Unsound `from` with misaligned pointer dereference

[shinmao]

The source of unsoundness

hash-rs/src/sha1/mod.rs

Lines 12 to 17 in 96f5aa4

	let ptr = p.as_mut_ptr() as *mut u64;
	let word = u64::to_be(m.len() as u64 * 8 as u64);
	unsafe {
	let p = (p.len()/8 - 1) as isize;
	*ptr.offset(p) = word;
	}

In line 12, the code tried to cast the raw pointer with 1-byte-alignment to the raw pointer with 8-byte-alignment, and this would create a misaligned pointer. In line 16, the code deref the misaligned pointer which is unsound. Similar unsoundness happened in following two places.

hash-rs/src/sha1/mod.rs

Lines 29 to 35 in 96f5aa4

	let output_ptr = digest.as_mut_ptr() as *mut u32;
	for i in 0..state.len() {
	let word = u32::to_be(state[i] as u32);
	unsafe {
	*output_ptr.offset(i as isize) = word;
	}
	}

line 29: create misaligned pointer, line 33: dereference

hash-rs/src/sha3/mod.rs

Lines 32 to 38 in 96f5aa4

	let output_ptr = digest.as_mut_ptr() as *mut u64;
	for i in 0..(OUTPUT_LEN / 8) {
	let word = u64::to_le(state[i]);
	unsafe {
	*output_ptr.offset(i as isize) = word;
	}
	}

line 32: create misaligned pointer, line 36: dereference

To reproduce the bug

use hash;

fn main() {
    let input = "hello";
    let digest = hash::Digest::sha1(&input.as_bytes());
    println!("{:?}", digest);
}

run with Miri

error: Undefined Behavior: accessing memory with alignment 1, but alignment 8 is required
  --> /{personal path}hash-rs-0.0.2/src/sha1/mod.rs:16:9
   |
16 |         *ptr.offset(p) = word;
   |         ^^^^^^^^^^^^^^^^^^^^^ accessing memory with alignment 1, but alignment 8 is required
   |

Undefined behavior should not happen with safe Rust function.

[shinmao]

After scanning the crate with our tool, we found that xor_with could also have unsound implementation.

hash-rs/src/sha3/mod.rs

Lines 93 to 100 in 96f5aa4

	fn xor_with(&mut self, s: Vec<u8>) -> &mut Self {
	debug_assert_eq!(s.len() % 8, 0);
	for i in 0..(72 >> 3) {
	self[i] ^= unsafe {
	let ptr = s.as_ptr() as *const u64;
	*(ptr.offset(i as isize))
	};
	}

At line 97, it casted type aligned at u8 to u64, and this would create a misaligned pointer ptr. Next, the code derefed the pointer to ptr.offset which was still misaligned.