Unsound
quininer opened this issue
Hi, I stumbled upon this crate, and it seems to have some soundness issues.
use std::{ fs, io };

fn main() -> io::Result<()> {
    let mut ring = rio::new().expect("create uring");
    let file = fs::File::open("Cargo.toml").expect("openat");
    let completion = {
        let mut data = vec![0; 12];
        let mut in_io_slice = io::IoSliceMut::new(&mut data);
        // The read is only queued here; nothing has been submitted to the
        // kernel yet, but the ring has already captured a pointer into `data`.
        ring.read(&file, &mut in_io_slice, 0)?
        // `data` is dropped at the end of this block while the read is
        // still pending: the completion now points at freed memory.
    };
    // A fresh allocation of the same size, which the allocator is likely to
    // place in the slot just freed above.
    let data = vec![0x42; 12];
    ring.submit_all()?;
    completion.wait()?;
    // If the slot was reused, this prints file bytes instead of 0x42s:
    // the kernel wrote into memory it no longer had any right to.
    println!("{:?}", data);
    Ok(())
}
This is a simple use-after-free PoC. The kernel will write data to freed memory, which will cause a memory error.
of course. this kind of junk is going to be possible in any library that allows you to pass an IoSliceMut into this, which is why I'm building a real buffer management system that will be the basis for this, and IoSliceMut-based operations will not be possible.
what exists in this repo is very pre-alpha, as I've said in communications around it on social media. the good stuff will come when combining it with a proper registered bump allocation arena with lock-free reclamation that I'm basically just copying over from sled's current storage engine.
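The fix the reply points at is an ownership change rather than a bounds check: the ring must own the destination buffer for the whole time the kernel may write to it, and hand it back only on completion. The following is an added example of that design and is not rio's code; the `Ring`, `Pending` and `Completion` types and the background thread standing in for the kernel are all assumptions made for illustration. `read_first_12` mirrors the shape of the PoC above, but because `read_at` takes the `Vec<u8>` by value, the inner block has nothing left to free.

```rust
use std::io;
use std::sync::mpsc::{self, Receiver, Sender};
use std::thread::{self, JoinHandle};

/// A read the toy "kernel" has not finished yet. It OWNS the destination
/// buffer for as long as the I/O is in flight (assumed type, not rio's).
struct Pending {
    buf: Vec<u8>,
    at: usize,
    reply: Sender<io::Result<(usize, Vec<u8>)>>,
}

/// Handle returned to the caller. The only way to get the buffer back is to
/// wait for the kernel to hand it over, so it cannot be freed early.
pub struct Completion {
    rx: Receiver<io::Result<(usize, Vec<u8>)>>,
}

impl Completion {
    /// Blocks until the read finished; yields (bytes read, buffer).
    pub fn wait(self) -> io::Result<(usize, Vec<u8>)> {
        self.rx
            .recv()
            .unwrap_or_else(|_| Err(io::Error::new(io::ErrorKind::BrokenPipe, "ring closed")))
    }
}

/// Toy ring: queues reads, then ships them to a thread that plays the kernel.
pub struct Ring {
    queue: Vec<Pending>,
    to_kernel: Option<Sender<Pending>>,
    kernel: Option<JoinHandle<()>>,
}

impl Ring {
    /// `contents` is a constructed stand-in for the file being read.
    pub fn new(contents: Vec<u8>) -> Ring {
        let (to_kernel, from_user) = mpsc::channel::<Pending>();
        let kernel = thread::spawn(move || {
            for mut op in from_user {
                // The "kernel" writes into memory it was handed. Because the
                // Vec travelled inside the request, that memory is alive.
                let start = op.at.min(contents.len());
                let n = (contents.len() - start).min(op.buf.len());
                op.buf[..n].copy_from_slice(&contents[start..start + n]);
                let _ = op.reply.send(Ok((n, op.buf)));
            }
        });
        Ring { queue: Vec::new(), to_kernel: Some(to_kernel), kernel: Some(kernel) }
    }

    /// Takes the buffer by value: the caller cannot touch or drop it while
    /// the read is outstanding, so the PoC's dangling pointer is unwritable.
    pub fn read_at(&mut self, buf: Vec<u8>, at: usize) -> Completion {
        let (reply, rx) = mpsc::channel();
        self.queue.push(Pending { buf, at, reply });
        Completion { rx }
    }

    pub fn submit_all(&mut self) -> io::Result<()> {
        let tx = self.to_kernel.as_ref().expect("ring still open");
        for op in self.queue.drain(..) {
            tx.send(op)
                .map_err(|_| io::Error::new(io::ErrorKind::BrokenPipe, "kernel thread gone"))?;
        }
        Ok(())
    }
}

impl Drop for Ring {
    fn drop(&mut self) {
        // Closing the submission channel ends the kernel loop; then join it.
        self.to_kernel.take();
        if let Some(k) = self.kernel.take() {
            let _ = k.join();
        }
    }
}

/// Same shape as the use-after-free PoC, rewritten against the owned-buffer
/// API. Returns the bytes actually read.
pub fn read_first_12(contents: &[u8]) -> io::Result<Vec<u8>> {
    let mut ring = Ring::new(contents.to_vec());
    let completion = {
        let data = vec![0u8; 12];
        ring.read_at(data, 0) // `data` is moved in; leaving the block frees nothing
    };
    let _unrelated = vec![0x42u8; 12]; // allocated mid-flight, harmlessly
    ring.submit_all()?;
    let (n, data) = completion.wait()?;
    Ok(data[..n].to_vec())
}

fn main() -> io::Result<()> {
    let sample = b"[package]\nname = \"demo\"\n"; // constructed sample file
    println!("{:?}", read_first_12(sample)?);
    Ok(())
}
```

The point worth noticing is what the borrow checker now does for free: with `IoSliceMut` the kernel held a pointer the compiler could not see, so dropping `data` early was legal Rust. With the buffer moved into `Pending`, the equivalent early drop is simply not expressible, and a short file (the second test) comes back as a short read rather than a stale buffer.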