WIP PROOF-OF-CONCEPT fixup linux libs

Gankra · Gankra · commit 81f77d3d7d33 · 2022-03-22T21:29:38.000-04:00
diff --git a/library/panic_unwind/src/gcc.rs b/library/panic_unwind/src/gcc.rs
@@ -36,6 +36,13 @@
 //! Once stack has been unwound down to the handler frame level, unwinding stops
 //! and the last personality routine transfers control to the catch block.
 
+// FIXME(strict_provenance_magic): the unwinder has special permissions and semantics.
+//
+// This is at worst an Interesting Case Study that is worth doing a deep dive on.
+//
+// I haven't looked closely at this implementation yet.
+#![cfg_attr(not(bootstrap), allow(fuzzy_provenance_casts))]
+
 use alloc::boxed::Box;
 use core::any::Any;
 
diff --git a/library/std/src/backtrace.rs b/library/std/src/backtrace.rs
@@ -493,7 +493,7 @@ impl RawFrame {
         match self {
             RawFrame::Actual(frame) => frame.ip(),
             #[cfg(test)]
-            RawFrame::Fake => ptr::invalid_mut(1),
+            RawFrame::Fake => crate::ptr::invalid_mut(1),
         }
     }
 }
diff --git a/library/std/src/os/unix/net/addr.rs b/library/std/src/os/unix/net/addr.rs
@@ -17,8 +17,8 @@ mod libc {
 
 fn sun_path_offset(addr: &libc::sockaddr_un) -> usize {
     // Work with an actual instance of the type since using a null pointer is UB
-    let base = addr as *const _ as usize;
-    let path = &addr.sun_path as *const _ as usize;
+    let base = (addr as *const libc::sockaddr_un).addr();
+    let path = (&addr.sun_path as *const i8).addr();
     path - base
 }
 
diff --git a/library/std/src/sys/unix/memchr.rs b/library/std/src/sys/unix/memchr.rs
@@ -9,7 +9,7 @@ pub fn memchr(needle: u8, haystack: &[u8]) -> Option<usize> {
             haystack.len(),
         )
     };
-    if p.is_null() { None } else { Some(p as usize - (haystack.as_ptr() as usize)) }
+    if p.is_null() { None } else { Some(p.addr() - haystack.as_ptr().addr()) }
 }
 
 pub fn memrchr(needle: u8, haystack: &[u8]) -> Option<usize> {
@@ -26,7 +26,7 @@ pub fn memrchr(needle: u8, haystack: &[u8]) -> Option<usize> {
                 haystack.len(),
             )
         };
-        if p.is_null() { None } else { Some(p as usize - (haystack.as_ptr() as usize)) }
+        if p.is_null() { None } else { Some(p.addr() - haystack.as_ptr().addr()) }
     }
 
     #[cfg(not(target_os = "linux"))]
diff --git a/library/std/src/sys/unix/process/process_unix.rs b/library/std/src/sys/unix/process/process_unix.rs
@@ -1,3 +1,6 @@
+// FIXME(strict_provenance_magic): system API wants us to pass a pointer as a u64 :(
+#![cfg_attr(not(bootstrap), allow(fuzzy_provenance_casts))]
+
 use crate::convert::{TryFrom, TryInto};
 use crate::fmt;
 use crate::io::{self, Error, ErrorKind};
diff --git a/library/std/src/sys/unix/stack_overflow.rs b/library/std/src/sys/unix/stack_overflow.rs
@@ -1,3 +1,5 @@
+// FIXME(strict_provenance_magic): system API wants us to pass a pointer as size_t :(
+#![cfg_attr(not(bootstrap), allow(fuzzy_provenance_casts))]
 #![cfg_attr(test, allow(dead_code))]
 
 use self::imp::{drop_handler, make_handler};
@@ -62,12 +64,12 @@ mod imp {
             si_addr: *mut libc::c_void,
         }
 
-        (*(info as *const siginfo_t)).si_addr as usize
+        (*(info as *const siginfo_t)).si_addr.addr()
     }
 
     #[cfg(not(any(target_os = "linux", target_os = "android")))]
     unsafe fn siginfo_si_addr(info: *mut libc::siginfo_t) -> usize {
-        (*info).si_addr as usize
+        (*info).si_addr.addr()
     }
 
