Make *::from_anything methods unsafe

djkoloski · djkoloski · commit 78b7e6f98abc · 2023-01-24T11:02:56.000-05:00
The called function must uphold some invariants about initializing data
in order for the calls to `from_anything` to be sound.
diff --git a/src/unistd.rs b/src/unistd.rs
@@ -3631,7 +3631,12 @@ impl From<User> for libc::passwd {
 
 #[cfg(not(target_os = "redox"))] // RedoxFS does not support passwd
 impl User {
-    fn from_anything<F>(f: F) -> Result<Option<Self>>
+    /// # Safety
+    ///
+    /// If `f` writes to its `*mut *mut libc::passwd` parameter, then it must
+    /// also initialize the value pointed to by its `*mut libc::group`
+    /// parameter.
+    unsafe fn from_anything<F>(f: F) -> Result<Option<Self>>
     where
         F: Fn(
             *mut libc::passwd,
@@ -3687,9 +3692,13 @@ impl User {
     /// assert_eq!(res.name, "root");
     /// ```
     pub fn from_uid(uid: Uid) -> Result<Option<Self>> {
-        User::from_anything(|pwd, cbuf, cap, res| unsafe {
-            libc::getpwuid_r(uid.0, pwd, cbuf, cap, res)
-        })
+        // SAFETY: `getpwuid_r` will write to `res` if it initializes the value
+        // at `pwd`.
+        unsafe {
+            User::from_anything(|pwd, cbuf, cap, res| {
+                libc::getpwuid_r(uid.0, pwd, cbuf, cap, res)
+            })
+        }
     }
 
     /// Get a user by name.
@@ -3710,9 +3719,13 @@ impl User {
             Ok(c_str) => c_str,
             Err(_nul_error) => return Ok(None),
         };
-        User::from_anything(|pwd, cbuf, cap, res| unsafe {
-            libc::getpwnam_r(name.as_ptr(), pwd, cbuf, cap, res)
-        })
+        // SAFETY: `getpwnam_r` will write to `res` if it initializes the value
+        // at `pwd`.
+        unsafe {
+            User::from_anything(|pwd, cbuf, cap, res| {
+                libc::getpwnam_r(name.as_ptr(), pwd, cbuf, cap, res)
+            })
+        }
     }
 }
 
@@ -3763,7 +3776,12 @@ impl Group {
         ret
     }
 
-    fn from_anything<F>(f: F) -> Result<Option<Self>>
+    /// # Safety
+    ///
+    /// If `f` writes to its `*mut *mut libc::group` parameter, then it must
+    /// also initialize the value pointed to by its `*mut libc::group`
+    /// parameter.
+    unsafe fn from_anything<F>(f: F) -> Result<Option<Self>>
     where
         F: Fn(
             *mut libc::group,
@@ -3821,9 +3839,13 @@ impl Group {
     /// assert!(res.name == "root");
     /// ```
     pub fn from_gid(gid: Gid) -> Result<Option<Self>> {
-        Group::from_anything(|grp, cbuf, cap, res| unsafe {
-            libc::getgrgid_r(gid.0, grp, cbuf, cap, res)
-        })
+        // SAFETY: `getgrgid_r` will write to `res` if it initializes the value
+        // at `grp`.
+        unsafe {
+            Group::from_anything(|grp, cbuf, cap, res| {
+                libc::getgrgid_r(gid.0, grp, cbuf, cap, res)
+            })
+        }
     }
 
     /// Get a group by name.
@@ -3846,9 +3868,13 @@ impl Group {
             Ok(c_str) => c_str,
             Err(_nul_error) => return Ok(None),
         };
-        Group::from_anything(|grp, cbuf, cap, res| unsafe {
-            libc::getgrnam_r(name.as_ptr(), grp, cbuf, cap, res)
-        })
+        // SAFETY: `getgrnam_r` will write to `res` if it initializes the value
+        // at `grp`.
+        unsafe {
+            Group::from_anything(|grp, cbuf, cap, res| {
+                libc::getgrnam_r(name.as_ptr(), grp, cbuf, cap, res)
+            })
+        }
     }
 }
 }
