add marker trait to help check safety of guest memory reads #794
we noted that a pointer into guest memory must point to a properly-initialized `T` when read into Propolis, but there was no way to actually check that was the case. for example, it may be tempting to write an enum describing states of a guest device like:

and read/write to guest memory using the convenient read/write helpers. but a devious guest could put a `2` at that address, where reading that into Propolis would be UB. `zerocopy::FromBytes` happens to have the same requirements about its implementors as we need, that they're always valid to view from bytes, so use it to check that we can safely read a type out of guest memory. in our case we'll always copy those bytes to our own buffer, but `zerocopy::FromBytes` also comes with a great proc macro so we can `#[derive(FromBytes)]` on structs to be copied out.
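The pattern the description is getting at, as an added example that is not Propolis code and not this PR's diff. It uses a hypothetical marker trait `ReadableFromGuest` in place of `zerocopy::FromBytes` so that the block has no crate dependency; the `GuestMemory`, `RingDescriptor` and `DeviceState` types and the byte image in `sample_guest_memory` are likewise constructed for illustration. The point it shows is the split the PR relies on: a plain-integer `repr(C)` struct is safe to copy straight out of guest bytes, while the two-variant enum is kept off the marker trait and can only be built by validating the raw byte, so a guest-supplied `2` becomes an `Err` instead of undefined behaviour.

```rust
use std::convert::TryFrom;
use std::mem::{size_of, MaybeUninit};
use std::ptr;

/// Hypothetical marker trait standing in for `zerocopy::FromBytes`.
///
/// # Safety
/// Implementors promise that *every* bit pattern of `size_of::<Self>()` bytes
/// is a valid `Self`, so copying arbitrary guest bytes into one is sound.
unsafe trait ReadableFromGuest: Copy {}

// Plain integers have no invalid bit patterns.
unsafe impl ReadableFromGuest for u8 {}
unsafe impl ReadableFromGuest for u16 {}
unsafe impl ReadableFromGuest for u32 {}
unsafe impl ReadableFromGuest for u64 {}

/// A hypothetical descriptor a device model might pull out of a guest ring.
/// `repr(C)` fixes the layout; this field order leaves no padding bytes.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct RingDescriptor {
    addr: u64,
    len: u32,
    flags: u16,
    next: u16,
}
// Every field is an integer, so every 16-byte pattern is a valid descriptor.
unsafe impl ReadableFromGuest for RingDescriptor {}

/// The tempting-but-unsound enum: only 0 and 1 are valid, so it deliberately
/// does NOT implement `ReadableFromGuest` and `GuestMemory::read::<DeviceState>`
/// will not compile. A stray `2` is rejected at runtime instead of transmuted.
#[repr(u8)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum DeviceState {
    Stopped = 0,
    Running = 1,
}

impl TryFrom<u8> for DeviceState {
    type Error = u8;
    fn try_from(raw: u8) -> Result<Self, u8> {
        match raw {
            0 => Ok(DeviceState::Stopped),
            1 => Ok(DeviceState::Running),
            other => Err(other),
        }
    }
}

/// Stand-in for a guest physical address space: a flat byte buffer the guest
/// is free to fill with anything at all.
struct GuestMemory {
    bytes: Vec<u8>,
}

impl GuestMemory {
    /// Copy a `T` out of guest memory at `gpa` into a host-owned value.
    /// Returns `None` if the range is out of bounds or the address overflows.
    fn read<T: ReadableFromGuest>(&self, gpa: u64) -> Option<T> {
        let len = size_of::<T>();
        let start = usize::try_from(gpa).ok()?;
        let end = start.checked_add(len)?;
        let src = self.bytes.get(start..end)?;
        let mut out = MaybeUninit::<T>::uninit();
        // SAFETY: `src` is exactly `size_of::<T>()` initialized bytes, `out`
        // has room for them, and `ReadableFromGuest` guarantees any such bytes
        // form a valid `T`. Copying byte-wise also sidesteps alignment.
        unsafe {
            ptr::copy_nonoverlapping(src.as_ptr(), out.as_mut_ptr() as *mut u8, len);
            Some(out.assume_init())
        }
    }

    /// Read a `DeviceState` the safe way: fetch the raw byte, then validate it.
    fn read_device_state(&self, gpa: u64) -> Option<Result<DeviceState, u8>> {
        self.read::<u8>(gpa).map(DeviceState::try_from)
    }
}

/// Constructed guest memory image: a `2` at offset 0 where a device-state byte
/// lives, and a descriptor in host byte order at offset 3 (deliberately not
/// 8-byte aligned, to show the byte copy does not care).
fn sample_guest_memory() -> GuestMemory {
    let mut bytes = vec![0u8; 64];
    bytes[0] = 2;
    let d = 3;
    bytes[d..d + 8].copy_from_slice(&0x1234_5678_9abc_def0u64.to_ne_bytes());
    bytes[d + 8..d + 12].copy_from_slice(&0x1000u32.to_ne_bytes());
    bytes[d + 12..d + 14].copy_from_slice(&1u16.to_ne_bytes());
    bytes[d + 14..d + 16].copy_from_slice(&7u16.to_ne_bytes());
    GuestMemory { bytes }
}

fn main() {
    let mem = sample_guest_memory();
    println!("descriptor: {:?}", mem.read::<RingDescriptor>(3));
    println!("state byte 2 -> {:?}", mem.read_device_state(0));
    println!("past the end -> {:?}", mem.read::<RingDescriptor>(49));
}
```

With `zerocopy` in place of the hand-rolled trait, `RingDescriptor` would carry `#[derive(FromBytes)]` and the `unsafe impl` disappears, while `DeviceState` still could not derive it because the macro rejects enums whose variants do not cover every bit pattern; the `TryFrom` validation step is what remains for such types.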