From: sashiko-bot@kernel.org
To: alistair23@gmail.com
Cc: ojeda@kernel.org, linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH v2 02/21] rust: create basic untrusted data API
Date: Tue, 23 Jun 2026 05:09:57 +0000 [thread overview]
Message-ID: <20260623050957.B07F91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260623045406.2589547-3-alistair.francis@wdc.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Invalid pointer cast between `Vec<T, A>` and `Vec<Untrusted<T>, A>` in `Deref` and `DerefMut` implementations leads to undefined behavior, memory corruption, and Use-After-Free.
- [Low] Missing `#[inline]` annotations on small forwarding functions in an abstraction.
- [Low] Incorrect import formatting: `use core::ops::{Deref, DerefMut};` does not follow the vertical import style.
--
commit 5d58092058655501597b482a4a94d2d50da29fc6
Author: Benno Lossin <lossin@kernel.org>
rust: create basic untrusted data API
This commit introduces the `Untrusted<T>` wrapper type to explicitly mark and
validate untrusted external data. It prevents direct usage of untrusted data
in logic decisions while allowing it to be copied back to userspace.
Message-ID: <20250814124424.516191-3-lossin@kernel.org>
diff --git a/rust/kernel/validate.rs b/rust/kernel/validate.rs
new file mode 100644
index 0000000000000..2b28625c25efe
--- /dev/null
+++ b/rust/kernel/validate.rs
[ ... ]
> +use core::ops::{Deref, DerefMut};
[Severity: Low]
This isn't a bug, but the kernel Rust coding guidelines require vertical import
formatting (one import per line). Should this be spread across multiple lines?
> +
> +use crate::{
[ ... ]
> +impl<T: ?Sized> Untrusted<T> {
[ ... ]
> + pub fn new(value: T) -> Self
[Severity: Low]
This isn't a bug, but the kernel Rust coding guidelines require small or
forwarding functions in abstractions to be annotated with `#[inline]`. Should
we add the annotation here?
> + where
> + T: Sized,
> + {
> + Self(value)
> + }
> +}
> +
> +impl<T> Deref for Untrusted<[T]> {
> + type Target = [Untrusted<T>];
> +
> + fn deref(&self) -> &Self::Target {
[Severity: Low]
Similar to `new()`, should this small forwarding function be annotated with
`#[inline]` to match the guidelines?
> + // SAFETY: `Untrusted<T>` transparently wraps `T`.
> + unsafe { cast_slice(&self.0) }
> + }
> +}
> +
> +impl<T> DerefMut for Untrusted<[T]> {
> + fn deref_mut(&mut self) -> &mut Self::Target {
[Severity: Low]
Should this small forwarding function also be annotated with `#[inline]`?
> + // SAFETY: `Untrusted<T>` transparently wraps `T`.
> + unsafe { cast_slice_mut(&mut self.0) }
> + }
> +}
> +
> +impl<T, A: Allocator> Deref for Untrusted<Vec<T, A>> {
> + type Target = Vec<Untrusted<T>, A>;
> +
> + fn deref(&self) -> &Self::Target {
> + let ptr: *const Untrusted<Vec<T, A>> = self;
> + // CAST: `Untrusted<T>` transparently wraps `T`.
> + let ptr: *const Vec<Untrusted<T>, A> = ptr.cast();
> + // SAFETY: `ptr` is derived from the reference `self`.
> + unsafe { &*ptr }
[Severity: High]
Does this pointer cast invoke undefined behavior?
Since `Vec` has `#[repr(Rust)]`, the compiler provides no guarantee that the
field orderings of `Vec<T>` and `Vec<Untrusted<T>>` match. If the layout
differs between these two monomorphizations, could casting the reference result
in memory corruption when accessing the `ptr`, `len`, and `layout` fields?
> + }
> +}
> +
> +impl<T, A: Allocator> DerefMut for Untrusted<Vec<T, A>> {
> + fn deref_mut(&mut self) -> &mut Self::Target {
> + let ptr: *mut Untrusted<Vec<T, A>> = self;
> + // CAST: `Untrusted<T>` transparently wraps `T`.
> + let ptr: *mut Vec<Untrusted<T>, A> = ptr.cast();
> + // SAFETY: `ptr` is derived from the reference `self`.
> + unsafe { &mut *ptr }
[Severity: High]
Similar to `deref()`, does casting a mutable reference between different
instantiations of a `#[repr(Rust)]` type risk memory corruption?
Safe code could call `deref_mut` to obtain `&mut Vec<Untrusted<T>, A>`, extract
ownership via `core::mem::take` (since `Vec` implements `Default`), and then
mutate or drop it. This could process the fields from mismatched offsets and
pass garbage pointers to the allocator.
> + }
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623045406.2589547-1-alistair.francis@wdc.com?part=2
next prev parent reply other threads:[~2026-06-23 5:09 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 4:53 [PATCH v2 00/21] lib: Rust implementation of SPDM alistair23
2026-06-23 4:53 ` [PATCH v2 01/21] rust: transmute: add `cast_slice[_mut]` functions alistair23
2026-06-23 5:05 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 02/21] rust: create basic untrusted data API alistair23
2026-06-23 5:09 ` sashiko-bot [this message]
2026-06-23 4:53 ` [PATCH v2 03/21] rust: validate: add `Validate` trait alistair23
2026-06-23 5:10 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 04/21] X.509: Make certificate parser public alistair23
2026-06-23 5:03 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 05/21] X.509: Parse Subject Alternative Name in certificates alistair23
2026-06-23 5:07 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 06/21] X.509: Move certificate length retrieval into new helper alistair23
2026-06-23 5:02 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 07/21] rust: add bindings for hash.h alistair23
2026-06-23 7:01 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 08/21] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-06-23 5:01 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 09/21] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-06-23 5:09 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 10/21] PCI/TSM: Rename pf0 to host alistair23
2026-06-23 5:12 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 11/21] PCI/TSM: Support connecting to PCIe CMA devices alistair23
2026-06-23 5:16 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 12/21] PCI/CMA: Add a PCI TSM CMA driver using SPDM alistair23
2026-06-23 5:07 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 13/21] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-06-23 5:07 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 14/21] lib: rspdm: Support SPDM get_version alistair23
2026-06-23 5:10 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 15/21] lib: rspdm: Support SPDM get_capabilities alistair23
2026-06-23 5:09 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 16/21] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-06-23 5:17 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 17/21] lib: rspdm: Support SPDM get_digests alistair23
2026-06-23 5:17 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 18/21] lib: rspdm: Support SPDM get_certificate alistair23
2026-06-23 5:20 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 19/21] lib: rspdm: Support SPDM certificate validation alistair23
2026-06-23 5:19 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 20/21] rust: allow extracting the buffer from a CString alistair23
2026-06-23 5:13 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 21/21] lib: rspdm: Support SPDM challenge alistair23
2026-06-23 5:21 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623050957.B07F91F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alistair23@gmail.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox