
UEFI process::Command create_args does not reject interior NUL in program/args #601

Description

@SebTardif

Summary

library/std/src/sys/process/uefi.rs uefi_command_internal::create_args builds a wide LoadOptions / shell command-line buffer from prog and args via encode_wide() without rejecting interior wide 0 units. UEFI treats these buffers as C-style wide strings (see os_string_to_raw and OwnedDevicePath::from_text, which already reject interior NULs). An embedded 0 truncates the command line at the first zero unit.

output() is the caller that passes the result to Image::set_args.

Origin

Audit of external-input trust boundaries in std (UEFI process spawn / wide-string helpers), SebTardif/rust fork of rust-lang/rust.

Affected code (upstream tip at audit time)

https://github.com/rust-lang/rust/blob/f28ac764c36/library/std/src/sys/process/uefi.rs#L875-L906

pub fn create_args(prog: &OsStr, args: &[OsString]) -> Box<[u16]> {
    ...
    res.extend(prog.encode_wide());
    ...
    for c in arg.encode_wide() { ... }
}

Suggested fix

Reject any OsStr whose encode_wide() yields a 0 unit (InvalidInput, same message as os_string_to_raw / OwnedDevicePath::from_text). Change create_args to return io::Result<Box<[u16]>> and propagate from output().
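The truncation described in the summary and the fallible variant proposed in the suggested fix, side by side, as an added example that is not the std code from uefi.rs. It assumes &str inputs encoded with encode_utf16() as a portable stand-in for OsStr::encode_wide(), plain space-joining instead of the real quoting logic, and a constructed program name and argument list.

```rust
use std::io;

/// Stand-in for a UEFI consumer of a wide C string: it reads up to the
/// first 0 unit, which is why an interior 0 silently truncates the line.
fn wide_cstr_view(buf: &[u16]) -> &[u16] {
    let end = buf.iter().position(|&u| u == 0).unwrap_or(buf.len());
    &buf[..end]
}

/// UTF-16 encode one segment, rejecting interior 0 units with the error
/// kind the report suggests (InvalidInput), as the other helpers already do.
fn encode_checked(s: &str) -> io::Result<Vec<u16>> {
    let wide: Vec<u16> = s.encode_utf16().collect();
    if wide.contains(&0) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "strings passed to UEFI cannot contain NULs",
        ));
    }
    Ok(wide)
}

/// Unchecked variant mirroring the reported behaviour: an interior 0 is
/// copied straight into the buffer (assumed simplified joining, no quoting).
fn create_args_unchecked(prog: &str, args: &[&str]) -> Box<[u16]> {
    let mut res: Vec<u16> = prog.encode_utf16().collect();
    for arg in args {
        res.push(b' ' as u16);
        res.extend(arg.encode_utf16());
    }
    res.push(0); // terminating NUL expected by the consumer
    res.into_boxed_slice()
}

/// Hardened variant: fallible, propagating the InvalidInput error to the caller.
fn create_args_checked(prog: &str, args: &[&str]) -> io::Result<Box<[u16]>> {
    let mut res = encode_checked(prog)?;
    for arg in args {
        res.push(b' ' as u16);
        res.extend(encode_checked(arg)?);
    }
    res.push(0);
    Ok(res.into_boxed_slice())
}

fn main() {
    // Constructed input: the second argument carries an interior NUL.
    let args = ["--out", "a\0 --flag"];
    let raw = create_args_unchecked("app.efi", &args);
    println!("child sees: {:?}", String::from_utf16_lossy(wide_cstr_view(&raw)));
    println!("checked: {:?}", create_args_checked("app.efi", &args).map(|_| ()));
}
```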

Impact

Low. UEFI is a specialty target, and reaching the bug requires a caller to pass OsStr/OsString segments that contain embedded NULs (possible when they are built from untrusted encoded bytes). The misbehavior is a truncated command line / wrong child arguments, not memory unsafety in safe Rust.

Related
