|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
|
||
|
// Use of this source code is governed by a BSD-style license that can be
|
||
|
// found in the LICENSE file.
|
||
|
|
||
|
#include "base/memory/shared_memory.h"

#include <aclapi.h>
#include <stddef.h>
#include <stdint.h>

#include <limits>

#include "base/allocator/partition_allocator/page_allocator.h"
#include "base/logging.h"
#include "base/memory/shared_memory_tracker.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/rand_util.h"
#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "base/unguessable_token.h"
|
||
|
|
||
|
namespace base {
namespace {
// Errors that can occur during Shared Memory construction.
// These match tools/metrics/histograms/histograms.xml.
// This enum is append-only: values are persisted in UMA, so never renumber or
// reuse one; add new entries before CREATE_ERROR_LAST and bump it.
enum CreateError {
  // Create() completed (including the deprecated "open existing" path).
  SUCCESS = 0,
  // SharedMemoryCreateOptions::size was 0.
  SIZE_ZERO = 1,
  // Requested size would not fit below INT_MAX once rounded up to 64 KiB.
  SIZE_TOO_LARGE = 2,
  // InitializeAcl() failed while building the empty DACL for an anonymous
  // section.
  INITIALIZE_ACL_FAILURE = 3,
  // InitializeSecurityDescriptor() failed.
  INITIALIZE_SECURITY_DESC_FAILURE = 4,
  // SetSecurityDescriptorDacl() failed.
  SET_SECURITY_DESC_FAILURE = 5,
  // CreateFileMapping() returned no handle.
  CREATE_FILE_MAPPING_FAILURE = 6,
  // DuplicateHandle() failed while stripping WRITE_DAC/WRITE_OWNER/
  // READ_CONTROL/DELETE from the freshly created mapping.
  REDUCE_PERMISSIONS_FAILURE = 7,
  // A section with the requested name already existed and the caller did not
  // opt into opening it (open_existing_deprecated was false).
  ALREADY_EXISTS = 8,
  CREATE_ERROR_LAST = ALREADY_EXISTS
};
// Records |error| in the SharedMemory.CreateError histogram and, when a Win32
// error accompanies it, the raw error code in SharedMemory.CreateWinError.
// Callers pass zero (ERROR_SUCCESS) for |winerror| when there is no associated
// Windows error; nothing is emitted to the sparse histogram in that case.
void LogError(CreateError error, DWORD winerror) {
  UMA_HISTOGRAM_ENUMERATION("SharedMemory.CreateError", error,
                            CREATE_ERROR_LAST + 1);
  // The "no error" sentinel below relies on ERROR_SUCCESS being zero.
  static_assert(ERROR_SUCCESS == 0, "Windows error code changed!");
  if (winerror == ERROR_SUCCESS)
    return;
  UmaHistogramSparse("SharedMemory.CreateWinError", winerror);
}
// Minimal declarations for ntdll's NtQuerySection, which this file resolves
// dynamically (see IsSectionSafeToMap) rather than linking against. Only the
// SectionBasicInformation class is needed here; the layouts must match the
// native ABI, which is only validated at runtime by the status the call
// returns.
typedef enum _SECTION_INFORMATION_CLASS {
  SectionBasicInformation,
} SECTION_INFORMATION_CLASS;

// Output buffer for SectionBasicInformation. |Attributes| carries the SEC_*
// creation flags of the section; SEC_IMAGE is the one this file inspects.
typedef struct _SECTION_BASIC_INFORMATION {
  PVOID BaseAddress;
  ULONG Attributes;
  LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

// Signature of NtQuerySection. The return value is an NTSTATUS; callers in
// this file treat any non-zero value as failure.
typedef ULONG(__stdcall* NtQuerySectionType)(
    HANDLE SectionHandle,
    SECTION_INFORMATION_CLASS SectionInformationClass,
    PVOID SectionInformation,
    ULONG SectionInformationLength,
    PULONG ResultLength);
// Returns the number of bytes from |address| to the end of the region that
// VirtualQuery reports for it, or 0 if the query fails.
//
// NOTE(review): VirtualQuery describes the run of pages starting at |address|
// that share the same state/protection. For a view whose pages are uniform
// that is the rest of the view; a view with mixed protections would yield
// only the first run — acceptable for the bookkeeping use in MapAt().
size_t GetMemorySectionSize(void* address) {
  MEMORY_BASIC_INFORMATION region_info = {};
  if (::VirtualQuery(address, &region_info, sizeof(region_info)) == 0)
    return 0;

  // RegionSize is measured from the allocation base, so subtract how far into
  // the allocation |address| sits.
  const char* const query_address = static_cast<char*>(address);
  const char* const allocation_base =
      static_cast<char*>(region_info.AllocationBase);
  const size_t offset_in_allocation =
      static_cast<size_t>(query_address - allocation_base);
  return region_info.RegionSize - offset_in_allocation;
}
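// Checks if the section object is safe to map. At the moment this just means
// it's not an image section (SEC_IMAGE); every other kind of section is
// accepted.
//
// The check fails closed: if NtQuerySection cannot be resolved from ntdll, or
// the query itself fails (e.g. the handle lacks SECTION_QUERY), the section is
// reported as unsafe instead of being mapped.
bool IsSectionSafeToMap(HANDLE handle) {
  // Resolved once. A function-local static has thread-safe initialization,
  // which avoids the racy check-then-assign of a plain static pointer.
  static const NtQuerySectionType nt_query_section_func =
      reinterpret_cast<NtQuerySectionType>(
          ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), "NtQuerySection"));
  DCHECK(nt_query_section_func);
  // In release builds the DCHECK is a no-op; never call through a null
  // pointer, and never let an unverifiable section through.
  if (!nt_query_section_func)
    return false;

  // The handle must have SECTION_QUERY access for this to succeed. Handles
  // produced in this file request that right explicitly.
  SECTION_BASIC_INFORMATION basic_information = {};
  const ULONG status =
      nt_query_section_func(handle, SectionBasicInformation, &basic_information,
                            sizeof(basic_information), nullptr);
  if (status != 0)
    return false;
  return (basic_information.Attributes & SEC_IMAGE) != SEC_IMAGE;
}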
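// Returns a HANDLE on success and |nullptr| on failure.
// This function is similar to CreateFileMapping, but removes the permissions
// WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE.
//
// A newly created file mapping has two sets of permissions. It has access
// control permissions (WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE) and
// file permissions (FILE_MAP_READ, FILE_MAP_WRITE, etc.). ::DuplicateHandle()
// with the parameter DUPLICATE_SAME_ACCESS copies both sets of permissions.
//
// The Chrome sandbox prevents HANDLEs with the WRITE_DAC permission from being
// duplicated into unprivileged processes. But the only way to copy file
// permissions is with the parameter DUPLICATE_SAME_ACCESS. This means that
// there is no way for a privileged process to duplicate a file mapping into an
// unprivileged process while maintaining the previous file permissions.
//
// By removing all access control permissions of a file mapping immediately
// after creation, ::DuplicateHandle() effectively only copies the file
// permissions.
//
// |rounded_size| must fit in a DWORD: only the low 32 bits are passed to
// CreateFileMapping (the high DWORD is 0). Create() guarantees this by
// bounding the size below INT_MAX.
//
// On success, GetLastError() still reflects the CreateFileMapping call, so the
// caller can detect ERROR_ALREADY_EXISTS (the object was opened, not created).
HANDLE CreateFileMappingWithReducedPermissions(SECURITY_ATTRIBUTES* sa,
                                               size_t rounded_size,
                                               LPCWSTR name) {
  DCHECK_LE(rounded_size,
            static_cast<size_t>(std::numeric_limits<DWORD>::max()));
  HANDLE h = CreateFileMapping(INVALID_HANDLE_VALUE, sa, PAGE_READWRITE, 0,
                               static_cast<DWORD>(rounded_size), name);
  if (!h) {
    LogError(CREATE_FILE_MAPPING_FAILURE, GetLastError());
    return nullptr;
  }
  // Capture the Win32 error now: the DuplicateHandle/CloseHandle calls below
  // may overwrite it, and the caller uses ERROR_ALREADY_EXISTS to tell a
  // pre-existing named section apart from a fresh one.
  const DWORD create_error = GetLastError();

  // Re-open the object through a duplicate that carries only the file
  // permissions needed by this file (plus SECTION_QUERY for
  // IsSectionSafeToMap), dropping the access-control rights.
  HANDLE h2 = nullptr;
  BOOL success = ::DuplicateHandle(
      GetCurrentProcess(), h, GetCurrentProcess(), &h2,
      FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY, FALSE, 0);
  BOOL closed = ::CloseHandle(h);
  DCHECK(closed);

  if (!success) {
    LogError(REDUCE_PERMISSIONS_FAILURE, GetLastError());
    return nullptr;
  }

  SetLastError(create_error);
  return h2;
}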
} // namespace.
// Constructs an object that owns no section and no mapping; Create() or Open()
// populates shm_ later.
SharedMemory::SharedMemory() {}
// Records |name| only; the named section is not created or opened here.
SharedMemory::SharedMemory(const string16& name) : name_(name) {}
// Adopts an existing |handle|, typically received over IPC from another
// process. It is marked as an external section so MapAt() runs
// IsSectionSafeToMap() before mapping it. |read_only| selects the view access
// MapAt() will request (FILE_MAP_READ only when true).
SharedMemory::SharedMemory(const SharedMemoryHandle& handle, bool read_only)
    : external_section_(true), shm_(handle), read_only_(read_only) {}
// Tears down in dependency order: the view is unmapped first (Unmap() reports
// the release to SharedMemoryTracker using this object's state), then the
// section handle is closed.
SharedMemory::~SharedMemory() {
  Unmap();
  Close();
}
// static
// Thin wrapper: validity is defined by SharedMemoryHandle itself.
bool SharedMemory::IsHandleValid(const SharedMemoryHandle& handle) {
  return handle.IsValid();
}
// static
// Closes |handle|'s underlying Windows handle via SharedMemoryHandle::Close().
// Note this does not touch any SharedMemory object that may still hold a copy
// of the same SharedMemoryHandle value.
void SharedMemory::CloseHandle(const SharedMemoryHandle& handle) {
  handle.Close();
}
// static
// Approximate per-process upper bound on open handles, used as a sanity limit
// on how many shared memory handles a process may hold.
size_t SharedMemory::GetHandleLimit() {
  // Rounded down from value reported here:
  // http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx
  constexpr size_t kHandleLimit = size_t{1} << 23;
  return kHandleLimit;
}
// static
// Returns a duplicate of |handle| as produced by SharedMemoryHandle::Duplicate().
// The access rights of the duplicate are determined by that method, not here;
// use GetReadOnlyHandle() on a SharedMemory object to obtain a reduced-rights
// copy.
SharedMemoryHandle SharedMemory::DuplicateHandle(
    const SharedMemoryHandle& handle) {
  return handle.Duplicate();
}
// Creates an anonymous section of |size| bytes and maps it in one step.
// Returns false if either step fails; on a mapping failure the section created
// by CreateAnonymous() remains owned by this object until Close()/destruction.
bool SharedMemory::CreateAndMapAnonymous(size_t size) {
  if (!CreateAnonymous(size))
    return false;
  return Map(size);
}
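// Creates a new section according to |options| and stores its handle in shm_.
// Returns false (after recording a CreateError via LogError) on any failure.
//
// Security model for anonymous sections (no name_deprecated): the section gets
// an empty DACL so no principal is granted access by security descriptor, and
// a 256-bit random name so that the DACL is actually honored (see the comment
// in the body). Access is then possible only through the handle returned here
// and handles duplicated from it, which CreateFileMappingWithReducedPermissions
// has already stripped of WRITE_DAC/WRITE_OWNER/READ_CONTROL/DELETE.
//
// With a caller-supplied (deprecated) name, sa.lpSecurityDescriptor stays null
// and the object receives the creator's default security; a section of that
// name may already exist and be opened instead, in which case it is treated as
// an external section (MapAt() validates it before mapping).
bool SharedMemory::Create(const SharedMemoryCreateOptions& options) {
  // TODO(crbug.com/210609): NaCl forces us to round up 64k here, wasting 32k
  // per mapping on average.
  static const size_t kSectionMask = 65536 - 1;
  DCHECK(!options.executable);
  DCHECK(!shm_.IsValid());
  if (options.size == 0) {
    LogError(SIZE_ZERO, 0);
    return false;
  }

  // Check maximum accounting for overflow. Keeping the rounded size below
  // INT_MAX also guarantees it fits in the single DWORD that
  // CreateFileMappingWithReducedPermissions passes to CreateFileMapping.
  if (options.size >
      static_cast<size_t>(std::numeric_limits<int>::max()) - kSectionMask) {
    LogError(SIZE_TOO_LARGE, 0);
    return false;
  }

  size_t rounded_size = (options.size + kSectionMask) & ~kSectionMask;
  name_ = options.name_deprecated ?
      ASCIIToUTF16(*options.name_deprecated) : L"";
  SECURITY_ATTRIBUTES sa = {sizeof(sa), nullptr, FALSE};
  SECURITY_DESCRIPTOR sd;
  ACL dacl;

  if (name_.empty()) {
    // Add an empty DACL to enforce anonymous read-only sections. An empty
    // (present but zero-ACE) DACL grants nobody access by name; only holders
    // of a handle can reach the object.
    sa.lpSecurityDescriptor = &sd;
    if (!InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION)) {
      LogError(INITIALIZE_ACL_FAILURE, GetLastError());
      return false;
    }
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
      LogError(INITIALIZE_SECURITY_DESC_FAILURE, GetLastError());
      return false;
    }
    if (!SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE)) {
      LogError(SET_SECURITY_DESC_FAILURE, GetLastError());
      return false;
    }

    // Windows ignores DACLs on certain unnamed objects (like shared sections).
    // So, we generate a random name when we need to enforce read-only.
    // The name must be unpredictable: a process that could guess it could
    // pre-create the object and hand us its own section (the ALREADY_EXISTS
    // check below is the last line of defense against that).
    uint64_t rand_values[4];
    RandBytes(&rand_values, sizeof(rand_values));
    name_ = StringPrintf(L"CrSharedMem_%016llx%016llx%016llx%016llx",
                         rand_values[0], rand_values[1],
                         rand_values[2], rand_values[3]);
  }
  DCHECK(!name_.empty());
  HANDLE section =
      CreateFileMappingWithReducedPermissions(&sa, rounded_size, name_.c_str());
  // Read the Win32 error immediately. CreateFileMapping signals that it opened
  // a pre-existing object (rather than creating one) via ERROR_ALREADY_EXISTS
  // in GetLastError(), and the calls below — SharedMemoryHandle construction,
  // UnguessableToken::Create() — may clobber that value.
  const DWORD create_error = GetLastError();
  shm_ = SharedMemoryHandle(section, rounded_size, UnguessableToken::Create());
  if (!shm_.IsValid()) {
    // The error is logged within CreateFileMappingWithReducedPermissions().
    return false;
  }

  requested_size_ = options.size;

  // Check if the shared memory pre-exists.
  if (create_error == ERROR_ALREADY_EXISTS) {
    // If the file already existed, set requested_size_ to 0 to show that
    // we don't know the size. The section was made by someone else, so treat
    // it as external (MapAt() will verify it is not an image section).
    requested_size_ = 0;
    external_section_ = true;
    if (!options.open_existing_deprecated) {
      Close();
      LogError(ALREADY_EXISTS, ERROR_ALREADY_EXISTS);
      return false;
    }
    // NOTE(review): for the random-name path a pre-existing object is a name
    // collision that should not happen; whether open_existing_deprecated is
    // ever combined with an anonymous name is not visible here.
  }

  LogError(SUCCESS, ERROR_SUCCESS);
  return true;
}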
// Removes any persistent backing for the section called |name|. Always
// succeeds on Windows without touching |name|: there is no filesystem artifact
// to remove (the section presumably disappears with its last handle).
bool SharedMemory::Delete(const std::string& name) {
  // intentionally empty -- there is nothing for us to do on Windows.
  return true;
}
// Opens an existing named section. Returns false if no such object can be
// opened with the requested access.
//
// The name lives in the session's shared object namespace, so any process
// that can create that name could be the one supplying the object. The result
// is therefore recorded as an external section and MapAt() runs
// IsSectionSafeToMap() on it before mapping; SECTION_QUERY is requested here
// so that check can succeed.
bool SharedMemory::Open(const std::string& name, bool read_only) {
  DCHECK(!shm_.IsValid());
  name_ = ASCIIToUTF16(name);
  read_only_ = read_only;
  const DWORD access =
      read_only ? (FILE_MAP_READ | SECTION_QUERY)
                : (FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY);

  // This form of sharing shared memory is deprecated. https://crbug.com/345734.
  // However, we can't get rid of it without a significant refactor because its
  // used to communicate between two versions of the same service process, very
  // early in the life cycle.
  // Technically, we should also pass the GUID from the original shared memory
  // region. We don't do that - this means that we will overcount this memory,
  // which thankfully isn't relevant since Chrome only communicates with a
  // single version of the service process.
  // We pass the size |0|, which is a dummy size and wrong, but otherwise
  // harmless.
  LPCWSTR object_name = name_.empty() ? nullptr : name_.c_str();
  shm_ = SharedMemoryHandle(OpenFileMapping(access, false, object_name), 0u,
                            UnguessableToken::Create());
  if (!shm_.IsValid())
    return false;

  // If a name specified assume it's an external section.
  if (!name_.empty())
    external_section_ = true;
  // Note: size_ is not set in this case.
  return true;
}
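// Maps |bytes| of the section starting at |offset| into this process and
// records the mapping in memory_/mapped_size_/mapped_id_. Returns false,
// leaving the object unmapped, if the handle is invalid, the arguments are out
// of range, a view already exists, the section fails the safety check, or
// MapViewOfFile fails twice.
//
// Access for the view is FILE_MAP_READ, plus FILE_MAP_WRITE unless read_only_.
bool SharedMemory::MapAt(off_t offset, size_t bytes) {
  if (!shm_.IsValid()) {
    DLOG(ERROR) << "Invalid SharedMemoryHandle.";
    return false;
  }

  // off_t is signed. A negative value would be sign-extended into a huge
  // unsigned file offset when split into the two DWORDs below; reject it
  // explicitly instead of relying on MapViewOfFile to notice.
  if (offset < 0) {
    DLOG(ERROR) << "Negative offset.";
    return false;
  }

  if (bytes > static_cast<size_t>(std::numeric_limits<int>::max())) {
    DLOG(ERROR) << "Bytes required exceeds the 2G limitation.";
    return false;
  }

  if (memory_) {
    DLOG(ERROR) << "The SharedMemory has been mapped already.";
    return false;
  }

  // Handles that came from another process or were opened by name may refer
  // to any kind of section object, including an image (SEC_IMAGE) section.
  // Refuse those before mapping anything.
  if (external_section_ && !IsSectionSafeToMap(shm_.GetHandle())) {
    DLOG(ERROR) << "SharedMemoryHandle is not safe to be mapped.";
    return false;
  }

  const DWORD access =
      read_only_ ? FILE_MAP_READ : FILE_MAP_READ | FILE_MAP_WRITE;
  const uint64_t file_offset = static_cast<uint64_t>(offset);

  // Try to map the shared memory. On the first failure, release any reserved
  // address space for a single retry.
  for (int attempt = 0; attempt < 2; ++attempt) {
    memory_ = MapViewOfFile(shm_.GetHandle(), access,
                            static_cast<DWORD>(file_offset >> 32),
                            static_cast<DWORD>(file_offset), bytes);
    if (memory_)
      break;
    ReleaseReservation();
  }
  if (!memory_) {
    DPLOG(ERROR) << "Failed executing MapViewOfFile";
    return false;
  }

  DCHECK_EQ(0U, reinterpret_cast<uintptr_t>(memory_) &
                    (SharedMemory::MAP_MINIMUM_ALIGNMENT - 1));
  // The mapped size is what the OS actually gave us, not |bytes|.
  mapped_size_ = GetMemorySectionSize(memory_);
  mapped_id_ = shm_.GetGUID();
  SharedMemoryTracker::GetInstance()->IncrementMemoryUsage(*this);
  return true;
}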
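// Releases the current view, if any. Returns false when nothing was mapped.
// The section handle itself is left open; see Close().
bool SharedMemory::Unmap() {
  if (!memory_)
    return false;

  // Report the release while this object still describes the mapping.
  SharedMemoryTracker::GetInstance()->DecrementMemoryUsage(*this);
  // A failure here would indicate a bug (the view was produced by MapAt).
  // Surface it rather than silently discarding the return value; the
  // bookkeeping is cleared regardless so the object does not keep claiming a
  // view it may no longer hold.
  if (!UnmapViewOfFile(memory_))
    DPLOG(ERROR) << "Failed executing UnmapViewOfFile";
  memory_ = nullptr;
  mapped_id_ = UnguessableToken();
  return true;
}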
// Returns a duplicate of the section handle restricted to FILE_MAP_READ and
// SECTION_QUERY (the latter so a receiver can still run IsSectionSafeToMap),
// or an invalid SharedMemoryHandle if DuplicateHandle fails. The returned
// handle is marked as having its ownership passed to IPC.
//
// NOTE(review): the duplicate being read-only protects the receiver only as
// far as the section's security descriptor does not let it re-request write
// access; that is what the empty DACL set up in Create() for anonymous
// sections is for. Sections adopted from elsewhere carry no such guarantee.
SharedMemoryHandle SharedMemory::GetReadOnlyHandle() const {
  const ProcessHandle self = GetCurrentProcess();
  HANDLE duplicate = nullptr;
  const BOOL duplicated =
      ::DuplicateHandle(self, shm_.GetHandle(), self, &duplicate,
                        FILE_MAP_READ | SECTION_QUERY, FALSE, 0);
  if (!duplicated)
    return SharedMemoryHandle();

  SharedMemoryHandle read_only_handle(duplicate, shm_.GetSize(), shm_.GetGUID());
  read_only_handle.SetOwnershipPassesToIPC(true);
  return read_only_handle;
}
// Closes the section handle held in shm_ and resets it to an invalid handle.
// Does nothing if no valid handle is held. Any existing view is not unmapped
// here; callers (and the destructor) Unmap() first.
void SharedMemory::Close() {
  if (!shm_.IsValid())
    return;
  shm_.Close();
  shm_ = SharedMemoryHandle();
}
// Returns a copy of the current handle value. Ownership stays with this
// object (unlike TakeHandle(), nothing is marked as passed to IPC), and the
// copy carries whatever access rights shm_ has, including write access when
// the section was created writable.
SharedMemoryHandle SharedMemory::handle() const {
  return shm_;
}
// Transfers the section handle out of this object, marking it as owned by IPC,
// and leaves the object unmapped with an invalid handle.
//
// Order matters: the copy of shm_ is taken first, then Unmap() runs while
// shm_ is still valid (Unmap() hands *this to SharedMemoryTracker, which may
// consult it), and only then is shm_ cleared.
SharedMemoryHandle SharedMemory::TakeHandle() {
  SharedMemoryHandle handle(shm_);
  handle.SetOwnershipPassesToIPC(true);
  Unmap();
  shm_ = SharedMemoryHandle();
  return handle;
}
} // namespace base