Fix the soundness bug in the representation of extern types

tgross35 · tgross35 · commit 452521f076d2 · 2026-03-16T17:10:35.000-05:00
Since the very first import dafaca9 ("Initial import of liblibc"), `libc` has used uninhabited enums to represent C's incomplete/opaque types. While this is, as far as I know, techincally okay when working behind raw pointers, it means that using reference types like `&FILE` can lead to easy UB. Resolve this by changing the representation to a `!Sync + !Send + !Unpin` ZST, as recommended by the nomicon [1]. The loss of auto traits technically makes this user-visible, but it is unlikely that anybody who is doing sound things was relying on these. I also used this as an opportunity to add a forward-compatibility note about intended use that should allow us to switch to real extern types once those are available. [1]: https://doc.rust-lang.org/nomicon/ffi.html#representing-opaque-structs
diff --git a/src/fuchsia/mod.rs b/src/fuchsia/mod.rs
@@ -79,9 +79,9 @@ pub type fsfilcnt_t = c_ulonglong;
 pub type rlim_t = c_ulonglong;
 
 extern_ty! {
-    pub enum timezone {}
-    pub enum DIR {}
-    pub enum fpos64_t {} // FIXME(fuchsia): fill this out with a struct
+    pub type timezone;
+    pub type DIR;
+    pub type fpos64_t; // FIXME(fuchsia): fill this out with a struct
 }
 
 // PUB_STRUCT
@@ -3192,8 +3192,8 @@ fn __MHDR_END(mhdr: *const msghdr) -> *mut c_uchar {
 extern "C" {}
 
 extern_ty! {
-    pub enum FILE {}
-    pub enum fpos_t {} // FIXME(fuchsia): fill this out with a struct
+    pub type FILE;
+    pub type fpos_t; // FIXME(fuchsia): fill this out with a struct
 }
 
 extern "C" {
diff --git a/src/macros.rs b/src/macros.rs
@@ -246,17 +246,37 @@ macro_rules! s_no_extra_traits {
 macro_rules! extern_ty {
     ($(
         $(#[$attr:meta])*
-        pub enum $i:ident {}
+        pub type $i:ident;
     )*) => ($(
         $(#[$attr])*
+        /// This is an extern type ("opaque" or "incomplete" type in C).
+        ///
+        /// <div class="warning">
+        /// This type's current representation allows inspecting some properties, such as via
+        /// <code>size_of</code>, and it is technically possible to construct the type within
+        /// <code>MaybeUninit</code>, However, this <strong>MUST NOT</strong> be relied upon
+        /// because a future version of <code>libc</code> may switch to a proper
+        /// <a href="https://rust-lang.github.io/rfcs/1861-extern-types.html">extern type</a>
+        /// representation when available.
+        /// </div>
+        // ^ unfortunately warning blocks currently don't render markdown so we need to
+        // use raw HTML.
+        //
+        // Representation based on the Nomicon:
+        // <https://doc.rust-lang.org/nomicon/ffi.html#representing-opaque-structs>.
+        //
         // FIXME(1.0): the type is uninhabited so these traits are unreachable and could be
         // removed.
         #[::core::prelude::v1::derive(
             ::core::clone::Clone,
             ::core::marker::Copy,
             ::core::fmt::Debug,
         )]
-        pub enum $i { }
+        #[repr(C)]
+        pub struct $i {
+            _data: (),
+            _marker: ::core::marker::PhantomData<(*mut u8, ::core::marker::PhantomPinned)>,
+        }
     )*);
 }
 
diff --git a/src/new/qurt/mod.rs b/src/new/qurt/mod.rs
@@ -60,7 +60,7 @@ pub type fd_set = c_ulong;
 
