Open
Hi there!
We scanned the most popular libraries on crates.io and found some memory safety bugs in this library.
PoC

```rust
use fixedbitset::FixedBitSet;

fn main() {
    // Start with an empty bitset so `grow(0)` is a no-op after overflow.
    let mut bs = FixedBitSet::new();
    // In release mode, `usize::MAX + 1` wraps to 0, so `grow(0)` won't grow,
    // but `div_rem(usize::MAX, BITS)` yields a huge `blocks` index and
    // `get_unchecked_mut(blocks)` does OOB pointer::add -> UB.
    bs.grow_and_insert(usize::MAX);
    let _ = bs.len();
}
```

Miri Output

```
error: Undefined Behavior: in-bounds pointer arithmetic failed: attempting to offset pointer by 2305843009213693944 bytes, but got 0x10[noalloc] which is a dangling pointer (it has no provenance)
--> /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/fixedbitset/0.5.7/fixedbitset-0.5.7/src/lib.rs:177:15
|
177 | &mut *self.data.as_ptr().cast::<Block>().add(subblock)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
= note: BACKTRACE:
= note: inside `fixedbitset::FixedBitSet::get_unchecked_mut` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/fixedbitset/0.5.7/fixedbitset-0.5.7/src/lib.rs:177:15: 177:63
= note: inside `fixedbitset::FixedBitSet::grow_and_insert` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/fixedbitset/0.5.7/fixedbitset-0.5.7/src/lib.rs:239:14: 239:44
note: inside `main`
--> src/main.rs:14:5
|
14 | bs.grow_and_insert(usize::MAX);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
error: aborting due to 1 previous error
```
We appreciate your work on this crate and hope this report helps improve its safety.
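The following is an added illustration, not fixedbitset's code and not part of the report above. It uses a toy bitset (`ToyBitSet`, `BitSetError`, `wrapping_grow_leaves_index_oob` are names assumed here) that mirrors the grow-then-insert pattern the report describes: `wrapping_grow_leaves_index_oob` reproduces the arithmetic of the failing path (the `bit + 1` grow target wrapping to 0, the grow becoming a no-op, and `bit / BITS` landing outside the allocated blocks) without touching memory, and `grow_and_insert` shows the hardened form, where the length computation uses `checked_add` so an index whose successor overflows is rejected before any block access happens.

```rust
// Added illustration (not fixedbitset's code): a toy bitset that mirrors the
// grow-then-insert pattern from the report and shows why the `bit + 1` length
// computation must be checked before it reaches a block access.

const BITS: usize = usize::BITS as usize; // 64 on 64-bit targets

#[derive(Debug, PartialEq, Eq)]
pub enum BitSetError {
    /// `bit + 1` does not fit in `usize`, so no bitset can hold this bit.
    IndexOverflow,
}

fn div_rem(x: usize, d: usize) -> (usize, usize) {
    (x / d, x % d)
}

/// Number of blocks needed to hold `bits` bits (ceiling division).
fn blocks_for(bits: usize) -> usize {
    let (blocks, rem) = div_rem(bits, BITS);
    blocks + (rem > 0) as usize
}

/// Simulates the wrapping path the report describes: the grow target is
/// `bit.wrapping_add(1)` (what `bit + 1` does in release mode), the bitset
/// starts empty, and the inserted block index is `bit / BITS`. Returns true
/// when that index lies outside the blocks the grow would have allocated,
/// i.e. when an unchecked access at that index would be out of bounds.
/// Pure arithmetic; no memory is touched.
pub fn wrapping_grow_leaves_index_oob(bit: usize) -> bool {
    let target_len = bit.wrapping_add(1);
    // `grow` only allocates when the target exceeds the current length (0).
    let allocated_blocks = if target_len > 0 { blocks_for(target_len) } else { 0 };
    let (block_index, _) = div_rem(bit, BITS);
    block_index >= allocated_blocks
}

pub struct ToyBitSet {
    data: Vec<usize>,
    length: usize,
}

impl ToyBitSet {
    pub fn new() -> Self {
        ToyBitSet { data: Vec::new(), length: 0 }
    }

    pub fn len(&self) -> usize {
        self.length
    }

    pub fn block_count(&self) -> usize {
        self.data.len()
    }

    fn grow(&mut self, bits: usize) {
        if bits > self.length {
            self.data.resize(blocks_for(bits), 0);
            self.length = bits;
        }
    }

    /// Hardened grow-and-insert: `checked_add` rejects an index whose
    /// successor overflows instead of letting it wrap to 0 and skip the grow.
    /// After a successful grow, `bit / BITS < self.data.len()` holds, so
    /// plain (bounds-checked) indexing is enough.
    pub fn grow_and_insert(&mut self, bit: usize) -> Result<(), BitSetError> {
        let needed = bit.checked_add(1).ok_or(BitSetError::IndexOverflow)?;
        self.grow(needed);
        let (block, offset) = div_rem(bit, BITS);
        self.data[block] |= 1usize << offset;
        Ok(())
    }

    pub fn contains(&self, bit: usize) -> bool {
        let (block, offset) = div_rem(bit, BITS);
        self.data.get(block).map_or(false, |b| b & (1usize << offset) != 0)
    }
}

fn main() {
    println!(
        "usize::MAX: wrapped grow leaves block index out of bounds = {}",
        wrapping_grow_leaves_index_oob(usize::MAX)
    );
    let mut bs = ToyBitSet::new();
    println!("grow_and_insert(usize::MAX) = {:?}", bs.grow_and_insert(usize::MAX));
    bs.grow_and_insert(130).unwrap();
    println!("len={} blocks={} contains(130)={}", bs.len(), bs.block_count(), bs.contains(130));
}
```

The simulation function shows the report's reasoning in numbers: for `usize::MAX` the wrapped target length is 0, zero blocks are allocated, and the block index `usize::MAX / 64` is far beyond them, which is exactly the offset Miri refuses to compute above. The hardened `grow_and_insert` turns that case into an `Err` and leaves the bitset untouched; a regression test for this class of bug is simply a call with `usize::MAX` asserting the error and an unchanged length.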