Fix CFI issues in <future>

eugenis · memfrob · commit 3d6e6a8ca4ac · 2022-10-04T17:13:46.000-04:00
This change fixes errors reported by Control Flow Integrity (CFI) checking when using `std::packaged_task`. The errors mostly stem from casting the underlying storage (`__buf_`) to `__base*`, even if it is uninitialized. The solution is to wrap `__base*` access to `__buf_` behind a getter marked with _LIBCPP_NO_CFI. Differential Revision: https://reviews.llvm.org/D82627
diff --git a/libcxx/include/future b/libcxx/include/future
@@ -1823,6 +1823,10 @@ template<class _Rp, class ..._ArgTypes>
 class _LIBCPP_AVAILABILITY_FUTURE __packaged_task_function<_Rp(_ArgTypes...)>
 {
     typedef __packaged_task_base<_Rp(_ArgTypes...)> __base;
+
+    _LIBCPP_INLINE_VISIBILITY _LIBCPP_NO_CFI
+    __base* __get_buf() { return (__base*)&__buf_; }
+
     typename aligned_storage<3*sizeof(void*)>::type __buf_;
     __base* __f_;
 
@@ -1856,10 +1860,10 @@ __packaged_task_function<_Rp(_ArgTypes...)>::__packaged_task_function(__packaged
 {
     if (__f.__f_ == nullptr)
         __f_ = nullptr;
-    else if (__f.__f_ == (__base*)&__f.__buf_)
+    else if (__f.__f_ == __f.__get_buf())
     {
+        __f.__f_->__move_to(__get_buf());
         __f_ = (__base*)&__buf_;
-        __f.__f_->__move_to(__f_);
     }
     else
     {
@@ -1877,8 +1881,8 @@ __packaged_task_function<_Rp(_ArgTypes...)>::__packaged_task_function(_Fp&& __f)
     typedef __packaged_task_func<_FR, allocator<_FR>, _Rp(_ArgTypes...)> _FF;
     if (sizeof(_FF) <= sizeof(__buf_))
     {
+        ::new (&__buf_) _FF(_VSTD::forward<_Fp>(__f));
         __f_ = (__base*)&__buf_;
-        ::new (__f_) _FF(_VSTD::forward<_Fp>(__f));
     }
     else
     {
@@ -1920,17 +1924,17 @@ template<class _Rp, class ..._ArgTypes>
 __packaged_task_function<_Rp(_ArgTypes...)>&
 __packaged_task_function<_Rp(_ArgTypes...)>::operator=(__packaged_task_function&& __f) _NOEXCEPT
 {
-    if (__f_ == (__base*)&__buf_)
+    if (__f_ == __get_buf())
         __f_->destroy();
     else if (__f_)
         __f_->destroy_deallocate();
     __f_ = nullptr;
     if (__f.__f_ == nullptr)
         __f_ = nullptr;
-    else if (__f.__f_ == (__base*)&__f.__buf_)
+    else if (__f.__f_ == __f.__get_buf())
     {
-        __f_ = (__base*)&__buf_;
-        __f.__f_->__move_to(__f_);
+        __f.__f_->__move_to(__get_buf());
+        __f_ = __get_buf();
     }
     else
     {
@@ -1943,13 +1947,14 @@ __packaged_task_function<_Rp(_ArgTypes...)>::operator=(__packaged_task_function&
 template<class _Rp, class ..._ArgTypes>
 __packaged_task_function<_Rp(_ArgTypes...)>::~__packaged_task_function()
 {
-    if (__f_ == (__base*)&__buf_)
+    if (__f_ == __get_buf())
         __f_->destroy();
     else if (__f_)
         __f_->destroy_deallocate();
 }
 
 template<class _Rp, class ..._ArgTypes>
+_LIBCPP_NO_CFI
 void
 __packaged_task_function<_Rp(_ArgTypes...)>::swap(__packaged_task_function& __f) _NOEXCEPT
 {

