// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "base/memory/shared_memory.h" #include #include #include #include "base/logging.h" #include "base/memory/shared_memory_tracker.h" #include "base/metrics/histogram_macros.h" #include "base/rand_util.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" #include "base/unguessable_token.h" namespace { // Errors that can occur during Shared Memory construction. // These match tools/metrics/histograms/histograms.xml. // This enum is append-only. enum CreateError { SUCCESS = 0, SIZE_ZERO = 1, SIZE_TOO_LARGE = 2, INITIALIZE_ACL_FAILURE = 3, INITIALIZE_SECURITY_DESC_FAILURE = 4, SET_SECURITY_DESC_FAILURE = 5, CREATE_FILE_MAPPING_FAILURE = 6, REDUCE_PERMISSIONS_FAILURE = 7, ALREADY_EXISTS = 8, CREATE_ERROR_LAST = ALREADY_EXISTS }; // Emits UMA metrics about encountered errors. Pass zero (0) for |winerror| // if there is no associated Windows error. void LogError(CreateError error, DWORD winerror) { UMA_HISTOGRAM_ENUMERATION("SharedMemory.CreateError", error, CREATE_ERROR_LAST + 1); static_assert(ERROR_SUCCESS == 0, "Windows error code changed!"); if (winerror != ERROR_SUCCESS) UMA_HISTOGRAM_SPARSE_SLOWLY("SharedMemory.CreateWinError", winerror); } typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, } SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; ULONG Attributes; LARGE_INTEGER Size; } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; typedef ULONG(__stdcall* NtQuerySectionType)( HANDLE SectionHandle, SECTION_INFORMATION_CLASS SectionInformationClass, PVOID SectionInformation, ULONG SectionInformationLength, PULONG ResultLength); // Returns the length of the memory section starting at the supplied address. size_t GetMemorySectionSize(void* address) { MEMORY_BASIC_INFORMATION memory_info; if (!::VirtualQuery(address, &memory_info, sizeof(memory_info))) return 0; return memory_info.RegionSize - (static_cast(address) - static_cast(memory_info.AllocationBase)); } // Checks if the section object is safe to map. At the moment this just means // it's not an image section. bool IsSectionSafeToMap(HANDLE handle) { static NtQuerySectionType nt_query_section_func; if (!nt_query_section_func) { nt_query_section_func = reinterpret_cast( ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), "NtQuerySection")); DCHECK(nt_query_section_func); } // The handle must have SECTION_QUERY access for this to succeed. SECTION_BASIC_INFORMATION basic_information = {}; ULONG status = nt_query_section_func(handle, SectionBasicInformation, &basic_information, sizeof(basic_information), nullptr); if (status) return false; return (basic_information.Attributes & SEC_IMAGE) != SEC_IMAGE; } // Returns a HANDLE on success and |nullptr| on failure. // This function is similar to CreateFileMapping, but removes the permissions // WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE. // // A newly created file mapping has two sets of permissions. It has access // control permissions (WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE) and // file permissions (FILE_MAP_READ, FILE_MAP_WRITE, etc.). ::DuplicateHandle() // with the parameter DUPLICATE_SAME_ACCESS copies both sets of permissions. // // The Chrome sandbox prevents HANDLEs with the WRITE_DAC permission from being // duplicated into unprivileged processes. But the only way to copy file // permissions is with the parameter DUPLICATE_SAME_ACCESS. This means that // there is no way for a privileged process to duplicate a file mapping into an // unprivileged process while maintaining the previous file permissions. // // By removing all access control permissions of a file mapping immediately // after