Hi there!
We scanned the most popular libraries on crates.io and found some memory safety bugs in this library.
PoC
```rust
use tantivy_stacker::{Addr, MemoryArena};

fn main() {
    let arena = MemoryArena::default();
    let forged: Addr = Addr::null_pointer().offset(0x0010_0001);
    let _x: u64 = arena.read::<u64>(forged);
}
```

Miri Output

```
error: Undefined Behavior: `assume` called with `false`
   --> /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/tantivy-stacker/0.6.0/tantivy-stacker-0.6.0/src/memory_arena.rs:141:18
    |
141 |         unsafe { self.pages.get_unchecked(page_id) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: BACKTRACE:
    = note: inside `tantivy_stacker::MemoryArena::get_page` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/tantivy-stacker/0.6.0/tantivy-stacker-0.6.0/src/memory_arena.rs:141:18: 141:51
    = note: inside `tantivy_stacker::MemoryArena::slice` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/tantivy-stacker/0.6.0/tantivy-stacker-0.6.0/src/memory_arena.rs:150:9: 150:38
    = note: inside `tantivy_stacker::MemoryArena::read::<u64>` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/tantivy-stacker/0.6.0/tantivy-stacker-0.6.0/src/memory_arena.rs:137:14: 137:54
note: inside `main`
   --> src/main.rs:15:19
    |
15  |     let _x: u64 = arena.read::<u64>(forged);
    |                   ^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error
```
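For readers following the report, one way a safe read API can reject an address like the forged one instead of indexing unchecked. This is an added example, not code from the issue or from tantivy-stacker: `ToyArena`, `ToyAddr` and the 20-bit page/offset split are hypothetical and assumed for illustration.

```rust
// Added illustration: a toy paged arena, not tantivy-stacker's code.
// Assumed layout: a 32-bit address packs a page id in the high bits and a
// 20-bit in-page offset in the low bits (1 MiB pages).
const PAGE_BITS: u32 = 20;
const PAGE_SIZE: usize = 1 << PAGE_BITS;

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct ToyAddr(pub u32);

impl ToyAddr {
    fn page_id(self) -> usize { (self.0 >> PAGE_BITS) as usize }
    fn offset(self) -> usize { self.0 as usize & (PAGE_SIZE - 1) }
}

pub struct ToyArena { pages: Vec<Vec<u8>> }

impl ToyArena {
    /// A fresh arena holds exactly one zeroed page (page id 0).
    pub fn new() -> Self { ToyArena { pages: vec![vec![0u8; PAGE_SIZE]] } }

    /// Checked write: returns None if the page or byte range does not exist.
    pub fn write_u64(&mut self, addr: ToyAddr, v: u64) -> Option<()> {
        let page = self.pages.get_mut(addr.page_id())?;
        let end = addr.offset().checked_add(8)?;
        page.get_mut(addr.offset()..end)?.copy_from_slice(&v.to_le_bytes());
        Some(())
    }

    /// Checked read: `get` replaces `get_unchecked` for the page lookup, and
    /// the 8-byte range must lie entirely inside that page.
    pub fn read_u64(&self, addr: ToyAddr) -> Option<u64> {
        let page = self.pages.get(addr.page_id())?;
        let end = addr.offset().checked_add(8)?;
        let bytes = page.get(addr.offset()..end)?;
        let mut buf = [0u8; 8];
        buf.copy_from_slice(bytes);
        Some(u64::from_le_bytes(buf))
    }
}

fn main() {
    let mut arena = ToyArena::new();
    arena.write_u64(ToyAddr(16), 0xdead_beef).unwrap();
    println!("valid addr:  {:?}", arena.read_u64(ToyAddr(16)));
    // Same numeric value as the PoC's offset: decodes to page 1, which was never allocated.
    println!("forged addr: {:?}", arena.read_u64(ToyAddr(0x0010_0001)));
}
```

The alternative design keeps the unchecked fast path but marks the read function `unsafe`, so the caller carries the obligation that the address came from the arena's own allocator.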