Possible unsoundness with uninit `to_guest: &mut [u32]` for syscalls

[thaliaarchi]

I think it may be unsound for Syscall to send data from the host to guest via to_guest: &mut [u32], when the pointer given by the guest is to an uninitialized allocation. I think use of sys_read or sys_read_words with uninitialized buffers could trigger UB. I think it should instead be &mut [MaybeUninit<u32>].

My motivation for this comes from wanting to implement Read::read_buf for the RISC Zero version of std::io::Stdin (tracked in rust-lang/rust#136756).

If this sounds good, I could submit a PR here similar to what I did for the Hermit unikernel in hermit-os/kernel#1606 (Use uninitialized buffers for read and recvfrom). However, since each file descriptor is associated with a dyn Read and Read::read_buf is currently unstable, this might not be possible.

On the other hand, Rust tentatively does not have full recursive validity for references, so as long as uninitialized data is not read, you might be fine. @RalfJung?

Steps to reproduce

This patch to std, which implements Read::read_buf for RISC Zero stdin, would encounter this issue.

Since I know little about RISC Zero, here's my understanding of the relevant bits, so you can correct me if I'm wrong:

Trace from the C FFI to the underlying Read::read calls

• Guest code invokes a function in the C FFI, passing a buffer via a *mut u8 and usize length:

  risc0/risc0/zkvm/platform/src/syscall.rs

  Line 482 in 711b163

  pub unsafe extern "C" fn sys_read(fd: u32, recv_ptr: *mut u8, nread: usize) -> usize {

• It invokes a syscall via ecall, passing the pointer and length by a0 and a1 registers and :

  risc0/risc0/zkvm/platform/src/syscall.rs

  Lines 584 to 590 in 711b163

  	syscall_2(
  	nr::SYS_READ,
  	recv_ptr,
  	min(nwords_remain, MAX_BUF_WORDS),
  	fd,
  	chunk_len,
  	)

  risc0/risc0/zkvm/platform/src/syscall.rs

  Lines 236 to 251 in 711b163

  	::core::arch::asm!(
  	"ecall",
  	in("t0") $crate::syscall::ecall::SOFTWARE,
  	inlateout("a0") from_host => a0,
  	inlateout("a1") from_host_words => a1,
  	in("a2") syscall.as_ptr()
  	$(,in("a3") $a0
  	$(,in("a4") $a1
  	$(,in("a5") $a2
  	$(,in("a6") $a3
  	$(,in("a7") $a4
  	)?
  	)?
  	)?
  	)?
  	)?);

• It is somehow transmitted to the host. I'm fuzzy here. I assume the guest and host are on the same system?

• The host resolves the syscall

  risc0/risc0/zkvm/src/host/server/exec/syscall/mod.rs

  Lines 197 to 199 in 711b163

  	pub(crate) fn get_syscall(&self, name: &str) -> Option<&Rc<RefCell<(dyn Syscall + 'a)>>> {
  	self.inner.get(name)
  	}

  from the table:

  risc0/risc0/zkvm/src/host/server/exec/syscall/mod.rs

  Line 174 in 711b163

  .with_syscall(SYS_READ, SysRead)

• And calls the appropriate impl Syscall:

  risc0/risc0/zkvm/src/host/server/exec/syscall/posix_io.rs

  Lines 26 to 32 in 711b163

  	impl Syscall for SysRead {
  	fn syscall(
  	&mut self,
  	_syscall: &str,
  	ctx: &mut dyn SyscallContext,
  	to_guest: &mut [u32],
  	) -> Result<(u32, u32)> {

  which casts to_guest to a &mut [u8], adjusting the length to be in bytes:

  risc0/risc0/zkvm/src/host/server/exec/syscall/posix_io.rs

  Line 63 in 711b163

  let to_guest_u8 = bytemuck::cast_slice_mut(to_guest);

• It then resolves std::io::Read instance for the given fd, which is either a std::io::Cursor<Vec<u8>> for stdin

  risc0/risc0/zkvm/src/host/client/posix_io.rs

  Line 39 in 711b163

  new.with_read_fd(fileno::STDIN, Cursor::new(vec![]))

  or some other dyn Read:

  risc0/risc0/zkvm/src/host/client/posix_io.rs

  Lines 62 to 64 in 711b163

  	pub fn with_read_fd(&mut self, fd: u32, reader: impl Read + 'a) -> &mut Self {
  	self.with_shared_read_fd(fd, Rc::new(RefCell::new(reader)))
  	}

