Remove some unsafe code; fix a soundness hole

Replace a number of lines of unsafe code with safe equivalents, some
using `zerocopy`. In one instance, fix a soundness hole (#720).

Closes #720

Author: joshlf

Cargo.lock

@@ -28,6 +28,7 @@ exclude = [
 [dependencies]
 cfg-if = "1.0"
 rustc-demangle = "0.1.24"
+zerocopy = "0.8.26"
 
 # Optionally enable the ability to serialize a `Backtrace`, controlled through
 # the `serialize-serde` feature below.

Cargo.toml

@@ -15,6 +15,7 @@ bench = false
 cfg-if = "1.0"
 rustc-demangle = "0.1.21"
 libc = { version = "0.2.156", default-features = false }
+zerocopy = "0.8.26"
 
 [target.'cfg(not(all(windows, target_env = "msvc", not(target_vendor = "uwp"))))'.dependencies]
 miniz_oxide = { version = "0.8", optional = true, default-features = false }

crates/as-if-std/Cargo.toml

@@ -1,7 +1,7 @@
 use core::fmt::{self, Write};
-use core::mem::{size_of, transmute};
 use core::slice::from_raw_parts;
 use libc::c_char;
+use zerocopy::FromBytes;
 
 unsafe extern "C" {
     // dl_iterate_phdr takes a callback that will receive a dl_phdr_info pointer
@@ -181,15 +181,12 @@ fn take_bytes_align4<'a>(num: usize, bytes: &mut &'a [u8]) -> Option<&'a [u8]> {
 // architectures correctness). The values in the Elf_Nhdr fields might
 // be nonsense but this function ensures no such thing.
 fn take_nhdr<'a>(bytes: &mut &'a [u8]) -> Option<&'a Elf_Nhdr> {
-    if size_of::<Elf_Nhdr>() > bytes.len() {
-        return None;
-    }
-    // This is safe as long as there is enough space and we just confirmed that
-    // in the if statement above so this should not be unsafe.
-    let out = unsafe { transmute::<*const u8, &'a Elf_Nhdr>(bytes.as_ptr()) };
-    // Note that sice_of::<Elf_Nhdr>() is always 4-byte aligned.
-    *bytes = &bytes[size_of::<Elf_Nhdr>()..];
-    Some(out)
+    let (hdr, suffix) = <[u32; 3]>::ref_from_prefix(*bytes).ok()?;
+    *bytes = suffix;
+
+    let hdr: *const [u32; 3] = hdr;
+    // SAFETY: `[u32; 3]` and `Elf_Nhdr` have the same layout.
+    Some(unsafe { &*hdr.cast::<Elf_Nhdr>() })
 }
 
 impl<'a> Iterator for NoteIter<'a> {

src/print/fuchsia.rs

@@ -222,9 +222,35 @@ unsafe fn do_resolve(
     get_line_from_addr: impl FnOnce(&mut IMAGEHLP_LINEW64) -> BOOL,
     cb: &mut dyn FnMut(&super::Symbol),
 ) {
-    const SIZE: usize = 2 * MAX_SYM_NAME as usize + mem::size_of::<SYMBOL_INFOW>();
-    let mut data = Aligned8([0u8; SIZE]);
-    let info = unsafe { &mut *data.0.as_mut_ptr().cast::<SYMBOL_INFOW>() };
+    const TRAILER_SIZE: usize = 2 * MAX_SYM_NAME as usize;
+
+    #[repr(C)]
+    struct Data {
+        symbol_infow: SYMBOL_INFOW,
+        __max_sym_name: [u8; TRAILER_SIZE],
+    }
+
+    let mut data = Aligned8(Data {
+        symbol_infow: SYMBOL_INFOW {
+            SizeOfStruct: 0,
+            TypeIndex: 0,
+            Reserved: [0, 0],
+            Index: 0,
+            Size: 0,
+            ModBase: 0,
+            Flags: 0,
+            Value: 0,
+            Address: 0,
+            Register: 0,
+            Scope: 0,
+            Tag: 0,
+            NameLen: 0,
+            MaxNameLen: 0,
+            Name: [0],
+        },
+        __max_sym_name: [0u8; TRAILER_SIZE],
+    });
+    let info = &mut data.0.symbol_infow;
     info.MaxNameLen = MAX_SYM_NAME as u32;
     // the struct size in C.  the value is different to
     // `size_of::<SYMBOL_INFOW>() - MAX_SYM_NAME + 1` (== 81)

src/symbolize/dbghelp.rs

@@ -4,7 +4,6 @@ use super::{Library, LibrarySegment};
 use alloc::borrow::ToOwned;
 use alloc::vec::Vec;
 use core::ffi::CStr;
-use core::mem;
 use object::NativeEndian;
 
 #[cfg(target_pointer_width = "64")]
@@ -38,8 +37,8 @@ pub(super) fn native_libraries() -> Vec<Library> {
     let mut libs = Vec::new();
 
     // Request the current link map from the runtime linker:
+    let mut map: *const LinkMap = core::ptr::null();
     let map = unsafe {
-        let mut map: *const LinkMap = mem::zeroed();
         if dlinfo(
             RTLD_SELF,
             RTLD_DI_LINKMAP,