Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsoundness in maybe_add_value #82

Open
lwz23 opened this issue Mar 4, 2025 · 1 comment
Open

Unsoundness in maybe_add_value #82

lwz23 opened this issue Mar 4, 2025 · 1 comment

Comments

@lwz23
Copy link

lwz23 commented Mar 4, 2025

Hello, thank you for your contribution in this project, I an testing our static analysis tool in github's Rust project and I notice the following code:

fn maybe_add_value(
    &mut self,
    parser: &Parser<Chars>,
    code: char,
    value: &[u8],
) -> Result<(), Error> {
    match self.extract_key(parser.stack().top()) {
        ObjectKeyTypes::Id => {
            if code != 's' && self.kb.kp_segments_len() == 1 {
                return Err(
                    Error::Shred(
                        "Expected string for `_id` field, got another type".to_string(),
                    ),
                );
            }
            self.doc_id = Some(unsafe { str::from_utf8_unchecked(value) }.to_string());
            self.kb.pop_object_key();
            self.kb.push_object_key("_id");
            *self.object_keys_indexed.last_mut().unwrap() = true;
            self.add_value(code, value)?;
        }
        ObjectKeyTypes::Key(key) => {
            if key == "type" {
                let is_valid_type = GEOJSON_TYPES
                    .iter()
                    .position(|&tt| tt == unsafe { str::from_utf8_unchecked(value) });
                if is_valid_type.is_some() {
                    self.maybe_geometry += 1;
                }
            }
            self.kb.pop_object_key();
            self.kb.push_object_key(&key);
            *self.object_keys_indexed.last_mut().unwrap() = true;
            self.add_value(code, value)?;
        }
        ObjectKeyTypes::NoKey => {
            self.add_value(code, value)?;
            self.kb.inc_top_array_index();
        }
    }
    Ok(())
}

The unsoundness occurs because:

When processing a JSON with a "type" field containing a number (not a string), the shred function passes floating-point bytes to maybe_add_value with code 'f'.
In maybe_add_value, when it encounters the key "type", it unconditionally uses unsafe { str::from_utf8_unchecked(value) } on those bytes.
Since the bytes come from f.to_le_bytes() for a floating-point number, they aren't valid UTF-8, causing undefined behavior when interpreted as a string.
There are no checks or validations to ensure the bytes form valid UTF-8 before the unsafe operation.

This creates a direct path from user input to a memory safety violation through the add function.

A valid path to call this fn: pub fn add -> pub fn shred -> fn maybe_add_value

POC

fn main() {
    let mut db = Database::new(); // Assuming appropriate constructor
    let mut batch = Batch::new();
    
    // JSON with "type" field containing a number instead of a string
    let json = r#"{"type": 123.456}"#;
    
    // Call the public function leading to undefined behavior
    let result = db.add(json, &mut batch);
    println!("{:?}", result);
}
@vmx
Copy link
Member

vmx commented Mar 4, 2025

Thanks for the detailed bug report. I'll have a look when I find the time (probably not soon).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vmx @lwz23