 // Standard C library types
 extern_ty! {
-    pub enum FILE {}
+    pub type FILE;
 }
 pub type fpos_t = c_long;
 pub type clock_t = c_long;
diff --git a/src/solid/mod.rs b/src/solid/mod.rs
@@ -397,8 +397,8 @@ pub const SIGUSR2: c_int = 31;
 pub const SIGPWR: c_int = 32;
 
 extern_ty! {
-    pub enum FILE {}
-    pub enum fpos_t {}
+    pub type FILE;
+    pub type fpos_t;
 }
 
 extern "C" {
diff --git a/src/unix/aix/powerpc64.rs b/src/unix/aix/powerpc64.rs
@@ -3,7 +3,7 @@ use crate::prelude::*;
 
 // Define lock_data_instrumented as an empty enum
 extern_ty! {
-    pub enum lock_data_instrumented {}
+    pub type lock_data_instrumented;
 }
 
 s! {
diff --git a/src/unix/bsd/apple/mod.rs b/src/unix/bsd/apple/mod.rs
@@ -176,7 +176,7 @@ pub type attrgroup_t = u32;
 pub type vol_capabilities_set_t = [u32; 4];
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 c_enum! {
diff --git a/src/unix/bsd/freebsdlike/dragonfly/mod.rs b/src/unix/bsd/freebsdlike/dragonfly/mod.rs
@@ -49,7 +49,7 @@ pub type vm_map_entry_t = *mut vm_map_entry;
 pub type pmap = __c_anonymous_pmap;
 
 extern_ty! {
-    pub enum sem {}
+    pub type sem;
 }
 
 c_enum! {
diff --git a/src/unix/bsd/freebsdlike/mod.rs b/src/unix/bsd/freebsdlike/mod.rs
@@ -60,7 +60,7 @@ cfg_if! {
 // link.h
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 impl siginfo_t {
diff --git a/src/unix/bsd/netbsdlike/mod.rs b/src/unix/bsd/netbsdlike/mod.rs
@@ -17,8 +17,8 @@ pub type sem_t = *mut sem;
 pub type key_t = c_long;
 
 extern_ty! {
-    pub enum timezone {}
-    pub enum sem {}
+    pub type timezone;
+    pub type sem;
 }
 
 s! {
diff --git a/src/unix/bsd/netbsdlike/netbsd/mod.rs b/src/unix/bsd/netbsdlike/netbsd/mod.rs
@@ -45,7 +45,7 @@ c_enum! {
 }
 
 extern_ty! {
-    pub enum _cpuset {}
+    pub type _cpuset;
 }
 
 cfg_if! {
diff --git a/src/unix/cygwin/mod.rs b/src/unix/cygwin/mod.rs
@@ -29,7 +29,7 @@ pub type suseconds_t = c_long;
 pub type useconds_t = c_ulong;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 pub type sigset_t = c_ulong;
@@ -71,7 +71,7 @@ pub type nfds_t = c_uint;
 pub type sem_t = *mut sem;
 
 extern_ty! {
-    pub enum sem {}
+    pub type sem;
 }
 
 pub type tcflag_t = c_uint;
diff --git a/src/unix/haiku/mod.rs b/src/unix/haiku/mod.rs
@@ -81,7 +81,7 @@ pub type posix_spawnattr_t = *mut c_void;
 pub type posix_spawn_file_actions_t = *mut c_void;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 impl siginfo_t {
diff --git a/src/unix/hurd/mod.rs b/src/unix/hurd/mod.rs
@@ -226,8 +226,8 @@ pub type nl_item = c_int;
 pub type iconv_t = *mut c_void;
 
 extern_ty! {
-    pub enum fpos64_t {} // FIXME(hurd): fill this out with a struct
-    pub enum timezone {}
+    pub type fpos64_t; // FIXME(hurd): fill this out with a struct
+    pub type timezone;
 }
 
