Passing an uninitialized buffer to a generic `Read` implementation is one of the most common soundness bugs in the Rust ecosystem (e.g., RUSTSEC-2021-0015, RUSTSEC-2021-0029, gfx#3567). Unfortunately, initializing the buffer often leads to performance degradation, and there is currently no way to use a generic `Read` without initialization cost in stable Rust.
RFC 2930 provides a solution to this issue. It adds the `ReadBuf` type and related APIs to the `Read` trait, which allow safe management of uninitialized buffers. This RFC has been merged, but there is no implementation available yet.
What I would like to suggest is to prioritize, implement, and advertise RFC 2930 as part of edition 2021. Technically `ReadBuf` is not a breaking change, but as noted in the RFC, `ReadBuf` introduces a nontrivial amount of complexity to one of the standard library's core traits. Thus, advertising it as a change introduced in a new edition will help people learn and adopt the new APIs, because people are more willing to accept larger changes at the edition boundary.
Additionally, raising awareness of `ReadBuf` would help resolve a longstanding misconception about uninitialized buffers in Rust. Although incorrect use of an uninitialized buffer can lead to observable memory safety errors (#1, #2), the impact of using an uninitialized buffer is often overlooked. I've seen several soundness bugs that follow a similar pattern of uninitialized `read()` (e.g., RUSTSEC-2020-0123, glium#1907, claxon#26). When implemented, `ReadBuf` could be a solid example that explains that an uninitialized buffer cannot be passed to an API that is not expecting it, which I believe would help prevent similar soundness bugs in the future.
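The block below is an added illustration, not code from RFC 2930, the standard library, or the issue author: a simplified model of the `ReadBuf` idea (method names follow the RFC's naming, the bodies are this example's own) plus a `read_into` bridge and a `read_up_to` helper. It shows why a legacy `Read` impl can never observe uninitialized memory through this API, and why the zeroing cost is paid once per buffer rather than once per `read()` call.

```rust
use std::io::{self, Read};
use std::mem::MaybeUninit;

/// Simplified model of RFC 2930's ReadBuf (illustration, not the std API): it tracks
/// how much of the buffer is initialized and how much holds bytes from the reader.
pub struct ReadBuf<'a> {
    buf: &'a mut [MaybeUninit<u8>],
    filled: usize,      // bytes the reader has produced
    initialized: usize, // bytes that are safe to expose as &mut [u8]
}

impl<'a> ReadBuf<'a> {
    pub fn uninit(buf: &'a mut [MaybeUninit<u8>]) -> Self { ReadBuf { buf, filled: 0, initialized: 0 } }
    pub fn remaining(&self) -> usize { self.buf.len() - self.filled }
    pub fn initialized_len(&self) -> usize { self.initialized }
    /// Only the filled prefix is ever handed out as &[u8], so callers cannot read garbage.
    pub fn filled(&self) -> &[u8] {
        // SAFETY: every byte below `filled` was initialized before being marked filled.
        unsafe { &*(&self.buf[..self.filled] as *const [MaybeUninit<u8>] as *const [u8]) }
    }
    /// Zero the never-initialized tail once; later calls find nothing left to zero, so a
    /// legacy `Read` impl pays the initialization cost per buffer, not per read() call.
    pub fn initialize_unfilled(&mut self) -> &mut [u8] {
        for slot in &mut self.buf[self.initialized..] { slot.write(0); }
        self.initialized = self.buf.len();
        // SAFETY: filled..len is now initialized.
        unsafe { &mut *(&mut self.buf[self.filled..] as *mut [MaybeUninit<u8>] as *mut [u8]) }
    }
    /// Mark `n` freshly written bytes as data; `filled` may never run ahead of `initialized`.
    pub fn add_filled(&mut self, n: usize) {
        assert!(self.filled + n <= self.initialized, "reader claimed more bytes than were initialized");
        self.filled += n;
    }
}

/// Bridge for an existing `Read` impl: whatever it does with the slice, even reading it
/// before writing, it only ever observes initialized memory.
pub fn read_into<R: Read>(r: &mut R, buf: &mut ReadBuf<'_>) -> io::Result<usize> {
    let n = r.read(buf.initialize_unfilled())?;
    buf.add_filled(n);
    Ok(n)
}
/// Read up to `cap` bytes into uninitialized capacity instead of a pre-zeroed vec![0; cap].
pub fn read_up_to<R: Read>(r: &mut R, cap: usize) -> io::Result<Vec<u8>> {
    let mut storage: Vec<MaybeUninit<u8>> = Vec::with_capacity(cap);
    // SAFETY: MaybeUninit<u8> has no validity invariant, so exposing spare capacity is sound.
    unsafe { storage.set_len(cap) };
    let mut buf = ReadBuf::uninit(&mut storage);
    while buf.remaining() > 0 && read_into(r, &mut buf)? > 0 {}
    Ok(buf.filled().to_vec())
}
```

Note that `read_into` still zeroes the buffer the first time; the saving comes from readers that implement the `ReadBuf`-based API directly and write into the unfilled region without that step.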