Attribute #[link_section] can cause type confusion; use should be marked unsafe

[reinerp]

Attribute #[link_section] allows code to be placed into named linker sections. Some of these sections have special meanings to the operating system or other parts of the runtime environment. For example, in ELF binaries, objects in section .init_array.65534 (or any other .init_array.<N>) are assumed to be function pointers with a specific signature. These function pointers are executed by the system during program startup.

In Rust you can place data of arbitrary type in any link section, in safe code. For example, by placing 0usize in section .init_array.65534, you can create a program that segfaults (execution jumps to a null pointer), entirely in safe code. Playground link.

One natural response to this is to make use of #[link_section] unsafe. For use to be sound, the user of #[link_section] must prove that the type of data they are placing in this section is consistent with the environment's type expectations of that section name.

---

Other uses of link sections, such as the linkme crate, are subject to the same unsafety: if you define a #[link_section] that happens to use the same name as the linkme crate uses, you can cause linkme to interpret your data as its own type. One variant of this issue is discussed in dtolnay/linkme#3.

[ChrisDenton]

See also: #82499

[nagisa]

Right, I believe this to be duplicate of the #82499 linked above. It would be helpful if you reproduced your comment on that issue. I'll close this for now, since tracking work on this specific attribute by itself doesn't seem like it would provide extra value over the older aggregated issue.