Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cortex_m::singleton attribute forwarding is unsound in some cases #538

Open
jamesmunns opened this issue Jun 19, 2024 · 5 comments
Open
Labels
I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness

Comments

@jamesmunns
Copy link
Member

If you use link_section to put a singleton in an uninit section, the "has been taken" boolean is also in uninit memory at startup. We read this value which is uninitialized.

$(#[$meta])*
static mut $name: (::core::mem::MaybeUninit<$ty>, bool) =
(::core::mem::MaybeUninit::uninit(), false);

We could potentially put the bool in a separate static that is in the "normal" .bss section, but we'd have to document this.

CC @jordens and #522

@jordens
Copy link
Contributor

jordens commented Jun 19, 2024

And it's especially bad for a bool being the prime example of not just uninit but even init with the wrong value causing UB.

@jamesmunns
Copy link
Member Author

(fwiw, "link_section" is always an easy way to cause unsoundness in safe code, as with basically any direction you give to the linker, but it FEELS like this is an unexpected outcome rather than an intended one, which we should probably fix and document, or at least document if we say "you can totally use this with link_section".)

@newAM newAM added the I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness label Jun 30, 2024
@jannic
Copy link
Member

jannic commented Sep 16, 2024

Related: It looks like link_section is going to become officially unsafe. rust-lang/rust#129566

Of course, as using link_section is very useful and sometimes necessary in embedded contexts, we still should provide documentation on how to use it correctly.

@usbalbin
Copy link

usbalbin commented Dec 9, 2024

What if the bool was split out to its own static which ignores the link_section things? Then the bool is guaranteed to be valid while the data part is free to be uninit in its wonky linker section

@jordens
Copy link
Contributor

jordens commented Dec 9, 2024

That was also my plan.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
Projects
None yet
Development

No branches or pull requests

5 participants