Incoherent (?) Lifetime HRTB on associated type results in unsoundness in stable, safe code

[maxdexh]

This code results in undefined behavior in safe code.

use std::any::Any;

// `for<'a> Producer<&'a T>` is equivalent to the (non-existent) `for<'a> FnOnce() -> &'a T`
pub trait Producer<T>: FnOnce() -> T {}
impl<T, F: FnOnce() -> T> Producer<T> for F {}

// What does `P::Output` even mean in this context? If this was `FnOnce(&()) -> &T`, using `Output`
// would result in "Cannot use the assiciated type of a trait with uninferred generic parameters",
// even when hiding behind an extra trait
fn write_incoherent_p2<T, P: for<'a> Producer<&'a T>>(
    weird: P::Output,
    out: &mut &'static dyn Any,
) {
    // `T` is not even `'static`, but `P::Output` seems to kind of 
    // resemble `for<'a> &'a T` (if that even means anything)
    *out = weird;
}

fn write_incoherent_p1<T, P: for<'a> Producer<&'a T>>(p: P, out: &mut &'static dyn Any) {
    // Producing and writing p() in one function doesn't work. Doing so requires T: 'static.
    // Adding T: 'static to all functions also makes this not work.
    // This fragility is why every line is its own function. 
    write_incoherent_p2::<T, P>(p(), out)
}

// Now we can trigger unsoundness by finding something that is `FnOnce() -> &'a T` for any `'a`
// `for<'a> FnOnce() -> &'a T` is basically just the signature of Box::leak
fn construct_implementor<T>(not_static: T, out: &mut &'static dyn Any) {
    write_incoherent_p1::<T, _>(|| Box::leak(Box::new(not_static)), out);
}

fn make_static_and_drop<T: 'static>(t: T) -> &'static T {
    let mut out: &'static dyn Any = &();
    construct_implementor::<&T>(&t, &mut out);
    *out.downcast_ref::<&T>().unwrap()
}

fn main() {
    println!("{:?}", make_static_and_drop(vec![vec![1]])); // use after free
}

The earliest affected version is 1.72. Many earlier versions reject construct_implementor, but most just ICE. Current nightly is also affected.

I am not entirely sure what is going on in this code; I was trying to create a function type that returns a reference of any requested lifetime (don't ask why), i.e. for<'a> Fn() -> &'a T. For some reason it works when hiding behind a blanket implementation, though it is very fragile. Taking Fn::Output of such a function type yields a type that seems to kind of resemble "for<'a> &'a T" and allows assignment to &'static dyn Any, even though T is not 'static.

[theemathas]

Slightly simplified:

use std::any::Any;

pub trait Producer<T>: FnOnce() -> T {}
impl<T, F: FnOnce() -> T> Producer<T> for F {}

fn write_incoherent_p2<T, P: for<'a> Producer<&'a T>>(weird: P::Output) -> &'static dyn Any {
    weird
}

fn write_incoherent_p1<T, P: for<'a> Producer<&'a T>>(p: P) -> &'static dyn Any {
    write_incoherent_p2::<T, P>(p())
}

fn construct_implementor<T>(not_static: T) -> &'static dyn Any {
    write_incoherent_p1::<T, _>(|| Box::leak(Box::new(not_static)))
}

fn make_static_and_drop<T: 'static>(t: T) -> &'static T {
    let out: &'static dyn Any = construct_implementor::<&T>(&t);
    *out.downcast_ref::<&T>().unwrap()
}

fn main() {
    println!("{:?}", make_static_and_drop(vec![vec![1]])); // use after free
}

@rustbot labels +I-unsound

[theemathas]

