Skip to content

Fix handling empty AllowedMechanisms attribute #324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix handling empty AllowedMechanisms attribute #324

wants to merge 3 commits into from
+34 −12

Conversation

@Jakuje
Copy link
Collaborator

@Jakuje Jakuje commented Nov 20, 2025

As returned by SoftHSM: softhsm/SoftHSMv2#825

Fixes: #323

@Jakuje Jakuje mentioned this pull request Nov 20, 2025
Open
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 03f686d to a2ac816 Compare November 20, 2025 11:03
nwalfield
nwalfield reviewed Nov 20, 2025
View reviewed changes
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from a2ac816 to 32243e0 Compare November 20, 2025 11:19
@Jakuje
Copy link
Collaborator Author

Jakuje commented Nov 20, 2025

OTOH this could be considered a softhsm bug (or at least oddness) and as a rust-cryptoki, we might want to shield a users from such pkcs11-module-specific issues. But then we would have to filter this out early in get_attributes, which does not sound great either.

@Jakuje Jakuje requested review from hug-dev and wiktor-k November 20, 2025 11:23
@nwalfield
Copy link
Contributor

nwalfield commented Nov 20, 2025
edited
Loading

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

@Jakuje Jakuje mentioned this pull request Nov 20, 2025
Open
neverpanic
neverpanic reviewed Nov 20, 2025
View reviewed changes
@wiktor-k
Copy link
Collaborator

wiktor-k commented Nov 20, 2025

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

Validity rules for reads explicitly point out that:

For memory accesses of size zero, every pointer is valid, including the null pointer.

I'm okay with the change here, with a bit of docs around it, since at first sight it looks like a premature optimization 🤔

@nwalfield
Copy link
Contributor

nwalfield commented Nov 20, 2025

You already pointed out that at least two attributes can definitely be zero length. It thus seems like a bug in rust-cryptoki that it tries to allocate 0 bytes and expects to get a pointer that can be cast to a raw pointer and passed to std::slice::from_raw_parts:

Behavior is undefined if any of the following conditions are violated:

    data must be non-null, valid for reads for len * size_of::<T>() many bytes, and it must be properly aligned

Validity rules for reads explicitly point out that:

For memory accesses of size zero, every pointer is valid, including the null pointer.

I'm okay with the change here, with a bit of docs around it, since at first sight it looks like a premature optimization 🤔

That's not the only relevant thing. From slice::from_raw_parts:

data must be non-null and aligned even for zero-length slices or slices of ZSTs.

And that's the bug that we are seeing.

@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 32243e0 to 84339fb Compare November 20, 2025 14:13
neverpanic
neverpanic reviewed Nov 20, 2025
View reviewed changes
Copy link

@neverpanic neverpanic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo, rest lg2m.

@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 84339fb to 0204b08 Compare November 20, 2025 14:28
hug-dev
hug-dev previously approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@hug-dev hug-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix and the comment ⭐

@Jakuje
Copy link
Collaborator Author

Jakuje commented Dec 3, 2025

@wiktor-k can you have a look and approve if this looks ok?

wiktor-k
wiktor-k previously approved these changes Dec 3, 2025
View reviewed changes
Copy link
Collaborator

@wiktor-k wiktor-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good 👌 a couple of small suggestions, if you don't mind.

Btw, thanks for the ping, quite a lot on the plate recently 😅

Jakuje added 2 commits December 3, 2025 12:21
@Jakuje
object: Avoid crashing on zero-length AllowedMechanisms attribute
6b88a00 
As returned by SoftHSM: softhsm/SoftHSMv2#825

Fixes: parallaxsecond#323

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@Jakuje
tests: Reproducer for empty AllowedMechanisms issue with SoftHSM
780b7a2 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@Jakuje Jakuje dismissed stale reviews from wiktor-k and hug-dev via 780b7a2 December 3, 2025 11:21
@Jakuje Jakuje force-pushed the allowed-mechanism-attribute branch from 0204b08 to 780b7a2 Compare December 3, 2025 11:21
@Jakuje
Copy link
Collaborator Author

Jakuje commented Dec 3, 2025

oh, no. Something in the ubuntu broke the installation of the 32b arch softhsm ...

@hug-dev
Copy link
Member

hug-dev commented Dec 3, 2025

Is it this line failing? Might be ok to ignore for now...

sudo dpkg --add-architecture i386

@Jakuje
Copy link
Collaborator Author

Jakuje commented Dec 3, 2025

Is it this line failing? Might be ok to ignore for now...

sudo dpkg --add-architecture i386

Hard to say. Would have to try that locally or to get more information from the CI. I am also curious about the kryoptic failure that was not there in #328, in CI which ran last week.

@Jakuje
ci: Log executed commands
3c59e92 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wiktor-k wiktor-k wiktor-k left review comments

@hug-dev hug-dev hug-dev left review comments

+2 more reviewers

@neverpanic neverpanic neverpanic left review comments

@nwalfield nwalfield nwalfield left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Undefined behavior in CK_ATTRIBUTE::try_from or Session::get_attributes

5 participants

@Jakuje @nwalfield @wiktor-k @hug-dev @neverpanic