Original file line number	Diff line number	Diff line change
`@@ -1823,6 +1823,10 @@ template<class _Rp, class ..._ArgTypes>`
`1823`	`1823`	`class _LIBCPP_AVAILABILITY_FUTURE __packaged_task_function<_Rp(_ArgTypes...)>`
`1824`	`1824`	`{`
`1825`	`1825`	`typedef __packaged_task_base<_Rp(_ArgTypes...)> __base;`
	`1826`	`+`
	`1827`	`+ _LIBCPP_INLINE_VISIBILITY _LIBCPP_NO_CFI`
	`1828`	`+ __base* __get_buf() { return (__base*)&__buf_; }`
	`1829`	`+`
`1826`	`1830`	`typename aligned_storage<3sizeof(void)>::type __buf_;`
`1827`	`1831`	`__base* __f_;`
`1828`	`1832`
`@@ -1856,10 +1860,10 @@ __packaged_task_function<_Rp(_ArgTypes...)>::__packaged_task_function(__packaged`
`1856`	`1860`	`{`
`1857`	`1861`	`if (__f.__f_ == nullptr)`
`1858`	`1862`	`__f_ = nullptr;`
`1859`		`- else if (__f.__f_ == (__base*)&__f.__buf_)`
	`1863`	`+ else if (__f.__f_ == __f.__get_buf())`
`1860`	`1864`	`{`
	`1865`	`+ __f.__f_->__move_to(__get_buf());`
`1861`	`1866`	`__f_ = (__base*)&__buf_;`
`1862`		`- __f.__f_->__move_to(__f_);`
`1863`	`1867`	`}`
`1864`	`1868`	`else`
`1865`	`1869`	`{`
`@@ -1877,8 +1881,8 @@ __packaged_task_function<_Rp(_ArgTypes...)>::__packaged_task_function(_Fp&& __f)`
`1877`	`1881`	`typedef __packaged_task_func<_FR, allocator<_FR>, _Rp(_ArgTypes...)> _FF;`
`1878`	`1882`	`if (sizeof(_FF) <= sizeof(__buf_))`
`1879`	`1883`	`{`
	`1884`	`+ ::new (&__buf_) _FF(_VSTD::forward<_Fp>(__f));`
`1880`	`1885`	`__f_ = (__base*)&__buf_;`
`1881`		`- ::new (__f_) _FF(_VSTD::forward<_Fp>(__f));`
`1882`	`1886`	`}`
`1883`	`1887`	`else`
`1884`	`1888`	`{`
`@@ -1920,17 +1924,17 @@ template<class _Rp, class ..._ArgTypes>`
`1920`	`1924`	`__packaged_task_function<_Rp(_ArgTypes...)>&`
`1921`	`1925`	`__packaged_task_function<_Rp(_ArgTypes...)>::operator=(__packaged_task_function&& __f) _NOEXCEPT`
`1922`	`1926`	`{`
`1923`		`- if (__f_ == (__base*)&__buf_)`
	`1927`	`+ if (__f_ == __get_buf())`
`1924`	`1928`	`__f_->destroy();`
`1925`	`1929`	`else if (__f_)`
`1926`	`1930`	`__f_->destroy_deallocate();`
`1927`	`1931`	`__f_ = nullptr;`
`1928`	`1932`	`if (__f.__f_ == nullptr)`
`1929`	`1933`	`__f_ = nullptr;`
`1930`		`- else if (__f.__f_ == (__base*)&__f.__buf_)`
	`1934`	`+ else if (__f.__f_ == __f.__get_buf())`
`1931`	`1935`	`{`
`1932`		`- __f_ = (__base*)&__buf_;`
`1933`		`- __f.__f_->__move_to(__f_);`
	`1936`	`+ __f.__f_->__move_to(__get_buf());`
	`1937`	`+ __f_ = __get_buf();`
`1934`	`1938`	`}`
`1935`	`1939`	`else`
`1936`	`1940`	`{`
`@@ -1943,13 +1947,14 @@ __packaged_task_function<_Rp(_ArgTypes...)>::operator=(__packaged_task_function&`
`1943`	`1947`	`template<class _Rp, class ..._ArgTypes>`
`1944`	`1948`	`__packaged_task_function<_Rp(_ArgTypes...)>::~__packaged_task_function()`
`1945`	`1949`	`{`
`1946`		`- if (__f_ == (__base*)&__buf_)`
	`1950`	`+ if (__f_ == __get_buf())`
`1947`	`1951`	`__f_->destroy();`
`1948`	`1952`	`else if (__f_)`
`1949`	`1953`	`__f_->destroy_deallocate();`
`1950`	`1954`	`}`
`1951`	`1955`
`1952`	`1956`	`template<class _Rp, class ..._ArgTypes>`
	`1957`	`+_LIBCPP_NO_CFI`
`1953`	`1958`	`void`
`1954`	`1959`	`__packaged_task_function<_Rp(_ArgTypes...)>::swap(__packaged_task_function& __f) _NOEXCEPT`
`1955`	`1960`	`{`