Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[master] Fix CVE-2021-42574 #90462

Merged
merged 3 commits into from
Nov 1, 2021
Merged

[master] Fix CVE-2021-42574 #90462

merged 3 commits into from
Nov 1, 2021

Conversation

pietroalbini
Copy link
Member

This PR implements new lints to mitigate the impact of CVE-2021-42574, caused by the presence of bidirectional-override Unicode codepoints in the compiled source code. See the advisory for more information about the vulnerability.

The changes in this PR will be released in tomorrow's nightly release.

@rust-highfive
Copy link
Collaborator

r? @michaelwoerister

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Nov 1, 2021
@pietroalbini
Copy link
Member Author

The fix was developed by @estebank and reviewed by @nikomatsakis out of band.

@bors r=nikomatsakis p=250 rollup=never

@bors
Copy link
Contributor

bors commented Nov 1, 2021

📌 Commit a567c8a has been approved by nikomatsakis

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 1, 2021
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@bors
Copy link
Contributor

bors commented Nov 1, 2021

⌛ Testing commit a567c8a with merge 64361dd1e4c809de1e72b198d08ba9fa549244d8...

@bors
Copy link
Contributor

bors commented Nov 1, 2021

💔 Test failed - checks-actions

@bors bors added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. labels Nov 1, 2021
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@pietroalbini
Copy link
Member Author

Fixed formatting.

@bors r=nikomatsakis,pietroalbini p=250 rollup=never

@bors
Copy link
Contributor

bors commented Nov 1, 2021

📌 Commit cdd3b86 has been approved by nikomatsakis,pietroalbini

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 1, 2021
@bors
Copy link
Contributor

bors commented Nov 1, 2021

⌛ Testing commit cdd3b86 with merge db14a17...

@bors
Copy link
Contributor

bors commented Nov 1, 2021

☀️ Test successful - checks-actions
Approved by: nikomatsakis,pietroalbini
Pushing db14a17 to master...

@bors bors added the merged-by-bors This PR was explicitly merged by bors. label Nov 1, 2021
@bors bors merged commit db14a17 into rust-lang:master Nov 1, 2021
@rustbot rustbot added this to the 1.58.0 milestone Nov 1, 2021
@rust-highfive
Copy link
Collaborator

📣 Toolstate changed by #90462!

Tested on commit db14a17.
Direct link to PR: #90462

🎉 rls on linux: test-fail → test-pass (cc @Xanewok).

rust-highfive added a commit to rust-lang-nursery/rust-toolstate that referenced this pull request Nov 1, 2021
@rust-highfive
📣 Toolstate changed by rust-lang/rust#90462!
f1d0760 
Tested on commit rust-lang/rust@db14a17.
Direct link to PR: <rust-lang/rust#90462>

🎉 rls on linux: test-fail → test-pass (cc @Xanewok).
@bors bors mentioned this pull request Nov 1, 2021
Merged
@rust-timer
Copy link
Collaborator

Finished benchmarking commit (db14a17): comparison url.

Summary: This change led to very large relevant mixed results 🤷 in compiler performance.

  • Small improvement in instruction counts (up to -0.5% on full builds of deeply-nested-async)
  • Very large regression in instruction counts (up to 14.2% on incr-unchanged builds of coercions)

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

Next Steps: If you can justify the regressions found in this perf run, please indicate this with @rustbot label: +perf-regression-triaged along with sufficient written justification. If you cannot justify the regressions please open an issue or create a new PR that fixes the regressions, add a comment linking to the newly created issue or PR, and then add the perf-regression-triaged label to this PR.

@rustbot label: +perf-regression

@rustbot rustbot added the perf-regression Performance regression. label Nov 1, 2021
@pietroalbini pietroalbini deleted the bidi-master branch November 1, 2021 16:43
est31
est31 reviewed Nov 1, 2021
View reviewed changes
compiler/rustc_lint/src/hidden_unicode_codepoints.rs
/// ```rust,compile_fail
/// #![deny(text_direction_codepoint_in_literal)]
/// fn main() {
/// println!("{:?}", '‮');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this able to compile without an #[allow]? I've thought the lint also forbids usage in doc comments? Or are examples exempt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting... The test itself is a compile_fail, but you're saying it should fail at the library level?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@est31 is saying that the lint should trigger when compiling hidden_unicode_codepoints.rs because it appears in a doc-comment. Now that it is pointed out, clearly there's something amiss as well here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's been pointed out on the main PR as well (should have checked that PR before making the comment): #90460 (review)

@pnkfelix pnkfelix mentioned this pull request Nov 2, 2021
Open
@hkratz hkratz mentioned this pull request Nov 4, 2021
Merged
@estebank estebank mentioned this pull request Jan 19, 2023
Closed
This was referenced Jul 5, 2023
Open
Open
@fmease fmease mentioned this pull request Nov 25, 2024
Open
@jieyouxu jieyouxu added the L-text_direction_codepoint_in_literal Lint: text_direction_codepoint_in_literal label Dec 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@est31 est31 est31 left review comments

@estebank estebank estebank left review comments

@cuviper cuviper cuviper left review comments

Assignees

@nikomatsakis nikomatsakis

Labels
L-text_direction_codepoint_in_literal Lint: text_direction_codepoint_in_literal merged-by-bors This PR was explicitly merged by bors. perf-regression Performance regression. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Milestone
1.58.0
Development

Successfully merging this pull request may close these issues.