Fix soundness of FromBytes::read_from_io on 0.8.x

kupiakos · kupiakos · commit 93751fbe69fa · 2025-02-07T16:07:30.000-08:00
See google#2319. Backport of google#2320. Includes a Miri test confirming the previous unsoundness.
diff --git a/src/lib.rs b/src/lib.rs
@@ -4567,7 +4567,8 @@ pub unsafe trait FromBytes: FromZeros {
         Self: Sized,
         R: io::Read,
     {
-        let mut buf = CoreMaybeUninit::<Self>::zeroed();
+        let mut buf = CoreMaybeUninit::<Self>::uninit();
+        buf.zero();
         let ptr = Ptr::from_mut(&mut buf);
         // SAFETY: `buf` consists entirely of initialized, zeroed bytes.
         let ptr = unsafe { ptr.assume_validity::<invariant::Initialized>() };
@@ -6079,6 +6080,29 @@ mod tests {
         assert_eq!(bytes, want);
     }
 
+    #[test]
+    #[cfg(feature = "std")]
+    fn test_read_io_with_padding_soundness() {
+        #[derive(FromBytes)]
+        #[repr(C)]
+        struct WithPadding {
+            x: u8,
+            y: u16,
+        }
+        struct ReadsInRead;
+        impl std::io::Read for ReadsInRead {
+            fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
+                if buf.iter().all(|&x| x == 0) {
+                    Ok(buf.len())
+                } else {
+                    buf.into_iter().for_each(|x| *x = 0);
+                    Ok(buf.len())
+                }
+            }
+        }
+        assert!(matches!(WithPadding::read_from_io(ReadsInRead), Ok(WithPadding { x: 0, y: 0 })));
+    }
+
     #[test]
     #[cfg(feature = "std")]
     fn test_read_write_io() {
