Restrict MaybeUninit trait impls to fix soundness (#309)

Previously, we implemented `FromZeroes` and `FromBytes` for `MaybeUninit<T>` with no bound on `T`. This resulted in a soundness hole in which `T` - and thus `MaybeUninit<T>` - could contain an `UnsafeCell`, which is a violation of the contracts of `FromZeroes` and `FromBytes`. This is a breaking change, but it's very unlikely to be one that code is currently relying on. In this commit, we publish 0.6.4, and we will yank all preceding 0.6.x versions as soon as 0.6.4 is published. This is a backport of #308
google · Sep 2, 2023 · c33bc31 · c33bc31
1 parent 9bc48cc
commit c33bc31
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,7 +11,7 @@
 [package]
 edition = "2021"
 name = "zerocopy"
-version = "0.6.3"
+version = "0.6.4"
 authors = ["Joshua Liebow-Feeser <joshlf@google.com>"]
 description = "Utilities for zero-copy parsing and serialization"
 license = "BSD-2-Clause"
@@ -38,7 +38,7 @@ simd-nightly = ["simd"]
 __internal_use_only_features_that_work_on_stable = ["alloc", "simd"]
 
 [dependencies]
-zerocopy-derive = { version = "=0.6.3", path = "zerocopy-derive" }
+zerocopy-derive = { version = "=0.6.4", path = "zerocopy-derive" }
 
 [dependencies.byteorder]
 version = "1.3"

diff --git a/src/lib.rs b/src/lib.rs
@@ -869,11 +869,21 @@ safety_comment! {
     //
     /// SAFETY:
     /// - `FromBytes`: `MaybeUninit<T>` has no restrictions on its contents.
+    ///   Unfortunately, in addition to bit validity, `FromZeroes` and
+    ///   `FromBytes` also require that implementers contain no `UnsafeCell`s.
+    ///   Thus, we require `T: FromZeroes` and `T: FromBytes` in order to ensure
+    ///   that `T` - and thus `MaybeUninit<T>` - contains to `UnsafeCell`s.
+    ///   Thus, requiring that `T` implement each of these traits is sufficient
     /// - `Unaligned`: `MaybeUninit<T>` is guaranteed by its documentation [1]
     ///   to have the same alignment as `T`.
     ///
     /// [1] https://doc.rust-lang.org/nightly/core/mem/union.MaybeUninit.html#layout-1
-    unsafe_impl!(T => FromBytes for MaybeUninit<T>);
+    ///
+    /// TODO(https://github.com/google/zerocopy/issues/251): If we split
+    /// `FromBytes` and `RefFromBytes`, or if we introduce a separate
+    /// `NoCell`/`Freeze` trait, we can relax the trait bounds for `FromZeroes`
+    /// and `FromBytes`.
+    unsafe_impl!(T: FromBytes => FromBytes for MaybeUninit<T>);
     unsafe_impl!(T: Unaligned => Unaligned for MaybeUninit<T>);
     assert_unaligned!(MaybeUninit<()>, MaybeUninit<u8>);
 }
@@ -4007,7 +4017,7 @@ mod tests {
         assert_impls!(ManuallyDrop<[NotZerocopy]>: !FromBytes, !AsBytes, !Unaligned);
 
         assert_impls!(MaybeUninit<u8>: FromBytes, Unaligned, !AsBytes);
-        assert_impls!(MaybeUninit<NotZerocopy>: FromBytes, !AsBytes, !Unaligned);
+        assert_impls!(MaybeUninit<NotZerocopy>: !FromBytes, !AsBytes, !Unaligned);
 
         assert_impls!(Wrapping<u8>: FromBytes, AsBytes, Unaligned);
         assert_impls!(Wrapping<NotZerocopy>: !FromBytes, !AsBytes, !Unaligned);

diff --git a/zerocopy-derive/Cargo.toml b/zerocopy-derive/Cargo.toml
@@ -5,7 +5,7 @@
 [package]
 edition = "2021"
 name = "zerocopy-derive"
-version = "0.6.3"
+version = "0.6.4"
 authors = ["Joshua Liebow-Feeser <joshlf@google.com>"]
 description = "Custom derive for traits from the zerocopy crate"
 license = "BSD-2-Clause"