     // Signal handler for the SIGSEGV and SIGBUS handlers. We've got guard pages
diff --git a/library/std/src/sys/unix/thread.rs b/library/std/src/sys/unix/thread.rs
@@ -1,3 +1,6 @@
+// FIXME(strict_provenance_magic): system API wants us to pass a pointer as ulong :(
+#![cfg_attr(not(bootstrap), allow(fuzzy_provenance_casts))]
+
 use crate::cmp;
 use crate::ffi::CStr;
 use crate::io;
@@ -505,24 +508,24 @@ pub mod guard {
     #[cfg(target_os = "macos")]
     unsafe fn get_stack_start() -> Option<*mut libc::c_void> {
         let th = libc::pthread_self();
-        let stackaddr =
-            libc::pthread_get_stackaddr_np(th) as usize - libc::pthread_get_stacksize_np(th);
-        Some(stackaddr as *mut libc::c_void)
+        let stackptr = libc::pthread_get_stackaddr_np(th);
+        Some(stackptr.with_addr(stackptr.with_addr() - libc::pthread_get_stacksize_np(th)))
     }
 
     #[cfg(target_os = "openbsd")]
     unsafe fn get_stack_start() -> Option<*mut libc::c_void> {
         let mut current_stack: libc::stack_t = crate::mem::zeroed();
         assert_eq!(libc::pthread_stackseg_np(libc::pthread_self(), &mut current_stack), 0);
 
+        let stack_ptr = current_stack.ss_sp;
         let stackaddr = if libc::pthread_main_np() == 1 {
             // main thread
-            current_stack.ss_sp as usize - current_stack.ss_size + PAGE_SIZE.load(Ordering::Relaxed)
+            stack_ptr.addr() - current_stack.ss_size + PAGE_SIZE.load(Ordering::Relaxed)
         } else {
             // new thread
-            current_stack.ss_sp as usize - current_stack.ss_size
+            stack_ptr.addr() - current_stack.ss_size
         };
-        Some(stackaddr as *mut libc::c_void)
+        Some(stack_ptr.with_addr(stack_addr))
     }
 
     #[cfg(any(
@@ -557,19 +560,20 @@ pub mod guard {
     unsafe fn get_stack_start_aligned() -> Option<*mut libc::c_void> {
         let page_size = PAGE_SIZE.load(Ordering::Relaxed);
         assert!(page_size != 0);
-        let stackaddr = get_stack_start()?;
+        let stackptr = get_stack_start()?;
+        let stackaddr = stackptr.addr();
 
         // Ensure stackaddr is page aligned! A parent process might
         // have reset RLIMIT_STACK to be non-page aligned. The
         // pthread_attr_getstack() reports the usable stack area
         // stackaddr < stackaddr + stacksize, so if stackaddr is not
         // page-aligned, calculate the fix such that stackaddr <
         // new_page_aligned_stackaddr < stackaddr + stacksize
-        let remainder = (stackaddr as usize) % page_size;
+        let remainder = (stackaddr) % page_size;
         Some(if remainder == 0 {
-            stackaddr
+            stackptr
         } else {
-            ((stackaddr as usize) + page_size - remainder) as *mut libc::c_void
+            stackptr.with_addr(stackaddr + page_size - remainder)
         })
     }
 
@@ -588,8 +592,8 @@ pub mod guard {
             // Instead, we'll just note where we expect rlimit to start
             // faulting, so our handler can report "stack overflow", and
             // trust that the kernel's own stack guard will work.
-            let stackaddr = get_stack_start_aligned()?;
-            let stackaddr = stackaddr as usize;
+            let stackptr = get_stack_start_aligned()?;
+            let stackaddr = stackptr.addr();
             Some(stackaddr - page_size..stackaddr)
         } else if cfg!(all(target_os = "linux", target_env = "musl")) {
             // For the main thread, the musl's pthread_attr_getstack
@@ -602,8 +606,8 @@ pub mod guard {
             // at the bottom.  If we try to remap the bottom of the stack
             // ourselves, FreeBSD's guard page moves upwards.  So we'll just use
             // the builtin guard page.
-            let stackaddr = get_stack_start_aligned()?;
-            let guardaddr = stackaddr as usize;
+            let stackptr = get_stack_start_aligned()?;
+            let guardaddr = stackptr.addr();
             // Technically the number of guard pages is tunable and controlled
             // by the security.bsd.stack_guard_page sysctl, but there are
             // few reasons to change it from the default.  The default value has
@@ -620,33 +624,34 @@ pub mod guard {
             // than the initial mmap() used, so we mmap() here with
             // read/write permissions and only then mprotect() it to
             // no permissions at all. See issue #50313.
-            let stackaddr = get_stack_start_aligned()?;
+            let stackptr = get_stack_start_aligned()?;
             let result = mmap(
-                stackaddr,
+                stackptr,
                 page_size,
                 PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANON | MAP_FIXED,
                 -1,
                 0,
             );
-            if result != stackaddr || result == MAP_FAILED {
+            if result != stackptr || result == MAP_FAILED {
                 panic!("failed to allocate a guard page: {}", io::Error::last_os_error());
             }
 
