naiveproxy/base/memory/protected_memory_cfi.h

88 lines
3.2 KiB
C
Raw Normal View History

2018-01-28 21:32:06 +03:00
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Helper routines to call function pointers stored in protected memory with
// Control Flow Integrity indirect call checking disabled. Some indirect calls,
// e.g. dynamically resolved symbols in another DSO, can not be accounted for by
// CFI-icall. These routines allow those symbols to be called without CFI-icall
// checking safely by ensuring that they are placed in protected memory.
#ifndef BASE_MEMORY_PROTECTED_MEMORY_CFI_H_
#define BASE_MEMORY_PROTECTED_MEMORY_CFI_H_
#include <utility>
#include "base/cfi_flags.h"
#include "base/macros.h"
#include "base/memory/protected_memory.h"
#include "build/build_config.h"
#if BUILDFLAG(CFI_ICALL_CHECK) && !PROTECTED_MEMORY_ENABLED
#error "CFI-icall enabled for platform without protected memory support"
#endif // BUILDFLAG(CFI_ICALL_CHECK) && !PROTECTED_MEMORY_ENABLED
namespace base {
namespace internal {
// This class is used to exempt calls to function pointers stored in
// ProtectedMemory from cfi-icall checking. It's not secure to use directly, it
// should only be used by the UnsanitizedCfiCall() functions below. Given an
// UnsanitizedCfiCall object, you can use operator() to call the encapsulated
// function pointer without cfi-icall checking.
template <typename FunctionType>
class UnsanitizedCfiCall {
public:
explicit UnsanitizedCfiCall(FunctionType function) : function_(function) {}
UnsanitizedCfiCall(UnsanitizedCfiCall&&) = default;
template <typename... Args>
#if !defined(COMPILER_MSVC)
__attribute__((no_sanitize("cfi-icall")))
#endif // !defined(COMPILER_MSVC)
auto operator()(Args&&... args) {
return function_(std::forward<Args>(args)...);
}
private:
FunctionType function_;
DISALLOW_IMPLICIT_CONSTRUCTORS(UnsanitizedCfiCall);
};
} // namespace internal
// These functions can be used to call function pointers in ProtectedMemory
// without cfi-icall checking. They are intended to be used to create an
// UnsanitizedCfiCall object and immediately call it. UnsanitizedCfiCall objects
// should not initialized directly or stored because they hold a function
// pointer that will be called without CFI-icall checking in mutable memory. The
// functions can be used as shown below:
// ProtectedMemory<void (*)(int)> p;
// UnsanitizedCfiCall(p)(5); /* In place of (*p)(5); */
template <typename T>
auto UnsanitizedCfiCall(const ProtectedMemory<T>& PM) {
#if PROTECTED_MEMORY_ENABLED
DCHECK(&PM >= ProtectedMemoryStart && &PM < ProtectedMemoryEnd);
#endif // PROTECTED_MEMORY_ENABLED
return internal::UnsanitizedCfiCall<T>(*PM);
}
// struct S { void (*fp)(int); } s;
// ProtectedMemory<S> p;
// UnsanitizedCfiCall(p, &S::fp)(5); /* In place of p->fp(5); */
template <typename T, typename Member>
auto UnsanitizedCfiCall(const ProtectedMemory<T>& PM, Member member) {
#if PROTECTED_MEMORY_ENABLED
DCHECK(&PM >= ProtectedMemoryStart && &PM < ProtectedMemoryEnd);
#endif // PROTECTED_MEMORY_ENABLED
return internal::UnsanitizedCfiCall<decltype(*PM.*member)>(*PM.*member);
}
} // namespace base
#endif // BASE_MEMORY_PROTECTED_MEMORY_CFI_H_