion that we should document in that issue that we will be reverting this PR in ~6 months or so, so we don't wind up carrying a workaround forever.

@ChrisDenton
Copy link
Member Author

Based on the feedback I decided to simplify this down to a single unicode_str! macro so people don't have to think about what to use where. When creating a UNICODE_STRING just use the macro. It will null-terminate if given a literal &str. If given a &[u16] it will simply use it as-is, which is the best we can do without allocating.

I think this will make it easy for people to do the right thing by default.

Copy link
Contributor

@tgross35 tgross35 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r=me with try passing

@bors2 try jobs=x86_64*msvc*

@rust-bors
Copy link

rust-bors bot commented Jun 30, 2025

Unknown value for argument "jobs".

@tgross35
Copy link
Contributor

@bors2 try jobs=x86_64-msvc*

@rust-bors
Copy link

rust-bors bot commented Jun 30, 2025

⌛ Trying commit 953cf27 with merge 7d56f1e

To cancel the try build, run the command @bors2 try cancel.

rust-bors bot added a commit that referenced this pull request Jun 30, 2025
Workaround for memory unsafety in third party DLLs

Resolves #143078

Note that we can't make any guarantees if third parties intercept OS functions and don't implement them according to the documentation. However, I think it's practical to attempt mitigations when issues are encountered in the wild and the mitigation itself isn't too invasive.

try-job: x86_64-msvc*
@rust-bors
Copy link

rust-bors bot commented Jun 30, 2025

☀️ Try build successful (CI)
Build commit: 7d56f1e (7d56f1e828b126e19dca3b12b228deae87323087, parent: f19142044f270760ce0ebc03b2c3a44217d8703d)

@tgross35
Copy link
Contributor

@bors r+

@bors
Copy link
Collaborator

bors commented Jun 30, 2025

📌 Commit 953cf27 has been approved by tgross35

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jun 30, 2025
bors added a commit that referenced this pull request Jun 30, 2025
Rollup of 14 pull requests

Successful merges:

 - #142429 (`tests/ui`: A New Order [13/N])
 - #142514 (Miri: handling of SNaN inputs in `f*::pow` operations)
 - #143066 (Use let chains in the new solver)
 - #143090 (Workaround for memory unsafety in third party DLLs)
 - #143118 (`tests/ui`: A New Order [15/N])
 - #143159 (Do not freshen `ReError`)
 - #143168 (`tests/ui`: A New Order [16/N])
 - #143176 (fix typos and improve clarity in documentation)
 - #143187 (Add my work email to mailmap)
 - #143190 (Use the `new` method for `BasicBlockData` and `Statement`)
 - #143195 (`tests/ui`: A New Order [17/N])
 - #143196 (Port #[link_section] to the new attribute parsing infrastructure)
 - #143199 (Re-disable `tests/run-make/short-ice` on Windows MSVC again)
 - #143219 (Show auto trait and blanket impls for `!`)

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit a94f0a4 into rust-lang:master Jun 30, 2025
10 checks passed
@rustbot rustbot added this to the 1.90.0 milestone Jun 30, 2025
rust-timer added a commit that referenced this pull request Jun 30, 2025
Rollup merge of #143090 - ChrisDenton:workaround1, r=tgross35

Workaround for memory unsafety in third party DLLs

Resolves #143078

Note that we can't make any guarantees if third parties intercept OS functions and don't implement them according to the documentation. However, I think it's practical to attempt mitigations when issues are encountered in the wild and the mitigation itself isn't too invasive.
github-actions bot pushed a commit to rust-lang/miri that referenced this pull request Jul 1, 2025
Rollup of 14 pull requests

Successful merges:

 - rust-lang/rust#142429 (`tests/ui`: A New Order [13/N])
 - rust-lang/rust#142514 (Miri: handling of SNaN inputs in `f*::pow` operations)
 - rust-lang/rust#143066 (Use let chains in the new solver)
 - rust-lang/rust#143090 (Workaround for memory unsafety in third party DLLs)
 - rust-lang/rust#143118 (`tests/ui`: A New Order [15/N])
 - rust-lang/rust#143159 (Do not freshen `ReError`)
 - rust-lang/rust#143168 (`tests/ui`: A New Order [16/N])
 - rust-lang/rust#143176 (fix typos and improve clarity in documentation)
 - rust-lang/rust#143187 (Add my work email to mailmap)
 - rust-lang/rust#143190 (Use the `new` method for `BasicBlockData` and `Statement`)
 - rust-lang/rust#143195 (`tests/ui`: A New Order [17/N])
 - rust-lang/rust#143196 (Port #[link_section] to the new attribute parsing infrastructure)
 - rust-lang/rust#143199 (Re-disable `tests/run-make/short-ice` on Windows MSVC again)
 - rust-lang/rust#143219 (Show auto trait and blanket impls for `!`)

r? `@ghost`
`@rustbot` modify labels: rollup
Kobzol pushed a commit to Kobzol/stdarch that referenced this pull request Jul 2, 2025
Rollup of 14 pull requests

