tor_dirmgr::storage::load is unsound due to mmap
`load` uses memory mapping. This is quite hazardous. What if the file is modified under `load`'s feet?
I'm pretty sure I can make a POC where I pass a `File` to `load` which contains valid UTF-8, and induce storage.rs to validate it (`InputString::MappedBytes` with `validated` set to `true`), and then modify the file underneath to be invalid UTF-8, generating UB.
This function is `pub(crate)` so this doesn't mean the public crate API is unsound, but there is probably a way to get UB using the public API.
It may also be possible to get Arti to execute UB by editing these files under its feet. IDK what Arti policy is about that, but I think it's quite undesirable.
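The failure mode the report describes (a one-time UTF-8 check cached in a `validated` flag, while the underlying mapping can be rewritten by anyone with write access to the file) and the two sound alternatives, as an added example. This is not Arti's code: the `SharedMapping`, `MappedInput` and `load_owned` names are hypothetical, and a real `mmap` is modelled with a shared mutable buffer so the "file changed under our feet" case can be reproduced in a plain test without the memmap crate.

```rust
// Added example (not Arti's code): a memory mapping is modelled as a buffer
// that some other party can rewrite at any time. The holder of the mapping
// is never told, which is exactly why a cached "validated: bool" followed by
// an unchecked &str conversion is unsound.
use std::cell::RefCell;
use std::rc::Rc;
use std::str::Utf8Error;

/// Stand-in for a memory-mapped file (hypothetical name). The bytes can be
/// replaced out from under every holder of the mapping.
#[derive(Clone)]
pub struct SharedMapping(Rc<RefCell<Vec<u8>>>);

impl SharedMapping {
    pub fn new(bytes: &[u8]) -> Self {
        SharedMapping(Rc::new(RefCell::new(bytes.to_vec())))
    }

    /// Simulates an external writer rewriting the file underneath us.
    pub fn overwrite(&self, bytes: &[u8]) {
        *self.0.borrow_mut() = bytes.to_vec();
    }
}

/// Sound option 1: never cache the validation result. The mapping stays
/// `&[u8]` forever and every access goes through the checked
/// `str::from_utf8`, so a concurrent modification yields an `Err`, never UB.
pub struct MappedInput {
    map: SharedMapping,
}

impl MappedInput {
    pub fn new(map: SharedMapping) -> Self {
        MappedInput { map }
    }

    /// Runs `f` on the current contents if, and only if, they are valid
    /// UTF-8 *right now*. The `&str` never outlives this call.
    pub fn with_str<R>(&self, f: impl FnOnce(&str) -> R) -> Result<R, Utf8Error> {
        let bytes = self.map.0.borrow();
        std::str::from_utf8(&bytes).map(f)
    }
}

/// Sound option 2: copy out of the mapping once, then validate the private
/// copy. Once `String::from_utf8` succeeds nobody else can touch the bytes,
/// so the `String` invariant genuinely holds for its whole lifetime.
pub fn load_owned(map: &SharedMapping) -> Result<String, std::string::FromUtf8Error> {
    let copy: Vec<u8> = map.0.borrow().clone();
    String::from_utf8(copy)
}

fn main() {
    // Constructed sample contents, not a real directory document.
    let map = SharedMapping::new(b"consensus document");
    let input = MappedInput::new(map.clone());
    let snapshot = load_owned(&map).expect("valid at load time");

    println!("before: {:?}", input.with_str(|s| s.len()));
    map.overwrite(b"cons\xff\xfe"); // another writer truncates/corrupts the file
    println!("after:  {:?}", input.with_str(|s| s.len()));
    println!("owned copy still fine: {snapshot}");
}
```

The pattern the issue describes would, after the `overwrite`, still hand out a `&str` over bytes that are no longer UTF-8; option 1 turns that into a recoverable `Utf8Error` at the cost of re-validating on each access, and option 2 pays one copy up front and then needs no further checks at all. Either is acceptable from a soundness standpoint; a cached flag over a mapping that other processes can write is not.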