 // structs
diff --git a/src/unix/linux_like/emscripten/mod.rs b/src/unix/linux_like/emscripten/mod.rs
@@ -41,7 +41,7 @@ pub type statvfs64 = crate::statvfs;
 pub type dirent64 = crate::dirent;
 
 extern_ty! {
-    pub enum fpos64_t {} // FIXME(emscripten): fill this out with a struct
+    pub type fpos64_t; // FIXME(emscripten): fill this out with a struct
 }
 
 s! {
diff --git a/src/unix/linux_like/linux_l4re_shared.rs b/src/unix/linux_like/linux_l4re_shared.rs
@@ -35,7 +35,7 @@ pub type iconv_t = *mut c_void;
 cfg_if! {
     if #[cfg(not(target_env = "gnu"))] {
         extern_ty! {
-            pub enum fpos64_t {} // FIXME(linux): fill this out with a struct
+            pub type fpos64_t; // FIXME(linux): fill this out with a struct
         }
     }
 }
diff --git a/src/unix/linux_like/mod.rs b/src/unix/linux_like/mod.rs
@@ -10,7 +10,7 @@ pub type key_t = c_int;
 pub type id_t = c_uint;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 s! {
diff --git a/src/unix/mod.rs b/src/unix/mod.rs
@@ -38,7 +38,7 @@ cfg_if! {
 }
 
 extern_ty! {
-    pub enum DIR {}
+    pub type DIR;
 }
 
 #[cfg(not(target_os = "nuttx"))]
@@ -602,13 +602,13 @@ cfg_if! {
 cfg_if! {
     if #[cfg(not(all(target_os = "linux", target_env = "gnu")))] {
         extern_ty! {
-            pub enum fpos_t {} // FIXME(unix): fill this out with a struct
+            pub type fpos_t; // FIXME(unix): fill this out with a struct
         }
     }
 }
 
 extern_ty! {
-    pub enum FILE {}
+    pub type FILE;
 }
 
 extern "C" {
diff --git a/src/unix/nto/mod.rs b/src/unix/nto/mod.rs
@@ -73,7 +73,7 @@ pub type sem_t = sync_t;
 pub type nl_item = c_int;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 s! {
diff --git a/src/unix/redox/mod.rs b/src/unix/redox/mod.rs
@@ -32,7 +32,7 @@ pub type uid_t = c_int;
 pub type gid_t = c_int;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 s! {
diff --git a/src/unix/solarish/mod.rs b/src/unix/solarish/mod.rs
@@ -56,8 +56,8 @@ pub type posix_spawnattr_t = *mut c_void;
 pub type posix_spawn_file_actions_t = *mut c_void;
 
 extern_ty! {
-    pub enum timezone {}
-    pub enum ucred_t {}
+    pub type timezone;
+    pub type ucred_t;
 }
 
 s! {
diff --git a/src/vxworks/mod.rs b/src/vxworks/mod.rs
@@ -5,7 +5,7 @@ use core::ptr::null_mut;
 use crate::prelude::*;
 
 extern_ty! {
-    pub enum DIR {}
+    pub type DIR;
 }
 
 pub type intmax_t = i64;
@@ -95,7 +95,7 @@ pub type sa_family_t = c_uchar;
 pub type mqd_t = c_int;
 
 extern_ty! {
-    pub enum _Vx_semaphore {}
+    pub type _Vx_semaphore;
 }
 
 impl siginfo_t {
@@ -1435,8 +1435,8 @@ pub const TIOCGWINSZ: c_int = 0x1740087468;
 pub const TIOCSWINSZ: c_int = -0x7ff78b99;
 
 extern_ty! {
-    pub enum FILE {}
-    pub enum fpos_t {} // FIXME(vxworks): fill this out with a struct
+    pub type FILE;
+    pub type fpos_t; // FIXME(vxworks): fill this out with a struct
 }
 
 f! {
diff --git a/src/wasi/mod.rs b/src/wasi/mod.rs
@@ -45,15 +45,11 @@ s_no_extra_traits! {
     }
 }
 
