SGX's std::env::args function is not thread-safe #64304

@sugar700

Description

The args method is defined as follows.

```rust
pub fn args() -> Args {
    let args = unsafe { (ARGS.load(Ordering::Relaxed) as *const ArgsStore).as_ref() };
    if let Some(args) = args {
        Args(args.iter())
    } else {
        Args([].iter())
    }
}
```

The clean-up function is defined as follows:

```rust
pub unsafe fn cleanup() {
    let args = ARGS.swap(0, Ordering::Relaxed);
    if args != 0 {
        drop(Box::<ArgsStore>::from_raw(args as _))
    }
}
```

It is possible for another thread to use `std::env::args()` while the main thread quits, and access already-freed memory, assuming the following sequence of events.

```rust
// Secondary thread
let args = unsafe { (ARGS.load(Ordering::Relaxed) as *const ArgsStore).as_ref() };

// Main thread
{
    let args = ARGS.swap(0, Ordering::Relaxed);
    if args != 0 {
        drop(Box::<ArgsStore>::from_raw(args as _))
    }
}

// Secondary thread
if let Some(args) = args {
    Args(args.iter())
}
```

This issue has been assigned to @Goirad via this comment.
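As an added illustration (not code from rust-lang/rust or from this issue's author), the following stand-alone Rust program replaces the raw-pointer `ARGS` store with a reference-counted one and replays the interleaving from the report: the secondary thread takes its `Args` handle, the main thread runs `cleanup()`, and only then does the secondary thread iterate. The `ArgsSlot` type, its `init` method, `race_after_cleanup`, and the argument values are assumptions made for this example.

```rust
// Added example, not the rust-lang/rust implementation. Names and values here
// (ArgsSlot, init, race_after_cleanup, the argument strings) are assumptions.
use std::ffi::OsString;
use std::sync::{Arc, Mutex};
use std::thread;

/// Stand-in for the SGX `ArgsStore` type: the process's argument list.
type ArgsStore = Vec<OsString>;

/// Shared slot for the argument store. `None` means "not initialised" or
/// "already cleaned up". The mutex is held only while cloning or taking the
/// Arc, never while a caller iterates.
struct ArgsSlot {
    inner: Mutex<Option<Arc<ArgsStore>>>,
}

impl ArgsSlot {
    fn new() -> Self {
        ArgsSlot { inner: Mutex::new(None) }
    }

    /// Publish the argument list (the runtime's initialisation step).
    fn init(&self, args: Vec<OsString>) {
        *self.inner.lock().unwrap() = Some(Arc::new(args));
    }

    /// Counterpart of `std::env::args()`. The returned iterator owns a strong
    /// reference, so "load" and "dereference" are no longer separable steps.
    fn args(&self) -> Args {
        let store = self.inner.lock().unwrap().clone();
        Args { store, pos: 0 }
    }

    /// Counterpart of `cleanup()`: drop only the slot's own reference. Any
    /// iterator still alive keeps the allocation alive until it is dropped.
    fn cleanup(&self) {
        self.inner.lock().unwrap().take();
    }
}

struct Args {
    store: Option<Arc<ArgsStore>>,
    pos: usize,
}

impl Iterator for Args {
    type Item = OsString;
    fn next(&mut self) -> Option<OsString> {
        let store = self.store.as_ref()?;
        let item = store.get(self.pos)?.clone();
        self.pos += 1;
        Some(item)
    }
}

/// Replay the issue's interleaving: secondary thread acquires its handle,
/// main thread cleans up, secondary thread iterates afterwards. With the Arc
/// the arguments are still readable and no freed memory is touched.
fn race_after_cleanup() -> Vec<String> {
    let slot = Arc::new(ArgsSlot::new());
    slot.init(vec![OsString::from("enclave"), OsString::from("--flag")]); // constructed sample

    let (acquired_tx, acquired_rx) = std::sync::mpsc::channel();
    let (go_tx, go_rx) = std::sync::mpsc::channel();
    let worker = {
        let slot = Arc::clone(&slot);
        thread::spawn(move || {
            let it = slot.args();          // step 1: take a strong reference
            acquired_tx.send(()).unwrap(); // tell main the handle exists
            go_rx.recv().unwrap();         // wait until main has run cleanup
            it.map(|s| s.to_string_lossy().into_owned()).collect::<Vec<_>>()
        })
    };
    acquired_rx.recv().unwrap();
    slot.cleanup();                        // step 2: main thread releases its ref
    go_tx.send(()).unwrap();
    worker.join().unwrap()                 // step 3: secondary thread iterates
}

/// After cleanup, a fresh call sees an empty list instead of a dangling pointer.
fn args_after_cleanup() -> usize {
    let slot = ArgsSlot::new();
    slot.init(vec![OsString::from("x")]); // constructed sample
    slot.cleanup();
    slot.args().count()
}

fn main() {
    println!("{:?}", race_after_cleanup());
    println!("{}", args_after_cleanup());
}
```

The fix in the example is the ownership model, not the memory ordering: with a raw pointer, `Relaxed` versus `SeqCst` makes no difference to a reader that has already loaded the address, whereas a strong count taken under the lock guarantees the store outlives every iterator that was handed out.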

Labels

- C-bug: Category: This is a bug.
- I-unsound: Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
- T-libs-api: Relevant to the library API team, which will review and decide on the PR/issue.
