fix segfault documentation
Creative0708 committed Feb 21, 2024
1 parent 365a779 commit d3f6321
Showing 1 changed file with 4 additions and 12 deletions.
16 changes: 4 additions & 12 deletions src/segfault.rs
@@ -1,19 +1,11 @@
//! A 100% memory-safe segmentation fault.
//!
//! We use the soundness hole to create a mutable null reference to a `u8`.
//!
//! The smart pointer exists on the stack, but was dropped, so the reference
//! is borrowing arbitrary data on the stack. We can then fill the stack with zeros, which
//! replaces the smart pointer's address with zero, creating a null reference in safe Rust.
//!
//! By accessing the contents of the pointer, we force Rust to dereference the null pointer,
//! causing a segfault.
//!
//! > **Note:** In theory this should work with a normal box, but in practice Rust reads random
//! > memory instead of segfaulting on a null pointer. We think this is due to compiler
//! > optimisations.
//! We first use the soundness hole (and our transmute implementation) to create a mutable null reference to a `u8`.
//! Then, we dereference it to get a segmentation fault!
/// Segfaults the program.
///
/// See [`crate::transmute()`]
pub fn segfault() -> ! {
let null = crate::null_mut::<u8>();
*null = 42;
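Review bot: the item doc on `segfault()` still says `See [`crate::transmute()`]` while the body calls `crate::null_mut::<u8>()`, so the intra-doc link sends readers to the wrong helper; point it at `crate::null_mut()` (keeping `crate::transmute()` as a second link if the module doc wants to credit it) or change the call to match. The rewritten module doc also says the null reference is "dereferenced", but the body performs a write (`*null = 42;`); stating that explicitly is worth it, because the removed note about a plain `Box` "reading random memory instead of segfaulting" was the only place this file recorded that a read may be optimised away while the write is what reliably traps, and that caveat disappears with this change.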

0 comments on commit d3f6321
