cfi: Store type erasure witness for Argument

CFI/KCFI work by enforcing that indirect function calls are always
called at the type they were defined at. The type erasure in Argument
works by casting the reference to the value to be formatted to an Opaque
and also casting the function to format it to take an Opaque reference.

While this is *ABI* safe, which is why we get away with it normally, it
does transform the type that the function is called at. This means that
at the call-site, CFI expects the type of the function to be
`fn(&Opaque, ` even though it is really `fn(&T, ` for some particular
`T`.

This patch avoids this by adding `cast_stub`, a witness to the type
erasure that will cast the `&Opaque` and `fn(&Opaque` back to their
original types before invoking the function.

This change is guarded by the enablement of CFI as it will require an
additional pointer-sized value per `Argument`, and an additional jump
during formatting, and we'd prefer not to pay that if we don't need the
types to be correct at the indirect call invocation.

Author: maurer

library/core/src/fmt/rt.rs

@@ -74,7 +74,28 @@ pub(super) enum Flag {
 #[derive(Copy, Clone)]
 pub struct Argument<'a> {
     value: &'a Opaque,
-    formatter: fn(&Opaque, &mut Formatter<'_>) -> Result,
+    formatter: unsafe fn(&Opaque, &mut Formatter<'_>) -> Result,
+    #[cfg(any(sanitize = "cfi", sanitize = "kcfi"))]
+    cast_stub: unsafe fn(
+        fn(&Opaque, &mut Formatter<'_>) -> Result,
+        &Opaque,
+        f: &mut Formatter<'_>,
+    ) -> Result,
+}
+
+/// This function acts as a witness to an earlier type erasure when constructing an `Argument`.
+/// The type parameter `T` should be instantiated to the erased type.
+/// SAFETY: This function should be called on a value and formatter which underwent a
+/// T->Opaque cast at their definition site.
+#[cfg(any(sanitize = "cfi", sanitize = "kcfi"))]
+unsafe fn cast_stub<T>(
+    formatter: unsafe fn(&Opaque, &mut Formatter<'_>) -> Result,
+    value: &Opaque,
+    f: &mut Formatter<'_>,
+) -> Result {
+    let value: &T = mem::transmute(value);
+    let formatter: fn(&T, &mut Formatter<'_>) -> Result = mem::transmute(formatter);
+    formatter(value, f)
 }
 
 #[rustc_diagnostic_item = "ArgumentMethods"]
@@ -89,7 +110,14 @@ impl<'a> Argument<'a> {
         // `mem::transmute(f)` is safe since `fn(&T, &mut Formatter<'_>) -> Result`
         // and `fn(&Opaque, &mut Formatter<'_>) -> Result` have the same ABI
         // (as long as `T` is `Sized`)
-        unsafe { Argument { formatter: mem::transmute(f), value: mem::transmute(x) } }
+        unsafe {
+            Argument {
+                formatter: mem::transmute(f),
+                value: mem::transmute(x),
+                #[cfg(any(sanitize = "cfi", sanitize = "kcfi"))]
+                cast_stub: cast_stub::<T>,
+            }
+        }
     }
 
     #[inline(always)]
@@ -135,7 +163,22 @@ impl<'a> Argument<'a> {
 
     #[inline(always)]
     pub(super) fn fmt(&self, f: &mut Formatter<'_>) -> Result {
-        (self.formatter)(self.value, f)
+        cfg_if! {
+            if #[cfg(any(sanitize = "cfi", sanitize = "kcfi"))] {
+                // SAFETY: We're calling cast_stub on the formatter/value pair it was constructed
+                // with, and we don't allow mutation of any individual members. As a result, this
+                // cast_stub should be at the T representing the formatter/value pair.
+                unsafe {
+                    (self.cast_stub)(self.formatter, self.value, f)
+                }
+            } else {
+                // SAFETY: We're calling the formatter on the value that had its type erased
+                // alongside it.
+                unsafe {
+                    (self.formatter)(self.value, f)
+                }
+            }
+        }
     }
 
     #[inline(always)]