Skip to content

fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk#153813

Open
TKanX wants to merge 1 commit intorust-lang:mainfrom
TKanX:bugfix/153803-filter-next-chunk-ub
Open

fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk#153813
TKanX wants to merge 1 commit intorust-lang:mainfrom
TKanX:bugfix/153803-filter-next-chunk-ub

Conversation

@TKanX
Copy link
Copy Markdown
Contributor

@TKanX TKanX commented Mar 13, 2026
edited
Loading

Summary:

2 unsoundness bugs in next_chunk_dropless / FilterMap::next_chunk: (1) N=0 triggers an out-of-bounds unsafe write before any bounds check; (2) a safe try_for_each can legally ignore ControlFlow::Break, writing past the array end.

Relates #98326

This fix is simple add defensive checks. If any better way please let me know.

Would it be better to panic in the case of a buggy try_for_each?
@KyleDavidE

Fix: add an if N == 0 early return, and panic! when idx >= N inside the closure.

Closes #153803

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Mar 13, 2026
@TKanX TKanX changed the title fix(iter): Fix unsoundness in Filter/FilterMap::next_chunk fix(iter): Fix Unsoundness in Filter/FilterMap::next_chunk Mar 13, 2026
@TKanX TKanX marked this pull request as ready for review March 13, 2026 09:53
@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Mar 13, 2026
@rustbot
Copy link
Copy Markdown
Collaborator

rustbot commented Mar 13, 2026

r? @scottmcm

rustbot has assigned @scottmcm.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @scottmcm, libs
  • @scottmcm, libs expanded to 8 candidates
  • Random selection from Mark-Simulacrum, joboet, scottmcm

@rustbot

This comment has been minimized.

Sign in to view
@KyleDavidE
Copy link
Copy Markdown

KyleDavidE commented Mar 13, 2026

Would it be better to panic in the case of a buggy try_for_each?

@bend-n
Copy link
Copy Markdown
Contributor

bend-n commented Mar 13, 2026

you could also write a "manual" try_for_each instead, with a try { } block and a for loop

@TKanX TKanX marked this pull request as draft March 13, 2026 19:36
@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 13, 2026
@TKanX
Copy link
Copy Markdown
Contributor Author

TKanX commented Mar 13, 2026

Would it be better to panic in the case of a buggy try_for_each?

Yes!

@TKanX TKanX force-pushed the bugfix/153803-filter-next-chunk-ub branch 2 times, most recently from 674a6cd to 088a316 Compare March 13, 2026 20:26
@TKanX
Copy link
Copy Markdown
Contributor Author

TKanX commented Mar 13, 2026

@KyleDavidE Thanks!

@TKanX TKanX marked this pull request as ready for review March 13, 2026 20:36
@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Mar 13, 2026
@KyleDavidE
Copy link
Copy Markdown

KyleDavidE commented Mar 13, 2026

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

@TKanX
Copy link
Copy Markdown
Contributor Author

TKanX commented Mar 13, 2026

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

Does this approach still hold when the Iterator impl is unsafe?

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@KyleDavidE
Copy link
Copy Markdown

KyleDavidE commented Mar 13, 2026

Another option would be to switch to using try_fold with a zst token accumulator. Because the impl can't conjure a new instance of the token, it would prevent calling the closure after it returns Break. This does depend on paramaticity arguments that I'm not 100% sure how much I trust.

Does this approach still hold when the Iterator impl is unsafe?

I'm pretty sure. https://doc.rust-lang.org/std/mem/fn.conjure_zst.html

Conjuring a zst in a way that breaks library invarents is not allowed.

@TKanX @KyleDavidE
fix(iter): Panic on contract violation in Filter/`FilterMap::next_c…
eacacdc 
…hunk`

Co-authored-by: Kyle Ehrlich <4015993+KyleDavidE@users.noreply.github.com>
@TKanX TKanX force-pushed the bugfix/153803-filter-next-chunk-ub branch from 088a316 to eacacdc Compare March 13, 2026 22:26
@scottmcm
Copy link
Copy Markdown
Member

scottmcm commented Mar 18, 2026

r? @the8472

@rustbot rustbot assigned the8472 and unassigned scottmcm Mar 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@the8472 the8472

Labels

S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Buffer overrun in Filter::next_chunk / FilterMap::next_chunk

7 participants

@TKanX @rustbot @KyleDavidE @bend-n @rust-log-analyzer @scottmcm @the8472