Successful merges:

 - rust-lang/rust#142429 (`tests/ui`: A New Order [13/N])
 - rust-lang/rust#142514 (Miri: handling of SNaN inputs in `f*::pow` operations)
 - rust-lang/rust#143066 (Use let chains in the new solver)
 - rust-lang/rust#143090 (Workaround for memory unsafety in third party DLLs)
 - rust-lang/rust#143118 (`tests/ui`: A New Order [15/N])
 - rust-lang/rust#143159 (Do not freshen `ReError`)
 - rust-lang/rust#143168 (`tests/ui`: A New Order [16/N])
 - rust-lang/rust#143176 (fix typos and improve clarity in documentation)
 - rust-lang/rust#143187 (Add my work email to mailmap)
 - rust-lang/rust#143190 (Use the `new` method for `BasicBlockData` and `Statement`)
 - rust-lang/rust#143195 (`tests/ui`: A New Order [17/N])
 - rust-lang/rust#143196 (Port #[link_section] to the new attribute parsing infrastructure)
 - rust-lang/rust#143199 (Re-disable `tests/run-make/short-ice` on Windows MSVC again)
 - rust-lang/rust#143219 (Show auto trait and blanket impls for `!`)

r? `@ghost`
`@rustbot` modify labels: rollup
github-actions bot pushed a commit to rust-lang/rustc-dev-guide that referenced this pull request Jul 3, 2025
Rollup of 14 pull requests

Successful merges:

 - rust-lang/rust#142429 (`tests/ui`: A New Order [13/N])
 - rust-lang/rust#142514 (Miri: handling of SNaN inputs in `f*::pow` operations)
 - rust-lang/rust#143066 (Use let chains in the new solver)
 - rust-lang/rust#143090 (Workaround for memory unsafety in third party DLLs)
 - rust-lang/rust#143118 (`tests/ui`: A New Order [15/N])
 - rust-lang/rust#143159 (Do not freshen `ReError`)
 - rust-lang/rust#143168 (`tests/ui`: A New Order [16/N])
 - rust-lang/rust#143176 (fix typos and improve clarity in documentation)
 - rust-lang/rust#143187 (Add my work email to mailmap)
 - rust-lang/rust#143190 (Use the `new` method for `BasicBlockData` and `Statement`)
 - rust-lang/rust#143195 (`tests/ui`: A New Order [17/N])
 - rust-lang/rust#143196 (Port #[link_section] to the new attribute parsing infrastructure)
 - rust-lang/rust#143199 (Re-disable `tests/run-make/short-ice` on Windows MSVC again)
 - rust-lang/rust#143219 (Show auto trait and blanket impls for `!`)

r? `@ghost`
`@rustbot` modify labels: rollup
github-actions bot pushed a commit to model-checking/verify-rust-std that referenced this pull request Jul 4, 2025
Workaround for memory unsafety in third party DLLs

Resolves rust-lang#143078

Note that we can't make any guarantees if third parties intercept OS functions and don't implement them according to the documentation. However, I think it's practical to attempt mitigations when issues are encountered in the wild and the mitigation itself isn't too invasive.
github-actions bot pushed a commit to model-checking/verify-rust-std that referenced this pull request Jul 4, 2025
Rollup of 14 pull requests

Successful merges:

 - rust-lang#142429 (`tests/ui`: A New Order [13/N])
 - rust-lang#142514 (Miri: handling of SNaN inputs in `f*::pow` operations)
 - rust-lang#143066 (Use let chains in the new solver)
 - rust-lang#143090 (Workaround for memory unsafety in third party DLLs)
 - rust-lang#143118 (`tests/ui`: A New Order [15/N])
 - rust-lang#143159 (Do not freshen `ReError`)
 - rust-lang#143168 (`tests/ui`: A New Order [16/N])
 - rust-lang#143176 (fix typos and improve clarity in documentation)
 - rust-lang#143187 (Add my work email to mailmap)
 - rust-lang#143190 (Use the `new` method for `BasicBlockData` and `Statement`)
 - rust-lang#143195 (`tests/ui`: A New Order [17/N])
 - rust-lang#143196 (Port #[link_section] to the new attribute parsing infrastructure)
 - rust-lang#143199 (Re-disable `tests/run-make/short-ice` on Windows MSVC again)
 - rust-lang#143219 (Show auto trait and blanket impls for `!`)

r? `@ghost`
`@rustbot` modify labels: rollup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

O-windows Operating system: Windows S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Third-party hooks to NtOpenFile perform out-of-bounds reads, crashing legitimate Rust programs

7 participants