Closed
Description
Hi, we have found an unsound problem caused by the unsafe call `std::slice::from_raw_parts` in wasmtime/crates/jit-debug/src/perf_jitdump.rs (line 252 in 842fa76, in `pub fn dump_code_load_record(`).

`from_raw_parts` converts the pointer `addr` and the `len` into a slice without validation, and that memory block would be dumped. Thus, the 'safe' function `dump_code_load_record` is actually 'unsafe', since it requires the caller to guarantee that `addr` is valid and `len` must not overflow.
POC

Here follows a simple POC written in safe Rust code.

```rust
use wasmtime_jit_debug::perf_jitdump::JitDumpFile;

fn main() {
    let mut jit_file = JitDumpFile::new("jitdump", 1).unwrap();
    // `str1` is only 2 bytes long, but a length of 1024 is passed, so the
    // record is built from 1022 bytes past the end of the buffer without
    // any `unsafe` appearing in the caller.
    let str1 = "hi";
    let _r = jit_file
        .dump_code_load_record("name", str1.as_ptr() as *const u8, 1024, 2, 3, 4)
        .unwrap();
}
```
Suggestion

There are two possible actions that could be taken:

- Mark the function `dump_code_load_record` as `unsafe` and write its Safety requirement.
- (recommended) Merge the parameters `addr` and `len` into a single parameter `code_buffer: &[u8]`, so the compiler would guarantee the buffer is valid.
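The two options above side by side, as an added illustration that is not part of the issue and not wasmtime's own code: `CodeLoadWriter` is a hypothetical in-memory stand-in for `JitDumpFile`, and its record layout is invented for the example. The raw-pointer entry point keeps the original parameters but is marked `unsafe` with a documented contract, while the slice-taking version needs no `unsafe` at all, and the POC's over-read cannot be expressed against it in safe Rust.

```rust
use std::io::{self, Write};

/// Hypothetical stand-in for a jitdump writer (not wasmtime's JitDumpFile):
/// records are appended to an in-memory buffer instead of a file.
pub struct CodeLoadWriter {
    out: Vec<u8>,
}

impl CodeLoadWriter {
    pub fn new() -> Self {
        CodeLoadWriter { out: Vec::new() }
    }

    /// Option 1: keep the raw-pointer signature but make it `unsafe` and state
    /// the contract that the original safe function silently relied on.
    ///
    /// # Safety
    /// `addr` must point to `len` bytes that are valid for reads for the whole
    /// call, and `addr + len` must not overflow the address space.
    pub unsafe fn dump_code_load_record_raw(
        &mut self,
        method_name: &str,
        addr: *const u8,
        len: usize,
        timestamp: u64,
        pid: u32,
        tid: u32,
    ) -> io::Result<()> {
        // SAFETY: the caller upholds the contract documented above.
        let code = unsafe { std::slice::from_raw_parts(addr, len) };
        self.dump_code_load_record(method_name, code, timestamp, pid, tid)
    }

    /// Option 2 (recommended): take the code as `&[u8]`. The borrow checker now
    /// guarantees that the bytes exist and that the length is correct.
    pub fn dump_code_load_record(
        &mut self,
        method_name: &str,
        code: &[u8],
        timestamp: u64,
        pid: u32,
        tid: u32,
    ) -> io::Result<()> {
        // Invented record layout: fixed-width little-endian header fields,
        // the NUL-terminated method name, then the raw code bytes.
        self.out.write_all(&timestamp.to_le_bytes())?;
        self.out.write_all(&pid.to_le_bytes())?;
        self.out.write_all(&tid.to_le_bytes())?;
        self.out.write_all(&(code.len() as u64).to_le_bytes())?;
        self.out.write_all(method_name.as_bytes())?;
        self.out.write_all(&[0u8])?;
        self.out.write_all(code)?;
        Ok(())
    }

    pub fn bytes(&self) -> &[u8] {
        &self.out
    }
}

/// Bytes one record of the layout above occupies: 8 + 4 + 4 + 8 header bytes,
/// the name, its NUL terminator, and the code itself.
pub fn expected_record_len(method_name: &str, code_len: usize) -> usize {
    8 + 4 + 4 + 8 + method_name.len() + 1 + code_len
}

fn main() -> io::Result<()> {
    let mut w = CodeLoadWriter::new();
    let code = b"hi"; // constructed stand-in for a JIT-compiled function body

    // With the slice API, the POC's `1024` cannot be smuggled in: there is no
    // safe way to build a `&[u8]` longer than the buffer it borrows from.
    w.dump_code_load_record("name", code, 2, 3, 4)?;

    // The raw API remains available for FFI-style callers, but the `unsafe`
    // block and the responsibility it carries now sit with the caller.
    unsafe {
        w.dump_code_load_record_raw("name", code.as_ptr(), code.len(), 2, 3, 4)?;
    }

    println!("{} bytes written", w.bytes().len());
    Ok(())
}
```

Note that the unsafe variant simply delegates to the safe one once it has built the slice, so there is exactly one place where the pointer/length pair is trusted, and that place is marked as such.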