
    When combined with the Error::downcast* family of methods this can enable safe casting of a type to the wrong type, causing security issues such as out of bounds reads/writes/etc.

    “safe casting” means “in code not using unsafe”, right? The problem is that the cast isn’t actually safe?


      Yes. It’s because the downcast methods on dyn Error rely on type_id to be correct in order to implement safe casting. For example, here is how downcast_ref is implemented (which in turn relies on is, which in turn relies on type_id).

      Normally, type_id is implemented for you automatically. But such default methods can be overridden by the user, which ultimately can lead to UB without invoking unsafe anywhere. Here’s an example: https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=0a7cc24ed6a5ba741aae9fdf5917f2dc


        If I understand correctly, yes. The key methods in play here are the Any type’s downcast_ref (and the other downcast methods) and the is method - downcast uses is (which in turn uses type_id) to check if a cast is possible.
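The mechanism the replies above describe (downcast_ref trusts is, is trusts type_id, and type_id is a default method anyone can override) can be reproduced in a few dozen lines without touching the standard library. The following is an added example written for this page, not code from the thread or from the Rust standard library: the trait Fallible, the types ParseError and Impostor, and the helper functions are all made up here to mirror the shape of the pre-fix Error trait. The two concrete types are given identical #[repr(C)] layouts so the confused reference is still layout-valid and the demo is deterministic; with a larger target type the same cast is the out-of-bounds read the advisory text refers to.

```rust
use std::any::TypeId;

/// Stand-in for the pre-fix `std::error::Error`: `type_id` is a provided
/// (default) method, so any implementor may override it. This mirrors the
/// shape of that trait; it is not the std source.
trait Fallible {
    fn describe(&self) -> String;

    fn type_id(&self) -> TypeId
    where
        Self: 'static,
    {
        TypeId::of::<Self>()
    }
}

impl dyn Fallible {
    /// Like `<dyn Error>::is`: it simply trusts whatever `type_id` reports.
    fn is<T: Fallible + 'static>(&self) -> bool {
        TypeId::of::<T>() == Fallible::type_id(self)
    }

    /// Like `<dyn Error>::downcast_ref`: the pointer cast is only sound if
    /// `is` told the truth, which an overridden `type_id` can break.
    fn downcast_ref<T: Fallible + 'static>(&self) -> Option<&T> {
        if self.is::<T>() {
            // SAFETY: relies on `type_id` being honest. With a lying override
            // this hands out a `&T` to memory that is not a `T`.
            unsafe { Some(&*(self as *const dyn Fallible as *const T)) }
        } else {
            None
        }
    }
}

/// An honest error type (hypothetical); it keeps the default `type_id`.
#[repr(C)]
struct ParseError {
    line: u32,
}

impl Fallible for ParseError {
    fn describe(&self) -> String {
        format!("parse error at line {}", self.line)
    }
}

/// A hypothetical type that lies about its identity. It never uses `unsafe`,
/// yet it makes the safe `downcast_ref` above return a `&ParseError` that
/// actually points at an `Impostor`. Both structs are `#[repr(C)]` with one
/// `u32` field so the confused reference is still layout-valid in this demo;
/// with a larger target type the same cast becomes an out-of-bounds read.
#[repr(C)]
struct Impostor {
    code: u32,
}

impl Fallible for Impostor {
    fn describe(&self) -> String {
        format!("impostor with code {:#x}", self.code)
    }

    // The override at the heart of the issue: claim to be a `ParseError`.
    fn type_id(&self) -> TypeId {
        TypeId::of::<ParseError>()
    }
}

/// Honest case: the downcast succeeds only for the real type.
fn honest_downcast() -> (Option<u32>, bool) {
    let e: Box<dyn Fallible> = Box::new(ParseError { line: 7 });
    let line = e.downcast_ref::<ParseError>().map(|p| p.line);
    let as_impostor = e.downcast_ref::<Impostor>().is_some();
    (line, as_impostor)
}

/// Confused case: no `unsafe` anywhere in `Impostor`, yet safe code obtains a
/// `&ParseError` whose bytes are really `Impostor::code`.
fn confused_downcast() -> Option<u32> {
    let e: Box<dyn Fallible> = Box::new(Impostor { code: 0xDEAD_BEEF });
    e.downcast_ref::<ParseError>().map(|p| p.line)
}

fn main() {
    let e: Box<dyn Fallible> = Box::new(Impostor { code: 1 });
    println!("{}", e.describe());
    println!("honest: {:?}", honest_downcast());
    println!("confused: {:?}", confused_downcast());
}
```

The honest type downcasts as expected (Some(7) for ParseError, nothing for Impostor), while the lying type makes downcast_ref return Some(0xdeadbeef) read through a ParseError reference. The general remedy for any library that builds an unsafe cast on a trait method is to make that method impossible to override from outside the crate, for example by sealing it behind a private token argument, so the cast's safety argument does not depend on downstream code.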