fix soundness issue with preallocated_gen_new

[apoelstra]

Stop this from being a generic function over all contexts, to only a function generic over contexts where we can bound the lifetime precisely. Introduces a new unsafe trait. I believe the only code this breaks was already unsound:

• code that tried to use one of the *Preallocated context markers with an incorrect lifetime
• code that tried to use preallocated_gen_new with a non-*Preallocated marker, which I believe we allowed before (I just noticed this now) and almost certainly would've led to UB on drop

Fixes #543

[apoelstra]

I'm not thrilled with this solution but it's a start so we can at least discuss what a better one might look like.

[tcharding]

I tested this with the code from @Kixunil, and with this applied we get

error[E0597]: `*array` does not live long enough
 --> src/main.rs:6:87
  |
6 |     secp256k1::Secp256k1::<secp256k1::AllPreallocated<'static>>::preallocated_gen_new(&mut *array).unwrap()
  |                                                                                       ^^^^^^^^^^^
  |                                                                                       |
  |                                                                                       borrowed value does not live long enough
  |                                                                                       cast requires that `*array` is borrowed for `'static`
7 | }
  | - `*array` dropped here while still borrowed

Which is exactly what we were after, right?

[tcharding]

Two comments; we can macroize this and also the trait needs to be public.

macro_rules! impl_preallocated_gen_new {
	($ty:ty) => {
		/// Lets you create a context with a preallocated buffer in a generic manner (sign/verify/all).
		fn preallocated_gen_new(buf: &'buf mut [AlignedType]) -> Result<Self, Error> {
			#[cfg(target_arch = "wasm32")]
			ffi::types::sanity_checks_for_wasm();

			if buf.len() < Self::preallocate_size_gen() {
				return Err(Error::NotEnoughMemory);
			}
			Ok(Secp256k1 {
				ctx: unsafe {
					NonNull::new_unchecked(ffi::secp256k1_context_preallocated_create(
						buf.as_mut_c_ptr() as *mut c_void,
						<$ty>::FLAGS,
					))
				},
				phantom: PhantomData,
			})
		}
	}
}
impl<'buf> PreallocatedContext<'buf> for Secp256k1<AllPreallocated<'buf>> {
	impl_preallocated_gen_new!(AllPreallocated<'buf>);
}
impl<'buf> PreallocatedContext<'buf> for Secp256k1<VerifyOnlyPreallocated<'buf>> {
	impl_preallocated_gen_new!(VerifyOnlyPreallocated<'buf>);
}
impl<'buf> PreallocatedContext<'buf> for Secp256k1<SignOnlyPreallocated<'buf>> {
	impl_preallocated_gen_new!(SignOnlyPreallocated<'buf>);
}

And, on a lighter note, this PR shows who round here is the C ludite that puts definitions above where they are used. I say that with much endearment and kindness as one often called a ludite to another :)

[Kixunil]

100% agree. You could also macroize the impl... line :)

Also notably we could keep inherent method just forwarding to trait. This would keep the currently-sound client code working after upgrade and avoid annoying imports.

[Kixunil]

I also realized none of this duplication/macro stuff would be needed if PreallocatedContext was an unsafe marker trait. Any specific reason you didn't choose it @apoelstra ?

[apoelstra]

I figured, making stuff unsafe that didn't use to be would be a more annoying change for users than doing something ugly. I don't feel strongly about this.

We could actually leave the code alone except to mark the existing preallocated_gen_new funciton unsafe. And/or we could just make it private, and insist users go through the more specific Secp256k1::<AllPreallocated<'a>>::preallocated_new etc methods.

[Kixunil]

unsafe trait is `unsafe to implement but safe to use. The API would be almost identical to the current, it'd just disallow unsound usage. So if someone used it soundly, without any generic crazyness it would work without change. Guaranteed UB would be guaranteed to fail to compile. Funny generics would have to be adjusted slightly but work as before.

[apoelstra]

Ah! I'm sorry, I misunderstood what you were suggesting.

Now I understand you to be suggesting: (1) add a new unsafe marker trait PreallocatedContext<'a>; (2) impl this for the three preallocated context markes e.g. AllPreallocated<'a>; (3) change the bound on preallocated_gen_new from C: Context + 'buf to C: Context + PreallocatedContext<'buf>.

I believe this would work. I'll try it.

[Kixunil]

Exactly.

[Kixunil]

At minimum the trait really needs to be pub.

Also are we going to backport this? (I vote yes and also yank old versions.) This is API-breaking but I suggest we adopt Rust policy of allowing API breakages for soundness fixes.

I also plan to file RustSec entry once the fix is released.

[Kixunil]

100% agree. You could also macroize the impl... line :)

Also notably we could keep inherent method just forwarding to trait. This would keep the currently-sound client code working after upgrade and avoid annoying imports.

[apoelstra]

Also are we going to backport this? (I vote yes and also yank old versions.) This is API-breaking but I suggest we adopt Rust policy of allowing API breakages for soundness fixes.

I don't feel strongly about it. I think it's obscure enough and "only if you use the method in a clearly wrong way" enough that it's not a big deal. But I get your argument and I won't say no if you want to backport-and-yank.

Especially if we decide to fix it just by tacking unsafe and some extra docs on the generic preallocated_gen_new method.

[Kixunil]

I feel like if I had a satoshi for every "use in a clearly wrong way" I'd cause another overflow bug...

So yes please, especially if we just fix the bound using unsafe trait. :)

[apoelstra]

Ok, pushed to use @Kixunil's unsafe solution. Much much better!

[apoelstra]

lol, we should move the fmt check out of the ASAN CI job ... it freaks me out every time that one fails

[Kixunil]

ACK 1e6eb6c

I also tested that my example doesn't compile.

We might make the trait sealed but I'm not sure if it'd interfere with other crates extending secp256k1 (e.g. zkp fork).

[tcharding]

ACK 1e6eb6c

[Kixunil]

FYI I have RustSec report prepared assuming we will backport the fix to 0.24.2. Feel free to review it including complaining about grammar.

[Kixunil]

Also new piece of information: yanked crates don't show on docs.rs which makes inspection extra hard (e.g. yanked version 0.13 is the last one that didn't have the affected method). Therefore I'm now against yanking all affected versions of the crate. I think it could be good to yank 0.24.1 as a simple way to signal the issue to users not using cargo audit (cargo warns when you're trying to build a yanked crate) but I wouldn't go beyond that.

[Kixunil]

code that tried to use preallocated_gen_new with a non-*Preallocated marker, which I believe we allowed before (I just noticed this now) and almost certainly would've led to UB on drop

Oh crap, only noticed it now. Good point! I tested it and it is the case. So I now have to update the report. 😄
Edit: report updated.

[apoelstra]

@Kixunil thanks, your rustsec advisory looks great!

Agreed about yanking 0.24.1 as a signal. I think we should also backport to 0.23 and 0.22, using the heuristic that rust-bitcoin 0.28 uses 0.22. So then users of the most recent and second-most recent rust-bitcoin would get a signal. (rust-bitcoin doesn't call preallocated_gen_new anywhere of course, but I'm using it as a prototypical rust-secp-dependent project)

[Kixunil]

Oh, good point, agree!