Narrowing conversion
Narrowing conversion
Posted Jul 21, 2021 23:05 UTC (Wed) by tialaramex (subscriber, #21167)Parent article: The Sequoia seq_file vulnerability
This is called an implicit narrowing conversion. Many modern languages outright forbid this, requiring that the programmer *explicitly* choose to perform a narrowing conversion or (perhaps better) even requiring that they explicitly decide what happens when the big thing won't fit in the small thing.
You can imagine that in kernel code, some sort of error, or panic should likely be the choice, if the programmer did not instead decide to approach the problem in a different way to avoid a narrowing conversion. Apparently out-of-box Windows MSVC programs warn if you do an implicit narrowing conversion but alas GCC does not, even under -Wall, although -Wconversion exists.
Since it's the topic du jour, in Rust you can't have implicit narrowing conversion, but it does provide an explicit conversion that can silently lose information in narrowing, programmers might write:
let signedInt = sixtyFourBitNumber as s32;
Whereas perhaps they ought to write:
let signedInt: s32 = sixtyFourBitNumber.try_into().unwrap(); // panic if it doesn't fit
or indeed:
let signedInt: s32 = sixtyFourBitNumber.try_into()? // only compiles if the function we do this in has a suitable error return
let signedInt: s32 = sixtyFourBitNumber.try_into().unwrap_or(SAFE_DEFAULT); // we're confident SAFE_DEFAULT is fine
Posted Jul 22, 2021 0:08 UTC (Thu)
by roc (subscriber, #30627)
[Link] (9 responses)
Posted Jul 22, 2021 0:41 UTC (Thu)
by Gaelan (guest, #145108)
[Link] (5 responses)
Posted Jul 22, 2021 1:21 UTC (Thu)
by roc (subscriber, #30627)
[Link] (3 responses)
I'm not sure what the best way to proceed from here is. One option would be to introduce that trait+method for truncating conversions, and deprecate or ban lossy "as" scalar conversions in a future edition. But obviously a lot of existing code would be affected.
Posted Jul 23, 2021 0:47 UTC (Fri)
by khim (subscriber, #9252)
[Link] (2 responses)
Isn't it something Rust editions are supposed to cover?
Posted Jul 23, 2021 7:50 UTC (Fri)
by Fowl (subscriber, #65667)
[Link] (1 responses)
Posted Jul 23, 2021 9:54 UTC (Fri)
by khim (subscriber, #9252)
[Link]
Not really. In Rust, unlike in C++, editions are supposed to coexist. You can write one crate in Rust 2015, another in Rust 2018, and third in Rust 2021. Sure, if you are actively developing your code then you would probably want to upgrade it, but there are no pressure to do that ASAP.
Posted Jul 23, 2021 16:40 UTC (Fri)
by jezuch (subscriber, #52988)
[Link]
FWIW, AFAICT Rust doesn't have implicit *widening* conversion either. Turns out, it too often turns into a footgun.
Posted Jul 22, 2021 8:30 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
If it is (clearly) changing the length of the storage field - as in between int32 and int64, why not? Only an extreme novice would think that you could stuff an int64 into an int32 and not run at least the risk of truncation. Okay if it's not obvious the target is an int32 then it's a more fuzzy issue.
Cheers,
Posted Jul 22, 2021 9:53 UTC (Thu)
by atnot (subscriber, #124910)
[Link]
Posted Jul 22, 2021 11:56 UTC (Thu)
by roc (subscriber, #30627)
[Link]
Posted Jul 28, 2021 16:33 UTC (Wed)
by sandsmark (guest, #62172)
[Link] (1 responses)
Again proving that the safety of Rust is just a subset of C++ with -Werror -Weverything. :-P
(And I'd say C++ discourages it even more because casting is uglier/more verbose, but people tend to just cast everything just to get rid of warnings/errors so you basically end up with implicit casting anyways.)
Posted Jul 28, 2021 17:07 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link]
Narrowing conversion
Narrowing conversion
Narrowing conversion
> But obviously a lot of existing code would be affected.
Narrowing conversion
Narrowing conversion
Narrowing conversion
Narrowing conversion
Narrowing conversion
Wol
Narrowing conversion
Narrowing conversion
Narrowing conversion
Narrowing conversion