Use associated constant to make Lazy's fields private.

This is to patch an obscure soundness hole.

With the fields public, it is possible to for a consumer crate to access and call the std::sync::Once without assigning the correct value to the pointer in the tuple's first field, making it possible to later deref a null pointer from safe code.

However now that lazy_static targets 1.21.0+, we can use an associated constant in the __lazy_static_create macro instead of requiring consumers to literally construct the inner values post-expansion. This is technically a breaking change, but given that any existing use of these inner fields is very likely to cause unsoundness I think it's consistent with Rust's semver policy to make this change and stay at 1.0.

Author: anp

src/heap_lazy.rs

@@ -11,12 +11,15 @@ use self::std::prelude::v1::*;
 use self::std::sync::Once;
 pub use self::std::sync::ONCE_INIT;
 
-pub struct Lazy<T: Sync>(pub *const T, pub Once);
+pub struct Lazy<T: Sync>(*const T, Once);
 
 impl<T: Sync> Lazy<T> {
+    pub const INIT: Self = Lazy(0 as *const T, ONCE_INIT);
+
     #[inline(always)]
     pub fn get<F>(&'static mut self, f: F) -> &T
-        where F: FnOnce() -> T
+    where
+        F: FnOnce() -> T,
     {
         unsafe {
             let r = &mut self.0;
@@ -35,6 +38,6 @@ unsafe impl<T: Sync> Sync for Lazy<T> {}
 #[doc(hidden)]
 macro_rules! __lazy_static_create {
     ($NAME:ident, $T:ty) => {
-        static mut $NAME: $crate::lazy::Lazy<$T> = $crate::lazy::Lazy(0 as *const $T, $crate::lazy::ONCE_INIT);
-    }
+        static mut $NAME: $crate::lazy::Lazy<$T> = $crate::lazy::Lazy::INIT;
+    };
 }