
From: https://www.qualys.com/2020/02/24/cve-2020-8794/lpe-rce-opensmtpd-default-install.txt

LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)

AFAIK, from what I can read of this longer post, it is based on an "out-of-bounds read".

The Big Question: if this code had been written in Rust and not in C, would Rust have prevented the "out-of-bounds read"?

Thanks.

  • As a first try: maybe Rust would have prevented an "out-of-bounds read": https://ancat.github.io/rust/2017/01/21/rust-out-of-bounds.html, but I am not enough of a programmer to be 100% sure. – BenB1992 Mar 02 '20 at 09:55

1 Answer

Most likely Rust would have prevented this.

This

line = line + 4;

is not something we would do in Rust. We rarely use raw pointers directly, preferring more convenient and safer 0-cost wrappers such as slices. In fact raw-pointer arithmetic is so rare, we don't even have operators for it (only methods). Slices are guaranteed to point to valid memory, and are aware of their size, so assuming the developers would have used a &[u8] for line, this would likely become in Rust:

line = &line[4..];

but the indexing operator does bounds checks by default, panicking if the indices are out of bounds. This would prevent the invalid read that follows in the rest of the C code.


Of course this is assuming the developers would have only used safe Rust. If they had deemed this branch important enough to deserve some extra optimizations using which could require unsafe (eg. calling get_unchecked after they had noticed (or assumed!?) that the compiler could not optimize a bound check), the same kinds of problems would exist in Rust as in C.

Rust is only safe by default.

– mcarton
  • *0-cost wrappers* There's no such thing. – Andrew Henle Mar 02 '20 at 10:08
  • @AndrewHenle In a world with optimizing compilers of course there are! – mcarton Mar 02 '20 at 10:14
  • @mcarton and yet in the same world you felt the need to add the caveat about using unsafe code for optimization - doesn't that contradict '0-cost wrappers'? – th33lf Mar 02 '20 at 10:42
  • I don't see a contradiction here. The wrappers are 0-cost, but there is no one wrapper to solve all problems. `unsafe` in Rust is a tool to build such safe wrappers (e.g. a string is nothing but a wrapper for a vector of bytes, but is more convenient to use for string operations. Internally `String` uses some `unsafe` code, but I don't need to care about that as a user.) and 99% of developers should never need to use it because the available types should fit their needs. – mcarton Mar 02 '20 at 11:09
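The answer's `line = &line[4..]` point carried through on SMTP reply lines, as an added Rust example that is not from the question, the answer or OpenSMTPD. It assumes the line is held in a `&[u8]` and that the 4-byte prefix is a three-digit reply code plus `-` or a space; the `Reply` enum and the function names are invented for this illustration, and it also shows the non-panicking `get` form beside the indexing form the answer mentions.

```rust
// Added example, not OpenSMTPD code; names (Reply, strip_status, collect_reply) are invented.

/// Result of stripping the 4-byte reply-code prefix ("250-" / "250 ") from one SMTP line.
#[derive(Debug, PartialEq)]
pub enum Reply<'a> {
    Continued(&'a [u8]), // "XYZ-text": more lines of this reply follow
    Last(&'a [u8]),      // "XYZ text": final line of the reply
    Malformed,           // shorter than 4 bytes or not "3 digits + separator"
}

/// Safe form: every access goes through `get`, which returns `None` instead of
/// reading past the end of the slice, so a 1-3 byte line is rejected, not "advanced by 4".
pub fn strip_status(line: &[u8]) -> Reply<'_> {
    let code_is_digits = line
        .get(..3)
        .map_or(false, |code| code.iter().all(u8::is_ascii_digit));
    if !code_is_digits {
        return Reply::Malformed;
    }
    match (line.get(3), line.get(4..)) {
        (Some(b'-'), Some(rest)) => Reply::Continued(rest),
        (Some(b' '), Some(rest)) => Reply::Last(rest),
        _ => Reply::Malformed, // exactly 3 bytes, or an unknown separator
    }
}

/// The literal `line = &line[4..]` from the answer: indexing is bounds-checked, so a
/// short line panics (caught here) rather than being read out of bounds. Replacing it
/// with `line.get_unchecked(4..)` inside `unsafe` would drop that check: the caveat above.
pub fn strip_status_indexed(line: &[u8]) -> Result<&[u8], ()> {
    std::panic::catch_unwind(move || &line[4..]).map_err(|_| ())
}

/// Accumulate the text of a multi-line reply (e.g. an EHLO response), refusing the
/// whole reply at the first malformed line; `Err(i)` is the index of that line.
pub fn collect_reply<'a>(lines: &[&'a [u8]]) -> Result<Vec<&'a [u8]>, usize> {
    let mut texts = Vec::new();
    for (i, line) in lines.iter().enumerate() {
        match strip_status(*line) {
            Reply::Continued(text) => texts.push(text),
            Reply::Last(text) => {
                texts.push(text);
                return Ok(texts);
            }
            Reply::Malformed => return Err(i),
        }
    }
    Err(lines.len()) // the terminating "XYZ " line never arrived
}
```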