-#[allow(missing_copy_implementations)]
-#[derive(Debug)]
-pub enum FILE {}
-#[allow(missing_copy_implementations)]
-#[derive(Debug)]
-pub enum DIR {}
-#[allow(missing_copy_implementations)]
-#[derive(Debug)]
-pub enum __locale_struct {}
+extern_ty! {
+    pub type FILE;
+    pub type DIR;
+    pub type __locale_struct;
+}
 
 s_paren! {
     // in wasi-libc clockid_t is const struct __clockid* (where __clockid is an opaque struct),
diff --git a/src/windows/mod.rs b/src/windows/mod.rs
@@ -31,7 +31,7 @@ pub type dev_t = u32;
 pub type ino_t = u16;
 
 extern_ty! {
-    pub enum timezone {}
+    pub type timezone;
 }
 
 pub type time64_t = i64;
@@ -246,8 +246,8 @@ pub const L_tmpnam: c_uint = 260;
 pub const TMP_MAX: c_uint = 0x7fff_ffff;
 
 extern_ty! {
-    pub enum FILE {}
-    pub enum fpos_t {} // FIXME(windows): fill this out with a struct
+    pub type FILE;
+    pub type fpos_t; // FIXME(windows): fill this out with a struct
 }
 
 // Special handling for all print and scan type functions because of https://github.com/rust-lang/libc/issues/2860

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ pub type fd_set = c_ulong;`
`60`	`60`
`61`	`61`	`// Standard C library types`
`62`	`62`	`extern_ty! {`
`63`		`- pub enum FILE {}`
	`63`	`+ pub type FILE;`
`64`	`64`	`}`
`65`	`65`	`pub type fpos_t = c_long;`
`66`	`66`	`pub type clock_t = c_long;`
Original file line number	Diff line number	Diff line change
`@@ -397,8 +397,8 @@ pub const SIGUSR2: c_int = 31;`
`397`	`397`	`pub const SIGPWR: c_int = 32;`
`398`	`398`
`399`	`399`	`extern_ty! {`
`400`		`- pub enum FILE {}`
`401`		`- pub enum fpos_t {}`
	`400`	`+ pub type FILE;`
	`401`	`+ pub type fpos_t;`
`402`	`402`	`}`
`403`	`403`
`404`	`404`	`extern "C" {`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ use crate::prelude::*;`
`3`	`3`
`4`	`4`	`// Define lock_data_instrumented as an empty enum`
`5`	`5`	`extern_ty! {`
`6`		`- pub enum lock_data_instrumented {}`
	`6`	`+ pub type lock_data_instrumented;`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`s! {`
Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ pub type attrgroup_t = u32;`
`176`	`176`	`pub type vol_capabilities_set_t = [u32; 4];`
`177`	`177`
`178`	`178`	`extern_ty! {`
`179`		`- pub enum timezone {}`
	`179`	`+ pub type timezone;`
`180`	`180`	`}`
`181`	`181`
`182`	`182`	`c_enum! {`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ pub type vm_map_entry_t = *mut vm_map_entry;`
`49`	`49`	`pub type pmap = __c_anonymous_pmap;`
`50`	`50`
`51`	`51`	`extern_ty! {`
`52`		`- pub enum sem {}`
	`52`	`+ pub type sem;`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`c_enum! {`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ cfg_if! {`
`60`	`60`	`// link.h`
`61`	`61`
`62`	`62`	`extern_ty! {`
`63`		`- pub enum timezone {}`
	`63`	`+ pub type timezone;`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`impl siginfo_t {`
Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,8 @@ pub type sem_t = *mut sem;`
`17`	`17`	`pub type key_t = c_long;`
`18`	`18`
`19`	`19`	`extern_ty! {`
`20`		`- pub enum timezone {}`
`21`		`- pub enum sem {}`
	`20`	`+ pub type timezone;`
	`21`	`+ pub type sem;`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`s! {`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ c_enum! {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`extern_ty! {`
`48`		`- pub enum _cpuset {}`
	`48`	`+ pub type _cpuset;`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`cfg_if! {`