creation, ::DuplicateHandle() effectively only copies the file // permissions. HANDLE CreateFileMappingWithReducedPermissions(SECURITY_ATTRIBUTES* sa, size_t rounded_size, LPCWSTR name) { HANDLE h = CreateFileMapping(INVALID_HANDLE_VALUE, sa, PAGE_READWRITE, 0, static_cast(rounded_size), name); if (!h) { LogError(CREATE_FILE_MAPPING_FAILURE, GetLastError()); return nullptr; } HANDLE h2; BOOL success = ::DuplicateHandle( GetCurrentProcess(), h, GetCurrentProcess(), &h2, FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY, FALSE, 0); BOOL rv = ::CloseHandle(h); DCHECK(rv); if (!success) { LogError(REDUCE_PERMISSIONS_FAILURE, GetLastError()); return nullptr; } return h2; } } // namespace. namespace base { SharedMemory::SharedMemory() {} SharedMemory::SharedMemory(const string16& name) : name_(name) {} SharedMemory::SharedMemory(const SharedMemoryHandle& handle, bool read_only) : external_section_(true), shm_(handle), read_only_(read_only) {} SharedMemory::~SharedMemory() { Unmap(); Close(); } // static bool SharedMemory::IsHandleValid(const SharedMemoryHandle& handle) { return handle.IsValid(); } // static void SharedMemory::CloseHandle(const SharedMemoryHandle& handle) { handle.Close(); } // static size_t SharedMemory::GetHandleLimit() { // Rounded down from value reported here: // http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx return static_cast(1 << 23); } // static SharedMemoryHandle SharedMemory::DuplicateHandle( const SharedMemoryHandle& handle) { return handle.Duplicate(); } bool SharedMemory::CreateAndMapAnonymous(size_t size) { return CreateAnonymous(size) && Map(size); } bool SharedMemory::Create(const SharedMemoryCreateOptions& options) { // TODO(bsy,sehr): crbug.com/210609 NaCl forces us to round up 64k here, // wasting 32k per mapping on average. static const size_t kSectionMask = 65536 - 1; DCHECK(!options.executable); DCHECK(!shm_.IsValid()); if (options.size == 0) { LogError(SIZE_ZERO, 0); return false; } // Check maximum accounting for overflow. if (options.size > static_cast(std::numeric_limits::max()) - kSectionMask) { LogError(SIZE_TOO_LARGE, 0); return false; } size_t rounded_size = (options.size + kSectionMask) & ~kSectionMask; name_ = options.name_deprecated ? ASCIIToUTF16(*options.name_deprecated) : L""; SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE }; SECURITY_DESCRIPTOR sd; ACL dacl; if (name_.empty()) { // Add an empty DACL to enforce anonymous read-only sections. sa.lpSecurityDescriptor = &sd; if (!InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION)) { LogError(INITIALIZE_ACL_FAILURE, GetLastError()); return false; } if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) { LogError(INITIALIZE_SECURITY_DESC_FAILURE, GetLastError()); return false; } if (!SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE)) { LogError(SET_SECURITY_DESC_FAILURE, GetLastError()); return false; } // Windows ignores DACLs on certain unnamed objects (like shared sections). // So, we generate a random name when we need to enforce read-only. uint64_t rand_values[4]; RandBytes(&rand_values, sizeof(rand_values)); name_ = StringPrintf(L"CrSharedMem_%016llx%016llx%016llx%016llx", rand_values[0], rand_values[1], rand_values[2], rand_values[3]); } DCHECK(!name_.empty()); shm_ = SharedMemoryHandle( CreateFileMappingWithReducedPermissions(&sa, rounded_size, name_.c_str()), rounded_size, UnguessableToken::Create()); if (!shm_.IsValid()) { // The error is logged within CreateFileMappingWithReducedPermissions(). return false; } requested_size_ = options.size; // Check if the shared memory pre-exists. if (GetLastError() == ERROR_ALREADY_EXISTS) { // If the file already