
SGX's std::env::args function is not thread-safe #64304

Closed
@KamilaBorowska

Description


The args method is defined as follows.

pub fn args() -> Args {
    let args = unsafe { (ARGS.load(Ordering::Relaxed) as *const ArgsStore).as_ref() };
    if let Some(args) = args {
        Args(args.iter())
    } else {
        Args([].iter())
    }
}

The clean-up function is defined as follows:

pub unsafe fn cleanup() {
    let args = ARGS.swap(0, Ordering::Relaxed);
    if args != 0 {
        drop(Box::<ArgsStore>::from_raw(args as _))
    }
}

It is possible for another thread to use std::env::args() while the main thread quits, and access already-freed memory, assuming the following sequence of events.

// Secondary thread
let args = unsafe { (ARGS.load(Ordering::Relaxed) as *const ArgsStore).as_ref() };
// Main thread
{
    let args = ARGS.swap(0, Ordering::Relaxed);
    if args != 0 {
        drop(Box::<ArgsStore>::from_raw(args as _))
    }
}
// Secondary thread
if let Some(args) = args {
    Args(args.iter())
}

This issue has been assigned to @Goirad via this comment.
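As an added example (not code from the issue or from the Rust standard library), the same load/swap lifecycle modelled with a sound ownership scheme: readers take an owned `Arc` snapshot under a lock, so `cleanup` can only drop its own reference and never frees memory a concurrent reader still holds. `SharedArgs`, `race` and the sample argument list are assumptions of this example.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

// Stand-in for the store behind std::env::args in the issue (name is ours).
type ArgsStore = Vec<String>;

/// Replacement for the raw pointer + AtomicPtr pattern: the store lives behind
/// an Arc, and the global slot is guarded by a Mutex.
pub struct SharedArgs(Mutex<Option<Arc<ArgsStore>>>);

impl SharedArgs {
    pub fn new(args: Vec<String>) -> Self {
        SharedArgs(Mutex::new(Some(Arc::new(args))))
    }

    /// Equivalent of `args()`: clone the Arc while holding the lock, so the
    /// allocation stays alive for as long as the caller keeps the snapshot.
    pub fn args(&self) -> Arc<ArgsStore> {
        self.0.lock().unwrap().clone().unwrap_or_default()
    }

    /// Equivalent of `cleanup()`: only the global reference is dropped;
    /// the Vec is freed when the last outstanding snapshot goes away.
    pub fn cleanup(&self) -> bool {
        self.0.lock().unwrap().take().is_some()
    }
}

/// Race `n_readers` reader threads against cleanup. Every reader observes
/// either the full (constructed) argument list or an empty one, never a
/// dangling view; returns (full_reads, empty_reads).
pub fn race(n_readers: usize) -> (usize, usize) {
    let shared = Arc::new(SharedArgs::new(vec!["enclave".into(), "--flag".into()]));
    let readers: Vec<_> = (0..n_readers)
        .map(|_| {
            let s = Arc::clone(&shared);
            thread::spawn(move || s.args().len())
        })
        .collect();
    shared.cleanup();
    let (mut full, mut empty) = (0, 0);
    for h in readers {
        match h.join().unwrap() {
            2 => full += 1,
            0 => empty += 1,
            n => panic!("torn read of {} args", n),
        }
    }
    (full, empty)
}
```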

Metadata

Labels

C-bug: Category: This is a bug.
I-unsound: Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
T-libs-api: Relevant to the library API team, which will review and decide on the PR/issue.
