patina_internal_collections: Fix UB memory read in Node fields#1152
Merged
makubacki merged 7 commits intoOpenDevicePartnership:mainfrom Apr 2, 2026
Merged
patina_internal_collections: Fix UB memory read in Node fields#1152makubacki merged 7 commits intoOpenDevicePartnership:mainfrom
makubacki merged 7 commits intoOpenDevicePartnership:mainfrom
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
garybeihl
force-pushed
the
fix-node-uninit
branch
2 times, most recently
from
492ef76 to
7a57e63
Compare
os-d
reviewed
Dec 3, 2025
joschock
reviewed
Dec 3, 2025
Javagedes
reviewed
Dec 3, 2025
Javagedes
reviewed
Dec 3, 2025
garybeihl
force-pushed
the
fix-node-uninit
branch
4 times, most recently
from
f0178c1 to
b1385f8
Compare
garybeihl
force-pushed
the
fix-node-uninit
branch
2 times, most recently
from
ae5dcec to
7fcea9b
Compare
Contributor
|
Hi @garybeihl , I noticed you've been keeping this PR up to date, but not working on it (which is completely fine). I just wanted to make sure you were not waiting on additional information from any of us that have commented on this PR (i.e. make sure we are not blocking you in any way)! |
Contributor
Author
|
No - not blocked - I uploaded a version of the changes that uses MaybeUninit and D: Default - just waiting for further comments or change requests. If you could have a look when you get a chance, that would be great - thanks! |
joschock
approved these changes
Dec 19, 2025
garybeihl
force-pushed
the
fix-node-uninit
branch
3 times, most recently
from
a3c3321 to
490f0cf
Compare
garybeihl
force-pushed
the
fix-node-uninit
branch
from
490f0cf to
82593c8
Compare
makubacki
reviewed
Jan 12, 2026
garybeihl
force-pushed
the
fix-node-uninit
branch
4 times, most recently
from
f6e8da6 to
84636f4
Compare
…ment Replace Default trait requirement with MaybeUninit wrapper for Node data field. Only initialize data when nodes move from available to in-use list. Fixes UB where Cell::set() was reading uninitialized memory.
garybeihl
force-pushed
the
fix-node-uninit
branch
from
84636f4 to
e2a9857
Compare
Add safety documentation to all unsafe blocks in production code. Add allow(clippy::undocumented_unsafe_blocks) to test modules to avoid redundant safety comments for test assertions.
Contributor
Author
|
Is there anything more for me to do here? If not, can I get another approval? |
makubacki
approved these changes
Feb 12, 2026
Collaborator
makubacki
left a comment
makubacki
left a comment
There was a problem hiding this comment.
@Javagedes & @joschock should have a final review as well.
Contributor
✅ QEMU Validation PassedAll QEMU validation jobs completed successfully.
Workflow run: https://github.com/OpenDevicePartnership/patina/actions/runs/23915461797 Boot Time to EFI Shell
Dependencies
This comment was automatically generated by the Patina QEMU PR Validation Post workflow. |
Contributor
Author
|
Ping - please review so I can close this and move on to other Miri-found issues. Thanks! |
makubacki
reviewed
Mar 5, 2026
Javagedes
approved these changes
Mar 10, 2026
- Use MaybeUninit<Node<D>> in expand() to avoid UB from creating references to uninitialized memory - Change Node data field visibility from pub to pub(crate) - Fix expand() copy loop to iterate 0..self.len() instead of 0..self.capacity() to avoid reading uninitialized data - Remove module-level #[allow(clippy::undocumented_unsafe_blocks)] in favor of per-block safety comments Signed-off-by: Gary Beihl <garybeihl@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes an undefined behavior issue where
Cell::set()reads uninitialized memory during linked list creation inStorage::resize().Root Cause
Cell::set()internally usesmem::replace(), which reads the old value before writing the new one.Storage::resize()allocates new nodes and callsbuild_linked_list(), the Cell fields contain uninitialized memory.Impact
Fix
ptr::write()beforebuild_linked_list()addr_of_mut!()to read field pointers without creating references to uninitialized dataIntroduced by
AtomicPtr::store()writes without reading the old value, butCell::set()usesmem::replace()which reads before writingRelated to #560
How This Was Tested
cargo +nightly-2025-09-19 miri test -p patina_dxe_core.Integration Instructions
N/A