`Read` on uninitialized buffer may cause UB (`impl Walue for Vec<u8>`)

[JOE1994]

Hello fellow 🦀,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

postscript/src/tape.rs

Lines 97 to 112 in 36a1cd2

	macro_rules! walue {
	($kind:ty, 1) => (
	impl Walue for $kind {
	type Parameter = usize;
	fn read<T: Tape>(tape: &mut T, count: usize) -> Result<Self> {
	let mut buffer = Vec::with_capacity(count);
	unsafe { buffer.set_len(count) };
	::std::io::Read::read_exact(tape, &mut buffer)?;
	Ok(buffer)
	}
	}
	);
	}
	walue!(Vec<u8>, 1);

<std::vec::Vec<u8> as tape::Walue>::read() method creates an uninitialized buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).

This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.

How to fix the issue?

The Naive & safe way to fix the issue is to always zero-initialize a buffer before lending it to a user-provided Read implementation. Note that this approach will add runtime performance overhead of zero-initializing the buffer.

As of Jan 2021, there is not yet an ideal fix that works in stable Rust with no performance overhead. Below are links to relevant discussions & suggestions for the fix.

• Well-written document regarding the issue
• Rust RFC 2930
• nightly feature std::io::Initializer
• Discussion in Rust Internals Forum

[IvanUkhov]

Thank you! Fixed.