-            let result = mprotect(stackaddr, page_size, PROT_NONE);
+            let result = mprotect(stackptr, page_size, PROT_NONE);
             if result != 0 {
                 panic!("failed to protect the guard page: {}", io::Error::last_os_error());
             }
 
-            let guardaddr = stackaddr as usize;
+            let guardaddr = stackptr.addr();
 
             Some(guardaddr..guardaddr + page_size)
         }
     }
 
     #[cfg(any(target_os = "macos", target_os = "openbsd", target_os = "solaris"))]
     pub unsafe fn current() -> Option<Guard> {
-        let stackaddr = get_stack_start()? as usize;
+        let stackptr = get_stack_start()?;
+        let stackaddr = stackptr.addr();
         Some(stackaddr - PAGE_SIZE.load(Ordering::Relaxed)..stackaddr)
     }
 
@@ -679,11 +684,11 @@ pub mod guard {
                     panic!("there is no guard page");
                 }
             }
-            let mut stackaddr = crate::ptr::null_mut();
+            let mut stackptr = crate::ptr::null_mut::<libc::c_void>();
             let mut size = 0;
-            assert_eq!(libc::pthread_attr_getstack(&attr, &mut stackaddr, &mut size), 0);
+            assert_eq!(libc::pthread_attr_getstack(&attr, &mut stackptr, &mut size), 0);
 
-            let stackaddr = stackaddr as usize;
+            let stackaddr = stackptr.addr();
             ret = if cfg!(any(target_os = "freebsd", target_os = "netbsd")) {
                 Some(stackaddr - guardsize..stackaddr)
             } else if cfg!(all(target_os = "linux", target_env = "musl")) {
diff --git a/library/std/src/sys/unix/weak.rs b/library/std/src/sys/unix/weak.rs
@@ -22,10 +22,11 @@
 // that, we'll just allow that some unix targets don't use this module at all.
 #![allow(dead_code, unused_macros)]
 
-use crate::ffi::CStr;
+use crate::ffi::{c_void, CStr};
 use crate::marker::PhantomData;
 use crate::mem;
-use crate::sync::atomic::{self, AtomicUsize, Ordering};
+use crate::ptr;
+use crate::sync::atomic::{self, AtomicPtr, Ordering};
 
 // We can use true weak linkage on ELF targets.
 #[cfg(not(any(target_os = "macos", target_os = "ios")))]
@@ -83,25 +84,26 @@ pub(crate) macro dlsym {
 }
 pub(crate) struct DlsymWeak<F> {
     name: &'static str,
-    addr: AtomicUsize,
+    addr: AtomicPtr<c_void>,
     _marker: PhantomData<F>,
 }
 
 impl<F> DlsymWeak<F> {
     pub(crate) const fn new(name: &'static str) -> Self {
-        DlsymWeak { name, addr: AtomicUsize::new(1), _marker: PhantomData }
+        DlsymWeak { name, addr: AtomicPtr::new(ptr::invalid_mut(1)), _marker: PhantomData }
     }
 
     #[inline]
     pub(crate) fn get(&self) -> Option<F> {
         unsafe {
             // Relaxed is fine here because we fence before reading through the
             // pointer (see the comment below).
-            match self.addr.load(Ordering::Relaxed) {
+            let fn_ptr = self.addr.load(Ordering::Relaxed);
+            match fn_ptr.addr() {
                 1 => self.initialize(),
                 0 => None,
-                addr => {
-                    let func = mem::transmute_copy::<usize, F>(&addr);
+                _ => {
+                    let func = mem::transmute_copy::<*mut c_void, F>(&fn_ptr);
                     // The caller is presumably going to read through this value
                     // (by calling the function we've dlsymed). This means we'd
                     // need to have loaded it with at least C11's consume
@@ -129,25 +131,25 @@ impl<F> DlsymWeak<F> {
     // Cold because it should only happen during first-time initialization.
     #[cold]
     unsafe fn initialize(&self) -> Option<F> {
-        assert_eq!(mem::size_of::<F>(), mem::size_of::<usize>());
+        assert_eq!(mem::size_of::<F>(), mem::size_of::<*mut ()>());
 
         let val = fetch(self.name);
         // This synchronizes with the acquire fence in `get`.
         self.addr.store(val, Ordering::Release);
 