A variant(?) without Any:

type Target = Vec<Vec<i32>>;  // The type of the value we want to use after free

trait IsRefTarget {
    fn convert<'a>(self) -> &'a Target where Self: 'a;
}
impl IsRefTarget for &'_ Target {
    fn convert<'a>(self) -> &'a Target where Self: 'a {
        self
    }
}

trait Get {
    fn get<'a>(&mut self) -> &'a Target where Self: 'a;
}
impl<T: IsRefTarget> Get for Option<T> {
    fn get<'a>(&mut self) -> &'a Target where Self: 'a {
        self.take().unwrap().convert()
    }
}

pub trait Producer<T>: FnOnce() -> T {}
impl<T, F: FnOnce() -> T> Producer<T> for F {}

fn write_incoherent_p2<T: IsRefTarget, P: for<'a> Producer<&'a mut Option<T>>>(weird: P::Output) -> &'static mut dyn Get {
    weird
}

fn write_incoherent_p1<'b, P: for<'a> Producer<&'a mut Option<&'b Target>>>(p: P) -> &'static mut dyn Get {
    write_incoherent_p2::<&'b Target, P>(p())
}

fn make_static_and_drop(t: Target) -> &'static Target {
    let out: &'static mut dyn Get = write_incoherent_p1(|| Box::leak(Box::new(Some(&t))));
    out.get()
}

fn main() {
    println!("{:?}", make_static_and_drop(vec![vec![1]])); // use after free
}

[theemathas]

Seems related to #84533

[maxdexh]

Can someone get this to work with a custom function trait instead of Fn*? I'd be curious about how this looks with an explicit impl instead of whatever is going on here, but I can't get it to work.

I tried this

pub trait ProducerFn {
    type Output;
    fn produce(self) -> Self::Output;
}
impl<T, F: FnOnce() -> T> ProducerFn for F {
    type Output = F::Output;
    fn produce(self) -> Self::Output {
        self()
    }
}
impl<T, F: ProducerFn<Output = T>> Producer<T> for F {}
fn write_incoherent_p1<T, P: for<'a> Producer<&'a T>>(p: P) -> &'static dyn Any {
  // Other functions as in https://github.com/rust-lang/rust/issues/141713#issuecomment-2918224298
}
fn construct_implementor<T>(not_static: T) -> &'static dyn Any {
    fn leak<'a, T>(m: T) -> &'a T {
        Box::leak(Box::new(m))
    }
    // ERROR: Expected `&_`, got `&'a _`
    write_incoherent_p1::<T, _>(|| leak(not_static))
}

but it doesnt work. I think the extra step of going from FnOnce to ProducerFn somehow forces it to chose a concrete lifetime?

[lcnr]

Fun ✨

trait WriteWhereClause<T>: FnOnce() -> T {}
impl<F: FnOnce() -> T, T> WriteWhereClause<T> for F {}
fn takes_any_requires_static<F>(_: F, any_lt: F::Output) -> &'static str
where
    //     Where-clause rejected by HIR lowering. This must not be soundness-critical,
    //     as elaboration can give us the exact same where-clause regardless. It should
    //     simply not be possible to prove it.
    // F: for<'a> FnOnce() -> &'a String,
    //     Elaborating the below where-clause does work. This is #136547.
    F: for<'a> WriteWhereClause<&'a str>,
{
    any_lt
}

fn dangle() -> &'static str {
    let temp = String::from("temporary");
    takes_any_requires_static(|| "whatever", temp.as_str())
}

fn main() {
    println!("{:?}", dangle());
}

The type of || "whatever" is Closure<for<'b> fn() -> &'b str>. Its builtin impl is not well-formed as the impl signature does not constrain 'a.

impl<'a, T> FnOnce<()> for Closure<for<'b> fn() -> &'b str> {
     type Output = &'a T;
}

---

• This is an exploit of associated types have to be fully constrained lcnr/random-rust-snippets#12, which I previously only considered to be a limitation of future language extensions
• It's related to 'static closures/FnDefs/futures with non-'static return type are unsound #84366 and will likely be fixed in the same way
• It would be interesting to see whether this can be exploited if we were to fix super trait bounds can result in unconstrained regions #136547. Because if not, we may be able to instead warn on (shallow) FnOnce super-trait bounds which would be considered to be unconstraining by themselves