Hello,
We are working on a static analysis tool designed to detect unsoundness and safety violations in Rust projects. We discovered a critical soundness vulnerability in src/catfs/mod.rs.
Location:
The vulnerability is in the public function make_self:
pub fn make_self<T>(s: &mut T) -> &'static T {
return unsafe { ::std::mem::transmute(s) };
}
Description:
The function make_self takes a mutable reference with an arbitrary lifetime &'a mut T and transmutes it to a static reference &'static T.
This is fundamentally unsound because it allows creating a 'static reference to data that has a shorter lifetime (e.g., a stack-allocated local variable). When the original data goes out of scope, the 'static reference becomes a dangling pointer, and any access through it is a use-after-free (UAF), i.e. undefined behaviour.
transmute is permitted inside an unsafe block, but exposing it through a safe fn asserts to every caller that the call is sound for any argument. That assertion is false here, so purely safe downstream code can trigger undefined behaviour.
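As an added example (not catfs code), the following contrasts the reported signature, re-marked as unsafe so callers must uphold its contract, with two sound alternatives that obtain a reference without lying about its lifetime. All function names are hypothetical.

```rust
use std::mem;

/// Minimal fix for the reported signature (hypothetical name): the body is
/// unchanged, but the function is `unsafe`, so the compiler no longer lets
/// safe callers launder a short-lived borrow into `'static`.
///
/// # Safety
/// `s` must point to memory that is never freed and is never mutated again
/// through any other path for the rest of the program.
pub unsafe fn make_self_unchecked<T>(s: &mut T) -> &'static T {
    // Same transmute as the reported function; only the signature changed.
    unsafe { mem::transmute::<&mut T, &'static T>(s) }
}

/// Sound alternative when a `'static` reference is genuinely required:
/// move the value to the heap and deliberately leak it, so `'static` is
/// justified by ownership rather than by transmute. Cost: one leaked allocation.
pub fn leak_to_static<T: 'static>(value: T) -> &'static T {
    Box::leak(Box::new(value))
}

/// Sound alternative when the caller only needs a shared view of the same
/// borrow: keep the caller's lifetime instead of claiming `'static`.
pub fn shared_view<'a, T>(s: &'a mut T) -> &'a T {
    &*s
}

// With the original `make_self` this compiles and returns a dangling reference:
//     fn dangling() -> &'static u32 { let mut x = 7; make_self(&mut x) }
// With `shared_view` the same body is rejected by the borrow checker,
// because `x` does not live long enough for the returned reference.

fn main() {
    let config: &'static String = leak_to_static(String::from("catfs"));
    let mut counter = 41u32;
    let view = shared_view(&mut counter);
    println!("{} {}", config, view);
}
```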
Consequences:
Since this crate is published on crates.io, any downstream user can call this function from safe code and will reasonably assume it is sound. This can lead to hard-to-debug memory corruption in production environments.