patina_internal_collections: Fix UB memory read in Node fields

[garybeihl]

Description

Fixes an undefined behavior issue where Cell::set() reads uninitialized memory during linked list creation in Storage::resize().

Root Cause

• Cell::set() internally uses mem::replace(), which reads the old value before writing the new one.
• When Storage::resize() allocates new nodes and calls build_linked_list(), the Cell fields contain uninitialized memory.
• Reading uninitialized memory is undefined behavior, even if immediately overwritten. Unwanted compiler "optimizations" could follow.

Impact

• Any package using patina_internal_collections.
• Potential memory corruption and non-deterministic errors
• Detected by Miri testing (issue Consider running unit tests (or a subset of them) under Miri #560)

Fix

• Initialize all Cell fields using ptr::write() before build_linked_list()
• Use addr_of_mut!() to read field pointers without creating references to uninitialized data

Introduced by

• PR Replace AtomicPtr with Cell in patina_internal_collections. #1050 (Nov 13, 2025) Replace AtomicPtr with Cell in patina_internal_collections
• AtomicPtr::store() writes without reading the old value, but Cell::set() uses mem::replace() which reads before writing

Related to #560

• Impacts functionality?
• Impacts security?
• Breaking change?
• Includes tests?
• Includes documentation?

How This Was Tested

• Tested with: cargo +nightly-2025-09-19 miri test -p patina_dxe_core.
• 7 tests now pass (previously 0/469 due to this UB issue).

Integration Instructions

N/A

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Javagedes]

Hi @garybeihl , I noticed you've been keeping this PR up to date, but not working on it (which is completely fine).

I just wanted to make sure you were not waiting on additional information from any of us that have commented on this PR (i.e. make sure we are not blocking you in any way)!

[garybeihl]

No - not blocked - I uploaded a version of the changes that uses MaybeUninit and D: Default - just waiting for further comments or change requests. If you could have a look when you get a chance, that would be great - thanks!

[garybeihl]

Is there anything more for me to do here? If not, can I get another approval?

[makubacki]

@Javagedes & @joschock should have a final review as well.

[patina-automation]

✅ QEMU Validation Passed

All QEMU validation jobs completed successfully.

Note: Windows Q35 is only built (QEMU boot is disabled due to QEMU vfat issue).

Workflow run: https://github.com/OpenDevicePartnership/patina/actions/runs/22733280504

Boot Time to EFI Shell

Platform	Elapsed
Linux Q35	34.9s
Linux SBSA	41.9s

This comment was automatically generated by the Patina QEMU PR Validation Post workflow.

[garybeihl]

Ping - please review so I can close this and move on to other Miri-found issues. Thanks!

[makubacki]

Approving latest

[makubacki]

Does this need to go through MaybeUnit<Node<D>> too?

[garybeihl]

Good catch — yes, expand() has the same problem. It creates a &mut [Node<D>] from raw bytes without going through MaybeUninit, which is UB for the same reason. I'll update it to use MaybeUninit<Node<D>> as well.

[makubacki]

Does this still need to be pub with functions like pub unsafe fn data() and pub unsafe fn data_mut() having been added? Or could it at least be pub(crate)?

[garybeihl]

You're right — nothing outside the crate accesses the field directly; all external access goes through the data() and data_mut() accessors. I'll change it to pub(crate).

[makubacki]

Is for i in 0..self.capacity() supposed to be for i in 0..self.len()? That's what the safety comment seems to indicate below.

[makubacki]

We're generally trying to provide safety comments more granularly (even for tests) to avoid needed to apply this at the module level.