
UPSTREAM PR #26984: rust/upb: harden extension mut lifetimes #150

Open
loci-dev wants to merge 4 commits into main from loci/pr-26984-arena-lifetime-hardening

Conversation

@loci-dev

Note

Source pull request: protocolbuffers/protobuf#26984

Problem

rust/upb_kernel/extension.rs used explicit lifetime extension at the Rust/C arena boundary:

let arena_ref: &'msg Arena = std::mem::transmute(msg.get_arena(Private));

This appeared in mutable extension paths and depended on a manual safety contract instead of structural lifetime propagation.

Why This Matters

This is a secure-by-design hardening change for latent lifetime unsoundness risk at an FFI ownership boundary.

  • The previous pattern relied on non-local invariants and reviewer discipline.
  • Plausible refactors could keep code compiling while weakening arena/lifetime coupling.
  • Removing explicit lifetime transmute from these paths reduces the chance of silent UAF-style regressions.

What This PR Changes

  1. Removes explicit lifetime transmute in extension mutable access.
     • rust/upb_kernel/extension.rs
     • Extension mutation now gets pointer + arena through typed internals, not transmute(msg.get_arena(...)).
  2. Threads 'msg lifetime structurally through message mut internals.
     • rust/upb_kernel/message.rs
     • rust/codegen_traits.rs
     • src/google/protobuf/compiler/rust/message.cc
     • Adds/generates MessageMut::as_message_mut_inner(...) -> MessageMutInner<'msg, _> plumbing.
  3. Adds targeted regression coverage for extension mutation paths.
     • rust/test/upb/extension_runtime_smoke_test.rs
     • rust/test/upb/extension_lifetime_regression_test.rs
     • rust/test/upb/BUILD
  4. Fixes smoke-test field-type constant correctness.
     • rust/test/upb/extension_runtime_smoke_test.rs
     • Uses FieldType_String = 9 (instead of 10, which is Group) when encoding the repeated string extension mini descriptor.

Scope / Non-Goals

  • This PR does not claim a currently weaponized exploit on upstream HEAD.
  • Scope is risk reduction: remove explicit unsafe lifetime bypasses in extension mutable paths and add targeted regression coverage.
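The structural alternative the description argues for, shown as an added example that is not code from the protobuf repository or from this PR: a toy arena and a carrier struct that hands out the raw message pointer and the arena borrow as one unit, so the mutable extension view inherits 'msg from the parent instead of a lifetime produced by transmute. Every name below (Arena, RawMessage, MessageMutInner, MessageMut, ExtensionMut, set_bytes_extension, demo) is a placeholder chosen for this example, not an upb or protobuf-rust type; the byte allocator stands in for the real arena.

```rust
// Added illustration, not protobuf/upb code: the arena reference travels
// together with the raw message pointer inside a struct that carries the
// 'msg lifetime, so a mutable extension view cannot outlive the arena.
// All names here (Arena, RawMessage, MessageMutInner, MessageMut,
// ExtensionMut, set_bytes_extension) are placeholders chosen for this example.
use std::alloc::{alloc_zeroed, dealloc, Layout};
use std::cell::RefCell;

/// Toy arena: every message and extension value lives in one of its blocks,
/// all released together when the arena drops.
pub struct Arena {
    blocks: RefCell<Vec<(*mut u8, Layout)>>,
}

impl Arena {
    pub fn new() -> Self { Arena { blocks: RefCell::new(Vec::new()) } }

    /// Allocate `len` zeroed bytes that stay valid for the arena's lifetime.
    pub fn alloc(&self, len: usize) -> *mut u8 {
        let layout = Layout::from_size_align(len.max(1), 1).expect("valid layout");
        // SAFETY: the layout has a non-zero size.
        let ptr = unsafe { alloc_zeroed(layout) };
        assert!(!ptr.is_null(), "arena allocation failed");
        self.blocks.borrow_mut().push((ptr, layout));
        ptr
    }

    pub fn allocated_blocks(&self) -> usize { self.blocks.borrow().len() }
}

impl Drop for Arena {
    fn drop(&mut self) {
        for (ptr, layout) in self.blocks.borrow_mut().drain(..) {
            // SAFETY: each pair came from `alloc_zeroed(layout)` and is freed exactly once.
            unsafe { dealloc(ptr, layout) }
        }
    }
}

/// Raw message storage: pointer into the arena plus payload length.
#[derive(Clone, Copy)]
pub struct RawMessage { ptr: *mut u8, len: usize }

/// The structural carrier: pointer and arena are handed out as one unit and the
/// `&'msg Arena` borrow pins 'msg, so no lifetime has to be manufactured by transmute.
pub struct MessageMutInner<'msg> {
    pub raw: RawMessage,
    pub arena: &'msg Arena,
}

/// Typed mutable view over a message allocated in `arena`.
pub struct MessageMut<'msg> { inner: MessageMutInner<'msg> }

impl<'msg> MessageMut<'msg> {
    pub fn new_in(arena: &'msg Arena, len: usize) -> Self {
        let ptr = arena.alloc(len);
        MessageMut { inner: MessageMutInner { raw: RawMessage { ptr, len }, arena } }
    }

    pub fn payload_len(&self) -> usize { self.inner.raw.len }

    /// Counterpart of the `as_message_mut_inner` plumbing named in the PR text:
    /// the caller receives pointer + arena already tied to 'msg.
    pub fn as_message_mut_inner(&mut self) -> MessageMutInner<'msg> {
        MessageMutInner { raw: self.inner.raw, arena: self.inner.arena }
    }
}

/// Mutable access to an extension value stored in the parent's arena.
pub struct ExtensionMut<'msg> { value: &'msg mut [u8] }

impl<'msg> ExtensionMut<'msg> {
    pub fn as_bytes(&self) -> &[u8] { &self.value[..] }
    pub fn set_first(&mut self, b: u8) {
        if let Some(x) = self.value.first_mut() { *x = b; }
    }
}

/// Set a bytes-valued extension. The arena comes from `inner.arena`, so the
/// returned view inherits 'msg from the parent rather than a transmuted lifetime.
pub fn set_bytes_extension<'msg>(inner: MessageMutInner<'msg>, payload: &[u8]) -> ExtensionMut<'msg> {
    let ptr = inner.arena.alloc(payload.len());
    // SAFETY: `ptr` was just allocated for exactly `payload.len()` bytes, the
    // arena keeps it alive for 'msg, and no other reference to it exists yet.
    let value: &'msg mut [u8] = unsafe { std::slice::from_raw_parts_mut(ptr, payload.len()) };
    value.copy_from_slice(payload);
    ExtensionMut { value }
}

/// Sample usage on constructed data: returns the extension bytes after mutation
/// and the arena block count (one block for the message, one for the extension).
pub fn demo() -> (Vec<u8>, usize) {
    let arena = Arena::new();
    let mut msg = MessageMut::new_in(&arena, 16);
    let mut ext = set_bytes_extension(msg.as_message_mut_inner(), b"hello");
    ext.set_first(b'j');
    // `ext` borrows `arena` for 'msg: moving or dropping `arena` here would not compile.
    (ext.as_bytes().to_vec(), arena.allocated_blocks())
}
```

The point of the shape is that the only `unsafe` block left is the one that turns a freshly allocated arena pointer into a slice, and its justification is local: the arena came in through `inner.arena`, not from a `transmute` whose soundness depends on a contract stated somewhere else. A refactor that tried to keep an `ExtensionMut` past the arena's scope fails to borrow-check instead of compiling into a use-after-free.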

@loci-review

loci-review Bot commented Apr 20, 2026

No meaningful performance changes were detected across 10159 analyzed functions in the following binaries: build.protoc-stable.

💬 Questions? Tag @loci-dev

loci-dev force-pushed the main branch 25 times, most recently from d27e9b1 to cffafda (April 23, 2026 18:48)
loci-dev force-pushed the main branch 8 times, most recently from ec8c960 to e3c8630 (April 27, 2026 07:22)
@loci-review

loci-review Bot commented Apr 27, 2026

No meaningful performance changes were detected across 10164 analyzed functions in the following binaries: build.protoc-stable.


loci-dev force-pushed the main branch 6 times, most recently from f292971 to 1fdfb93 (April 29, 2026 07:16)