File tree Expand file tree Collapse file tree 1 file changed +4
-12
lines changed Expand file tree Collapse file tree 1 file changed +4
-12
lines changed Original file line number Diff line number Diff line change 11//! A 100% memory-safe segmentation fault.
22//!
3- //! We use the soundness hole to create a mutable null reference to a `u8`.
4- //!
5- //! The smart pointer exists on the stack, but was dropped, so the reference
6- //! is borrowing arbitrary data on the stack. We can then fill the stack with zeros, which
7- //! replaces the smart pointer's address with zero, creating a null reference in safe Rust.
8- //!
9- //! By accessing the contents of the pointer, we force Rust to dereference the null pointer,
10- //! causing a segfault.
11- //!
12- //! > **Note:** In theory this should work with a normal box, but in practice Rust reads random
13- //! > memory instead of segfaulting on a null pointer. We think this is due to compiler
14- //! > optimisations.
3+ //! We first use the soundness hole (and our transmute implementation) to create a mutable null reference to a `u8`.
4+ //! Then, we dereference it to get a segmentation fault!
155
166/// Segfaults the program.
7+ ///
8+ /// See [`crate::transmute()`]
179pub fn segfault ( ) -> ! {
1810 let null = crate :: null_mut :: < u8 > ( ) ;
1911 * null = 42 ;
You can’t perform that action at this time.
0 commit comments