user_ptr: Use wrapping_add instead of add to avoid UB

geofft · alex · commit 15bdc7d16f1c · 2018-06-10T17:54:43.000Z
`pointer::add` and `pointer::offset` turn into a `getelementptr
inbounds`, which is UB if it does not point to a valid object or one
past a valid object (i.e., it enables compiler optimizations that make
that assumption).  Raw pointers to userspace are not pointers to valid
objects.

`pointer::wrapping_add` and `pointer::wrapping_offset` turn into a
`getelementptr`, which is always defined (and so they're both safe).
diff --git a/src/user_ptr.rs b/src/user_ptr.rs
@@ -61,9 +61,10 @@ impl UserSlicePtrReader {
         if res != 0 {
             return Err(error::Error::EFAULT);
         }
-        unsafe {
-            self.0 = self.0.add(data.len());
-        }
+        // Since this is not a pointer to a valid object in our program,
+        // we cannot use `add`, which has C-style rules for defined
+        // behavior.
+        self.0 = self.0.wrapping_offset(data.len());
         self.1 -= data.len();
         return Ok(());
     }
@@ -86,9 +87,10 @@ impl UserSlicePtrWriter {
         if res != 0 {
             return Err(error::Error::EFAULT);
         }
-        unsafe {
-            self.0 = self.0.add(data.len());
-        }
+        // Since this is not a pointer to a valid object in our program,
+        // we cannot use `add`, which has C-style rules for defined
+        // behavior.
+        self.0 = self.0.wrapping_offset(data.len());
         self.1 -= data.len();
         Ok(())
     }