-        match val {
+        match val.addr() {
             0 => None,
-            addr => Some(mem::transmute_copy::<usize, F>(&addr)),
+            _ => Some(mem::transmute_copy::<*mut c_void, F>(&val)),
         }
     }
 }
 
-unsafe fn fetch(name: &str) -> usize {
+unsafe fn fetch(name: &str) -> *mut c_void {
     let name = match CStr::from_bytes_with_nul(name.as_bytes()) {
         Ok(cstr) => cstr,
-        Err(..) => return 0,
+        Err(..) => return ptr::null_mut(),
     };
-    libc::dlsym(libc::RTLD_DEFAULT, name.as_ptr()) as usize
+    libc::dlsym(libc::RTLD_DEFAULT, name.as_ptr())
 }
 
 #[cfg(not(any(target_os = "linux", target_os = "android")))]

Original file line number	Diff line number	Diff line change
`@@ -493,7 +493,7 @@ impl RawFrame {`
`493`	`493`	`match self {`
`494`	`494`	`RawFrame::Actual(frame) => frame.ip(),`
`495`	`495`	`#[cfg(test)]`
`496`		`- RawFrame::Fake => ptr::invalid_mut(1),`
	`496`	`+ RawFrame::Fake => crate::ptr::invalid_mut(1),`
`497`	`497`	`}`
`498`	`498`	`}`
`499`	`499`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,8 @@ mod libc {`
`17`	`17`
`18`	`18`	`fn sun_path_offset(addr: &libc::sockaddr_un) -> usize {`
`19`	`19`	`// Work with an actual instance of the type since using a null pointer is UB`
`20`		`- let base = addr as *const _ as usize;`
`21`		`- let path = &addr.sun_path as *const _ as usize;`
	`20`	`+ let base = (addr as *const libc::sockaddr_un).addr();`
	`21`	`+ let path = (&addr.sun_path as *const i8).addr();`
`22`	`22`	`path - base`
`23`	`23`	`}`
`24`	`24`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ pub fn memchr(needle: u8, haystack: &[u8]) -> Option<usize> {`
`9`	`9`	`haystack.len(),`
`10`	`10`	`)`
`11`	`11`	`};`
`12`		`- if p.is_null() { None } else { Some(p as usize - (haystack.as_ptr() as usize)) }`
	`12`	`+ if p.is_null() { None } else { Some(p.addr() - haystack.as_ptr().addr()) }`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`pub fn memrchr(needle: u8, haystack: &[u8]) -> Option<usize> {`
`@@ -26,7 +26,7 @@ pub fn memrchr(needle: u8, haystack: &[u8]) -> Option<usize> {`
`26`	`26`	`haystack.len(),`
`27`	`27`	`)`
`28`	`28`	`};`
`29`		`- if p.is_null() { None } else { Some(p as usize - (haystack.as_ptr() as usize)) }`
	`29`	`+ if p.is_null() { None } else { Some(p.addr() - haystack.as_ptr().addr()) }`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`#[cfg(not(target_os = "linux"))]`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+// FIXME(strict_provenance_magic): system API wants us to pass a pointer as size_t :(`
	`2`	`+#![cfg_attr(not(bootstrap), allow(fuzzy_provenance_casts))]`
`1`	`3`	`#![cfg_attr(test, allow(dead_code))]`
`2`	`4`
`3`	`5`	`use self::imp::{drop_handler, make_handler};`
`@@ -62,12 +64,12 @@ mod imp {`
`62`	`64`	`si_addr: *mut libc::c_void,`
`63`	`65`	`}`
`64`	`66`
`65`		`- ((info as const siginfo_t)).si_addr as usize`
	`67`	`+ ((info as const siginfo_t)).si_addr.addr()`
`66`	`68`	`}`
`67`	`69`
`68`	`70`	`#[cfg(not(any(target_os = "linux", target_os = "android")))]`
`69`	`71`	`unsafe fn siginfo_si_addr(info: *mut libc::siginfo_t) -> usize {`
`70`		`- (*info).si_addr as usize`
	`72`	`+ (*info).si_addr.addr()`
`71`	`73`	`}`
`72`	`74`
`73`	`75`	`// Signal handler for the SIGSEGV and SIGBUS handlers. We've got guard pages`