• It then calls std::io::Read::read until enough of the buffer is filled:

  risc0/risc0/zkvm/src/host/server/exec/syscall/posix_io.rs

  Lines 50 to 61 in 711b163

  	let read_all = |mut buf: &mut [u8]| -> Result<usize> {
  	let mut tot_nread = 0;
  	while !buf.is_empty() {
  	let nread = reader.borrow_mut().read(buf)?;
  	if nread == 0 {
  	break;
  	}
  	tot_nread += nread;
  	(_, buf) = buf.split_at_mut(nread);
  	}
  	Ok(tot_nread)
  	};

  This API expects the buffer to be fully initialized.

[linear]

ZKVM-1110 Possible unsoundness with uninit `to_guest: &mut [u32]` for syscalls

[bobbobbio]

I think you might be mistaken about where this reference is coming from

The call to the syscall handler passes in a normal buffer

risc0/risc0/circuit/rv32im/src/prove/emu/exec/mod.rs

Lines 477 to 481 in 711b163

	let mut to_guest = vec![0u32; into_guest_len];
	let (a0, a1) = self
	.syscall_handler
	.syscall(&syscall_name, self, &mut to_guest)?;

Then later in that function we write it into the guest's memory. From the perspective of the host (or hypervisor) this memory is all initialized.

[thaliaarchi]

Thanks for the pointer. It makes sense for your verification that you'd retain a buffer of the results from each syscall. raw_store_u8 looks fishy, though. It reads a word from the guest so it can overwrite a byte within it. This means it reads the entirety of the guest's into_guest_ptr/into_guest_len range as it is writing to it. I'll submit a patch making it use word-aligned writes without peeking.

Also, is this the only executor or do you have multiple ways syscalls can be executed (e.g., inside a VM, on a remote machine, etc.)?

risc0/risc0/circuit/rv32im/src/prove/emu/exec/mod.rs

Line 494 in fc20a48

self.store_region(into_guest_ptr, bytemuck::cast_slice(&syscall.to_guest))?;

risc0/risc0/circuit/rv32im/src/prove/emu/exec/mod.rs

Lines 737 to 749 in fc20a48

	fn store_region(&mut self, addr: ByteAddr, slice: &[u8]) -> Result<()> {
	// tracing::trace!("store_region({addr:?}, {slice:02x?})");
	if !self.trace.is_empty() {
	self.pending.events.insert(TraceEvent::MemorySet {
	addr: addr.0,
	region: slice.into(),
	});
	}
	slice
	.iter()
	.enumerate()
	.try_for_each(|(i, x)| self.raw_store_u8(addr + i, *x))?;

risc0/risc0/circuit/rv32im/src/prove/emu/exec/mod.rs

Lines 728 to 735 in fc20a48

	fn raw_store_u8(&mut self, addr: ByteAddr, byte: u8) -> Result<()> {
	let byte_offset = addr.0 as usize % WORD_SIZE;
	let word = self.peek_u32(addr)?;
	let mut bytes = word.to_le_bytes();
	bytes[byte_offset] = byte;
	let word = u32::from_le_bytes(bytes);
	self.raw_store_memory(addr.waddr(), word)
	}

[bobbobbio]

I should be okay for the host to be reading this range of memory. I know its kinda confusing, but from the host's perspective this memory is not uninitialized.

This memory in the host is the backing store for the memory in the guest, and in the guest indeed this memory is uninitialized, but only from the guest's perspective. From the host's perspective this is just a normal piece of memory that we indeed initialized earlier before even letting the guest write into it.

Also, is this the only executor or do you have multiple ways syscalls can be executed (e.g., inside a VM, on a remote machine, etc.)?

There is only one way for guest programs to run, and that is inside our zkVM.

[thaliaarchi]

Thank you for explaining everything. This makes sense now and I've submitted rust-lang/rust#137349, since it's a non-issue.