existed, set requested_size_ to 0 to show that // we don't know the size. requested_size_ = 0; external_section_ = true; if (!options.open_existing_deprecated) { Close(); // From "if" above: GetLastError() == ERROR_ALREADY_EXISTS. LogError(ALREADY_EXISTS, ERROR_ALREADY_EXISTS); return false; } } LogError(SUCCESS, ERROR_SUCCESS); return true; } bool SharedMemory::Delete(const std::string& name) { // intentionally empty -- there is nothing for us to do on Windows. return true; } bool SharedMemory::Open(const std::string& name, bool read_only) { DCHECK(!shm_.IsValid()); DWORD access = FILE_MAP_READ | SECTION_QUERY; if (!read_only) access |= FILE_MAP_WRITE; name_ = ASCIIToUTF16(name); read_only_ = read_only; // This form of sharing shared memory is deprecated. https://crbug.com/345734. // However, we can't get rid of it without a significant refactor because its // used to communicate between two versions of the same service process, very // early in the life cycle. // Technically, we should also pass the GUID from the original shared memory // region. We don't do that - this means that we will overcount this memory, // which thankfully isn't relevant since Chrome only communicates with a // single version of the service process. // We pass the size |0|, which is a dummy size and wrong, but otherwise // harmless. shm_ = SharedMemoryHandle( OpenFileMapping(access, false, name_.empty() ? nullptr : name_.c_str()), 0u, UnguessableToken::Create()); if (!shm_.IsValid()) return false; // If a name specified assume it's an external section. if (!name_.empty()) external_section_ = true; // Note: size_ is not set in this case. return true; } bool SharedMemory::MapAt(off_t offset, size_t bytes) { if (!shm_.IsValid()) { DLOG(ERROR) << "Invalid SharedMemoryHandle."; return false; } if (bytes > static_cast(std::numeric_limits::max())) { DLOG(ERROR) << "Bytes required exceeds the 2G limitation."; return false; } if (memory_) { DLOG(ERROR) << "The SharedMemory has been mapped already."; return false; } if (external_section_ && !IsSectionSafeToMap(shm_.GetHandle())) { DLOG(ERROR) << "SharedMemoryHandle is not safe to be mapped."; return false; } memory_ = MapViewOfFile( shm_.GetHandle(), read_only_ ? FILE_MAP_READ : FILE_MAP_READ | FILE_MAP_WRITE, static_cast(offset) >> 32, static_cast(offset), bytes); if (memory_ != NULL) { DCHECK_EQ(0U, reinterpret_cast(memory_) & (SharedMemory::MAP_MINIMUM_ALIGNMENT - 1)); mapped_size_ = GetMemorySectionSize(memory_); mapped_id_ = shm_.GetGUID(); SharedMemoryTracker::GetInstance()->IncrementMemoryUsage(*this); return true; } DPLOG(ERROR) << "Failed executing MapViewOfFile"; return false; } bool SharedMemory::Unmap() { if (memory_ == NULL) return false; SharedMemoryTracker::GetInstance()->DecrementMemoryUsage(*this); UnmapViewOfFile(memory_); memory_ = NULL; mapped_id_ = UnguessableToken(); return true; } SharedMemoryHandle SharedMemory::GetReadOnlyHandle() { HANDLE result; ProcessHandle process = GetCurrentProcess(); if (!::DuplicateHandle(process, shm_.GetHandle(), process, &result, FILE_MAP_READ | SECTION_QUERY, FALSE, 0)) { return SharedMemoryHandle(); } SharedMemoryHandle handle = SharedMemoryHandle(result, shm_.GetSize(), shm_.GetGUID()); handle.SetOwnershipPassesToIPC(true); return handle; } void SharedMemory::Close() { if (shm_.IsValid()) { shm_.Close(); shm_ = SharedMemoryHandle(); } } SharedMemoryHandle SharedMemory::handle() const { return shm_; } SharedMemoryHandle SharedMemory::TakeHandle() { SharedMemoryHandle handle(shm_); handle.SetOwnershipPassesToIPC(true); shm_ = SharedMemoryHandle(); memory_ = nullptr; mapped_size_ = 0; return handle; } } // namespace base