Improve robustness of the Hermit backend

newpavlov · newpavlov · commit 594545530ff0 · 2023-11-08T09:32:18.000+03:00
diff --git a/src/error.rs b/src/error.rs
@@ -35,6 +35,8 @@ impl Error {
     pub const UNSUPPORTED: Error = internal_error(0);
     /// The platform-specific `errno` returned a non-positive value.
     pub const ERRNO_NOT_POSITIVE: Error = internal_error(1);
+    /// Encountered an unexpected situation which should not happen in practice.
+    pub const UNEXPECTED: Error = internal_error(2);
     /// Call to iOS [`SecRandomCopyBytes`](https://developer.apple.com/documentation/security/1399291-secrandomcopybytes) failed.
     pub const IOS_SEC_RANDOM: Error = internal_error(3);
     /// Call to Windows [`RtlGenRandom`](https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom) failed.
diff --git a/src/hermit.rs b/src/hermit.rs
@@ -9,13 +9,16 @@ pub fn getrandom_inner(mut dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
     while !dest.is_empty() {
         let res = unsafe { sys_read_entropy(dest.as_mut_ptr() as *mut u8, dest.len(), 0) };
         if res < 0 {
-            // SAFETY: all Hermit error codes use i32 under the hood:
-            // https://github.com/hermitcore/libhermit-rs/blob/master/src/errno.rs
-            let code = unsafe { NonZeroU32::new_unchecked((-res) as u32) };
-            return Err(code.into());
+            let err = (-res)
+                .try_into()
+                .ok()
+                .and_then(NonZeroU32::new)
+                .map(Into::into)
+                .unwrap_or(Error::UNEXPECTED);
+            return Err(err);
         }
         let len = min(res as usize, dest.len());
-        dest = &mut dest[len..];
+        dest = dest.get_mut(len..).ok_or(Error::UNEXPECTED)?;
     }
     Ok(())
 }
diff --git a/src/util_libc.rs b/src/util_libc.rs
@@ -80,7 +80,7 @@ pub fn sys_fill_exact(
             // We don't check for EOF (ret = 0) as the data we are reading
             // should be an infinite stream of random bytes.
             let len = min(res as usize, buf.len());
-            buf = &mut buf[len..];
+            buf = buf.get_mut(len..).ok_or(Error::UNEXPECTED)?;
         }
     }
     Ok(())

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ pub fn sys_fill_exact(`
`80`	`80`	`// We don't check for EOF (ret = 0) as the data we are reading`
`81`	`81`	`// should be an infinite stream of random bytes.`
`82`	`82`	`let len = min(res as usize, buf.len());`
`83`		`- buf = &mut buf[len..];`
	`83`	`+ buf = buf.get_mut(len..).ok_or(Error::UNEXPECTED)?;`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`	`Ok(())`