this post was submitted on 17 Dec 2025
179 points (98.4% liked)

Technology

77790 readers
2493 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
179
Linux Kernel Rust Code Sees Its First CVE Vulnerability (www.phoronix.com)
submitted 1 day ago* (last edited 1 day ago) by hal_5700X@sh.itjust.works to c/technology@lemmy.world
49 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] ryannathans@aussie.zone 14 points 1 day ago (5 children)

What's the point of rewriting parts of the kernel in unsafe rust?

[–] Technus@lemmy.zip 80 points 1 day ago (2 children)

Because Rust lets you choose when something is unsafe vs writing all unsafe in code all the time:

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase

[–] isVeryLoud@lemmy.ca 3 points 23 hours ago (1 children)

I wonder if this can be adjusted for LoC count in each language

[–] victorz@lemmy.world 7 points 20 hours ago (1 children)

Not sure if that's a fair metric yet.

[–] isVeryLoud@lemmy.ca 4 points 19 hours ago (1 children)

It's not, I have no better idea

[–] nsfw936421@lemmynsfw.com 3 points 11 hours ago

Maybe only counting new/edited LoC in that language. But also probably not completely fair.

[–] ryannathans@aussie.zone 5 points 1 day ago (1 children)

Yes same concept as other languages like C#

[–] Technus@lemmy.zip 7 points 1 day ago (2 children)

You go ahead and write an OS kernel in C# then.

[–] ryannathans@aussie.zone 9 points 1 day ago (1 children)

Why the hell would you do that

[–] Technus@lemmy.zip 4 points 20 hours ago (1 children)

Why would you bring up C# in a thread about kernel programming?

[–] ryannathans@aussie.zone 2 points 19 hours ago* (last edited 19 hours ago) (2 children)

Talking about how unsafe is not some new fancy rust feature and exists in other languages. Your comment makes it sound like the choice is some new wild computing concept.

[–] Hawk@lemmynsfw.com 2 points 15 hours ago

Memory safe languages that are not garbage collected are not all that common. Ada and Rust are two examples.

With great care C++ and zig can be.

I'm sure there's a good reason a lot of the big players and the community at large have picked up rust though. Docs, error messages, cargo community etc.

I would argue that Rust does bring a lot to the table. I certainly would never code in C for work but I'll happily reach for Rust.

[–] AI_toothbrush@lemmy.zip 1 points 19 hours ago (1 children)

Bruh do you actually not get it. The point of rust is that its memory safe(with a huge grain of salt in the case of low level programming) and is a language you can write kernels in. Youre not gonna write a kernel in C# so it doesnt really matter for a discussion about kernels.

[–] ryannathans@aussie.zone 2 points 19 hours ago (1 children)

I think you are lost, nobody is saying use C# for an OS kernel.

[–] boonhet@sopuli.xyz 5 points 1 day ago

Here, someone already wrote a bare bones one. Of course that also uses an unsafe block lol

[–] eager_eagle@lemmy.world 32 points 1 day ago

it's not like the whole driver is written in unsafe rust

[–] mech@feddit.org 18 points 1 day ago (1 children)

Mostly to attract new, younger kernel maintainers.

[–] pinball_wizard@lemmy.zip 22 points 1 day ago

That's legitimately a good reason. They can pry my C from my cold dead hands...but someday someone will have to. May as well think about what that should look like.

[–] ark3@lemmy.dbzer0.com 12 points 1 day ago

unsafe is usually used only when you need to interact with something else like low level or ffi

[–] hal_5700X@sh.itjust.works 3 points 1 day ago (1 children)

Because Rust is the popular thing in FOSS/Linux at the moment.

[–] ryannathans@aussie.zone 17 points 1 day ago (1 children)

For memory safety, which is not unsafe rust

[–] hal_5700X@sh.itjust.works 9 points 1 day ago (3 children)

You say that. But the CVE is a memory corruption bug.

