Summary
library/std/src/sys/process/uefi.rs uefi_command_internal::create_args builds a wide LoadOptions / shell command-line buffer from prog and args via encode_wide() without rejecting interior wide 0 units. UEFI treats these buffers as C-style wide strings (see os_string_to_raw and OwnedDevicePath::from_text, which already reject interior NULs). An embedded 0 truncates the command line at the first zero unit.
output() is the caller that passes the result to Image::set_args.
Origin
Audit of external-input trust boundaries in std (UEFI process spawn / wide-string helpers), SebTardif/rust fork of rust-lang/rust.
Affected code (upstream tip at audit time)
https://github.com/rust-lang/rust/blob/f28ac764c36/library/std/src/sys/process/uefi.rs#L875-L906
pub fn create_args(prog: &OsStr, args: &[OsString]) -> Box<[u16]> {
...
res.extend(prog.encode_wide());
...
for c in arg.encode_wide() { ... }
}
Suggested fix
Reject any OsStr whose encode_wide() yields a 0 unit (InvalidInput, same message as os_string_to_raw / OwnedDevicePath::from_text). Change create_args to return io::Result<Box<[u16]>> and propagate from output().
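Added illustration of the defect and the suggested fix (example code written for this note, not code from std or from the issue): the unchecked builder beside the checked one. &str and str::encode_utf16 stand in for OsStr and encode_wide(), which only exist on UEFI/Windows targets; the plain space separator and the error message wording are assumptions, as are the sample inputs.

```rust
use std::io;

/// Assumed wording; modelled on the message os_string_to_raw /
/// OwnedDevicePath::from_text use for interior NULs.
const NUL_MSG: &str = "strings passed to UEFI cannot contain NULs";

/// Unchecked shape, mirroring the reported create_args: every wide unit,
/// including an interior 0, is copied straight into the buffer.
pub fn create_args_unchecked(prog: &str, args: &[&str]) -> Box<[u16]> {
    let mut res: Vec<u16> = prog.encode_utf16().collect();
    for arg in args {
        res.push(b' ' as u16); // separator is a simplification (assumed)
        res.extend(arg.encode_utf16());
    }
    res.push(0); // terminating NUL of the wide string
    res.into_boxed_slice()
}

/// Checked shape per the suggested fix: reject any 0 unit with InvalidInput
/// and let the caller propagate the io::Result.
pub fn create_args_checked(prog: &str, args: &[&str]) -> io::Result<Box<[u16]>> {
    let mut res: Vec<u16> = Vec::new();
    push_checked(&mut res, prog)?;
    for arg in args {
        res.push(b' ' as u16);
        push_checked(&mut res, arg)?;
    }
    res.push(0);
    Ok(res.into_boxed_slice())
}

fn push_checked(buf: &mut Vec<u16>, s: &str) -> io::Result<()> {
    for unit in s.encode_utf16() {
        if unit == 0 {
            return Err(io::Error::new(io::ErrorKind::InvalidInput, NUL_MSG));
        }
        buf.push(unit);
    }
    Ok(())
}

/// What a C-style wide-string consumer (e.g. the UEFI shell reading
/// LoadOptions) actually sees: everything before the first 0 unit.
pub fn visible_len(buf: &[u16]) -> usize {
    buf.iter().position(|&u| u == 0).unwrap_or(buf.len())
}
```

With a constructed argument such as "a\0b", the unchecked buffer holds 14 units but a wide-string reader stops after "app.efi a"; the checked builder refuses the input instead.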
Impact
Low. UEFI is a specialty target; callers must pass OsStr/OsString segments with embedded NULs (possible via untrusted encoded bytes). Misbehavior is truncated command line / wrong child arguments, not memory unsafety in safe Rust.
Related