The Sequoia seq_file vulnerability
Posted Jul 25, 2021 18:21 UTC (Sun) by tialaramex (subscriber, #21167) In reply to: The Sequoia seq_file vulnerability by geuder
Parent article: The Sequoia seq_file vulnerability
If you would rather overflow checks also happen in production, you can ask for the Rust compiler setting overflow-checks = true in your production builds, as well as in debug builds, where it is the default.
However, that would turn such bugs into a kernel crash, rather than local root. Not really what you want.
Rust also lets you explicitly say what you intend to happen for overflow. For example you can say you want saturating arithmetic (127_i8.saturating_add(1_i8) == 127_i8) or wrapping arithmetic (127_i8.wrapping_add(1_i8) == -128_i8) and now, at last, you've actually expressed your intention and so it's more likely this code might do what you intended rather than crashing or worse.
Ultimately if the programmer did not express any intent, it's difficult to see what a practical general purpose language ought to do.
In WUFFS they get to just reject all programs that don't specify. So if you look at byte A and byte B and you purport that you can add those together A+B and store the result as one byte, the WUFFS compiler rejects that code. You need to spell out constraints so that A and B will be small enough for this to work (WUFFS will check the constraints at runtime and error out if they are not met) OR explain how the addition should saturate or wrap to get one byte out (then WUFFS generates code that does so).
This feels like an appropriate discipline in their situation, but most programmers would chafe badly under those conditions.
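The policies named in the comment above, written out as an added example that is not part of the original post. The enum `Policy` and the functions `grow`, `narrow` and `i8_demo` are names assumed for this illustration, not standard-library API; the `saturating_*`, `wrapping_*`, `checked_*`, `overflowing_*` and `try_from` calls are the real ones.

```rust
// Added example, not from the original comment: each of Rust's explicit
// overflow policies on the same operation. With the Cargo profile setting
// `overflow-checks = true`, a plain `127_i8 + 1` panics; without it the
// result silently wraps, so the methods below are the way to record intent.
use std::convert::TryFrom;

/// Overflow policy for `grow`. The name and the enum are assumptions of this
/// example, not an API from the Rust standard library.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Policy {
    /// Two's-complement wrap-around, like unchecked C arithmetic.
    Wrapping,
    /// Clamp at `usize::MAX`.
    Saturating,
    /// Refuse: `None` when the product does not fit.
    Checked,
}

/// Double a buffer size under the chosen policy. `Checked` is the policy a
/// size computation feeding an allocator should use: the caller must handle
/// `None` instead of allocating a tiny buffer and writing past it.
pub fn grow(size: usize, policy: Policy) -> Option<usize> {
    match policy {
        Policy::Wrapping => Some(size.wrapping_mul(2)),
        Policy::Saturating => Some(size.saturating_mul(2)),
        Policy::Checked => size.checked_mul(2),
    }
}

/// Narrowing a `usize` length into a 32-bit field. `as` would truncate
/// silently; `try_from` reports the values that do not fit.
pub fn narrow(len: usize) -> Result<u32, std::num::TryFromIntError> {
    u32::try_from(len)
}

/// The i8 cases from the comment, plus `checked_add` and `overflowing_add`.
/// Returns (saturating, wrapping, checked, overflowing) for 127 + 1.
pub fn i8_demo() -> (i8, i8, Option<i8>, (i8, bool)) {
    let a = 127_i8;
    (
        a.saturating_add(1),  // 127
        a.wrapping_add(1),    // -128
        a.checked_add(1),     // None
        a.overflowing_add(1), // (-128, true)
    )
}

fn main() {
    println!("i8 127 + 1 under each policy: {:?}", i8_demo());
    let near_max = usize::MAX / 2 + 1; // doubling this overflows usize
    for policy in [Policy::Wrapping, Policy::Saturating, Policy::Checked] {
        println!("grow({}, {:?}) = {:?}", near_max, policy, grow(near_max, policy));
    }
    println!("narrow(usize::MAX) = {:?}", narrow(usize::MAX));
}
```

The point of `grow` is that only the `Checked` arm produces a value the caller cannot quietly misuse: `Wrapping` hands back 0 for a size that should have been rejected, which is exactly the shape of bug that turns a size computation into a heap overwrite, while `Saturating` at least keeps the allocation request honest.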
Posted Aug 6, 2021 9:40 UTC (Fri) by Randakar (guest, #27808)
In lieu of the compiler explicitly rejecting such conversions (which it should) the next best thing is to fail in the most loud and noisy way possible so that this type of bug has a bigger chance to get noticed.
Silently doing unexpected things is almost always worse than an error, even if it crashes the system.