[–] dgriffith@aussie.zone 48 points 1 day ago (1 children)

Which is worse?

  • Entire driver written in a non memory safe language?
  • The interface to the rest of the kernel is marked as unsafe and then the other X percent is safe from memory corruption?

Surely if X > 0 then this is still a net improvement?

[–] sik0fewl@lemmy.ca 6 points 1 day ago (1 children)

I don't know, but I found this article interesting with respect to unsafe Rust - https://lightpanda.io/blog/posts/why-we-built-lightpanda-in-zig

[–] killingspark@feddit.org 4 points 1 day ago

After writing this comment I noticed it became a bit ranty, sorry for that. Something about this article rubbed a bit in the wrong way.

The relevant section seems to be this:

Browser engines and garbage-collected runtimes are classic examples of code that fights the borrow checker. You’re constantly juggling different memory regions: per-page arenas, shared caches, temporary buffers, objects with complex interdependencies. These patterns don’t map cleanly to Rust’s ownership model. You end up either paying performance costs (using indices instead of pointers, unnecessary clones) or diving into unsafe code where raw pointer ergonomics are poor and Miri becomes your constant companion.

The first half is obviously correct, this kind of data model doesn't work well for the ownership model rust uses for its borrowchecker. I don't like the conclusion though. Rust makes you pay the performance costs necessary to make your code safe. You would need to pay similar costs in other languages if you intend on writing safe code.

Sure, if you are fine with potential memory corruption bugs, you don't need these costs, but that's not how I would want to code.

The other thing bugging me is how miri being your companion is framed as something bad. Why? Miri is one the best things about rusts unsafe code tooling. It's like valgrind, or sanitisers but better.

Now, the raw pointer ergonomics could be better, I'll give them that. But if you dive deep into what rust does with raw pointers, or rather what they are planning to do, is really really cool. Provenance and supporting cheri natively is just not possible for languages that chose the ergonomic of a raw integer over what rust does.

[–] JustAnotherKay@lemmy.world 9 points 1 day ago

They’re not calling Rust unsafe. There is a memory safe mode and a memory unsafe mode in Rust, and this was built in unsafe Rust which allowed for the memory bug to be exploited

[–] ryannathans@aussie.zone 0 points 1 day ago (1 children)

You don't understand what unsafe means

[–] sem@piefed.blahaj.zone 8 points 1 day ago* (last edited 20 hours ago) (1 children)

Rust by default will not allow you to make certain kinds of errora, which is great. But if you are doing something advanced, ~~down at the hardware level~~ [see below], you might need to disable those defaults in order to write the code you need. This is what people mean by "unsafe" -- lacking the normal memory safeguards.

With careful coding, "unsafe rust" or normal C, for that matter, can be free of bugs and safe. But if programmers make a mistake, vulnerabilities can creep in more easily in the unsafe sections.

Is that basically it?

[–] CandleTiger@programming.dev 7 points 1 day ago (1 children)

But if you are doing something advanced, down at the hardware level

This part is wrong. Otherwise yes correct.

The “unsafe” code in rust is allowed to access memory locations in ways that skip the compiler’s check and guarantee that that memory location has valid data. They programmer is on their own to ensure that.

Which as you say is just the normal state of affairs for all C code.

This is needed not because of hardware access but just because sometimes the proof that the access is safe is beyond what the compiler is able to represent.

[–] sem@piefed.blahaj.zone 1 points 21 hours ago (1 children)

Thank you for the correction, I'll edit my comment.

sometimes the proof that the access is

safe is bevond what the compiler is able to represent

Could you say a few more words about this? In what situations do you have to write 'unsafe-tagged' code blocks? Could this be changed by improvements to the compiler? Or is it necessitated by the type of task being done by the code?

[–] CandleTiger@programming.dev 2 points 15 hours ago

Check out the excellent tutorial # Learn Rust With Entirely Too Many Linked Lists especially chapters five and six. It has a lot more words, it’s entertaining, engaging, and informative.