Skip to content

fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk#153813

Open
TKanX wants to merge 1 commit into
rust-lang:mainfrom
TKanX:bugfix/153803-filter-next-chunk-ub
Open

fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk#153813
TKanX wants to merge 1 commit into
rust-lang:mainfrom
TKanX:bugfix/153803-filter-next-chunk-ub

Conversation

@TKanX

@TKanX TKanX commented Mar 13, 2026

Copy link
Copy Markdown
Contributor

Summary:

2 unsoundness bugs in next_chunk_dropless / FilterMap::next_chunk: (1) N=0 triggers an out-of-bounds unsafe write before any bounds check; (2) a safe try_for_each can legally ignore ControlFlow::Break, writing past the array end.

Relates #98326

This fix is simple add defensive checks. If any better way please let me know.

Would it be better to panic in the case of a buggy try_for_each?
@KyleDavidE

Fix: add an if N == 0 early return, and panic! when idx >= N inside the closure.

Closes #153803

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Mar 13, 2026
@TKanX TKanX changed the title fix(iter): Fix unsoundness in Filter/FilterMap::next_chunk fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk Mar 13, 2026
@TKanX TKanX marked this pull request as ready for review March 13, 2026 09:53
@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Mar 13, 2026
@rustbot

rustbot commented Mar 13, 2026

Copy link
Copy Markdown
Collaborator

r? @scottmcm

rustbot has assigned @scottmcm.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @scottmcm, libs
  • @scottmcm, libs expanded to 8 candidates
  • Random selection from Mark-Simulacrum, joboet, scottmcm

@rustbot

This comment has been minimized.

@KyleDavidE

Copy link
Copy Markdown

Would it be better to panic in the case of a buggy try_for_each?

@bend-n

bend-n commented Mar 13, 2026

Copy link
Copy Markdown
Contributor

you could also write a "manual" try_for_each instead, with a try { } block and a for loop

@TKanX TKanX marked this pull request as draft March 13, 2026 19:36
@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 13, 2026
@TKanX

TKanX commented Mar 13, 2026

Copy link
Copy Markdown
Contributor Author

Would it be better to panic in the case of a buggy try_for_each?

Yes!

@TKanX TKanX force-pushed the bugfix/153803-filter-next-chunk-ub branch 2 times, most recently from 674a6cd to 088a316 Compare March 13, 2026 20:26
@TKanX

TKanX commented Mar 13, 2026

Copy link
Copy Markdown
Contributor Author

@KyleDavidE Thanks!

@TKanX TKanX marked this pull request as ready for review March 13, 2026 20:36
@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Mar 13, 2026
@KyleDavidE

Copy link
Copy Markdown

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

@TKanX

TKanX commented Mar 13, 2026

Copy link
Copy Markdown
Contributor Author

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

Does this approach still hold when the Iterator impl is unsafe?

@rust-log-analyzer

This comment has been minimized.

@KyleDavidE

Copy link
Copy Markdown

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

Does this approach still hold when the Iterator impl is unsafe?

I'm pretty sure. https://doc.rust-lang.org/std/mem/fn.conjure_zst.html

Conjuring a zst in a way that breaks library invarents is not allowed.

…hunk`

Co-authored-by: Kyle Ehrlich <4015993+KyleDavidE@users.noreply.github.com>
@TKanX TKanX force-pushed the bugfix/153803-filter-next-chunk-ub branch from 088a316 to eacacdc Compare March 13, 2026 22:26
@scottmcm

Copy link
Copy Markdown
Member

r? @the8472

@rustbot rustbot assigned the8472 and unassigned scottmcm Mar 18, 2026
@rust-bors

rust-bors Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

☔ The latest upstream changes (presumably #158676) made this pull request unmergeable. Please resolve the merge conflicts by rebasing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Buffer overrun in Filter::next_chunk / FilterMap::next_chunk

7 participants