Module cve_rs::segfault


A 100% memory-safe segmentation fault.

We use this hole to create a 'static reference to a dropped (yes, dropped) Box<Box<u8>>.

The smart pointer lived on the stack but has already been dropped, so the reference now borrows whatever data happens to occupy that stack slot. We can then fill the stack with zeros, which overwrites the smart pointer’s address with zero and turns the reference into a null reference in safe Rust.

Reading through that reference forces Rust to dereference the null pointer, which causes a segfault.

Note: In theory this should also work with a plain Box<u8>, but in practice the program reads arbitrary memory instead of segfaulting on the null pointer. We think this is due to compiler optimisations.

Functions