From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- ipc/glue/Shmem.cpp | 458 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 458 insertions(+) create mode 100644 ipc/glue/Shmem.cpp (limited to 'ipc/glue/Shmem.cpp') diff --git a/ipc/glue/Shmem.cpp b/ipc/glue/Shmem.cpp new file mode 100644 index 0000000000..775d852faa --- /dev/null +++ b/ipc/glue/Shmem.cpp @@ -0,0 +1,458 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "Shmem.h" + +#include "ProtocolUtils.h" +#include "SharedMemoryBasic.h" +#include "ShmemMessageUtils.h" +#include "chrome/common/ipc_message_utils.h" +#include "mozilla/Unused.h" + +namespace mozilla { +namespace ipc { + +class ShmemCreated : public IPC::Message { + private: + typedef Shmem::id_t id_t; + + public: + ShmemCreated(int32_t routingId, id_t aIPDLId, size_t aSize) + : IPC::Message( + routingId, SHMEM_CREATED_MESSAGE_TYPE, 0, + HeaderFlags(NESTED_INSIDE_CPOW, CONTROL_PRIORITY, COMPRESSION_NONE, + LAZY_SEND, NOT_CONSTRUCTOR, ASYNC, NOT_REPLY)) { + MOZ_RELEASE_ASSERT(aSize < std::numeric_limits::max(), + "Tried to create Shmem with size larger than 4GB"); + IPC::MessageWriter writer(*this); + IPC::WriteParam(&writer, aIPDLId); + IPC::WriteParam(&writer, uint32_t(aSize)); + } + + static bool ReadInfo(IPC::MessageReader* aReader, id_t* aIPDLId, + size_t* aSize) { + uint32_t size = 0; + if (!IPC::ReadParam(aReader, aIPDLId) || !IPC::ReadParam(aReader, &size)) { + return false; + } + *aSize = size; + return true; + } + + void Log(const std::string& aPrefix, FILE* aOutf) const { + fputs("(special ShmemCreated msg)", aOutf); + } +}; + +class ShmemDestroyed : public IPC::Message { + private: + typedef Shmem::id_t id_t; + + public: + ShmemDestroyed(int32_t routingId, id_t aIPDLId) + : IPC::Message( + routingId, SHMEM_DESTROYED_MESSAGE_TYPE, 0, + HeaderFlags(NOT_NESTED, NORMAL_PRIORITY, COMPRESSION_NONE, + LAZY_SEND, NOT_CONSTRUCTOR, ASYNC, NOT_REPLY)) { + IPC::MessageWriter writer(*this); + IPC::WriteParam(&writer, aIPDLId); + } +}; + +static SharedMemory* NewSegment() { return new SharedMemoryBasic; } + +static already_AddRefed CreateSegment(size_t aNBytes, + size_t aExtraSize) { + RefPtr segment = NewSegment(); + if (!segment) { + return nullptr; + } + size_t size = SharedMemory::PageAlignedSize(aNBytes + aExtraSize); + if (!segment->Create(size) || !segment->Map(size)) { + return nullptr; + } + return segment.forget(); +} + +static already_AddRefed ReadSegment( + const IPC::Message& aDescriptor, Shmem::id_t* aId, size_t* aNBytes, + size_t aExtraSize) { + if (SHMEM_CREATED_MESSAGE_TYPE != aDescriptor.type()) { + NS_ERROR("expected 'shmem created' message"); + return nullptr; + } + IPC::MessageReader reader(aDescriptor); + if (!ShmemCreated::ReadInfo(&reader, aId, aNBytes)) { + return nullptr; + } + RefPtr segment = NewSegment(); + if (!segment) { + return nullptr; + } + if (!segment->ReadHandle(&reader)) { + NS_ERROR("trying to open invalid handle"); + return nullptr; + } + reader.EndRead(); + size_t size = SharedMemory::PageAlignedSize(*aNBytes + aExtraSize); + if (!segment->Map(size)) { + return nullptr; + } + // close the handle to the segment after it is mapped + segment->CloseHandle(); + return segment.forget(); +} + +static void DestroySegment(SharedMemory* aSegment) { + // the SharedMemory dtor closes and unmaps the actual OS shmem segment + if (aSegment) { + aSegment->Release(); + } +} + +#if defined(DEBUG) + +static const char sMagic[] = + "This little piggy went to market.\n" + "This little piggy stayed at home.\n" + "This little piggy has roast beef,\n" + "This little piggy had none.\n" + "And this little piggy cried \"Wee! Wee! Wee!\" all the way home"; + +struct Header { + // Don't use size_t or bool here because their size depends on the + // architecture. + uint32_t mSize; + uint32_t mUnsafe; + char mMagic[sizeof(sMagic)]; +}; + +static void GetSections(Shmem::SharedMemory* aSegment, Header** aHeader, + char** aFrontSentinel, char** aData, + char** aBackSentinel) { + MOZ_ASSERT(aSegment && aFrontSentinel && aData && aBackSentinel, + "null param(s)"); + + *aFrontSentinel = reinterpret_cast(aSegment->memory()); + MOZ_ASSERT(*aFrontSentinel, "null memory()"); + + *aHeader = reinterpret_cast(*aFrontSentinel); + + size_t pageSize = Shmem::SharedMemory::SystemPageSize(); + *aData = *aFrontSentinel + pageSize; + + *aBackSentinel = *aFrontSentinel + aSegment->Size() - pageSize; +} + +static Header* GetHeader(Shmem::SharedMemory* aSegment) { + Header* header; + char* dontcare; + GetSections(aSegment, &header, &dontcare, &dontcare, &dontcare); + return header; +} + +static void Protect(SharedMemory* aSegment) { + MOZ_ASSERT(aSegment, "null segment"); + aSegment->Protect(reinterpret_cast(aSegment->memory()), + aSegment->Size(), RightsNone); +} + +static void Unprotect(SharedMemory* aSegment) { + MOZ_ASSERT(aSegment, "null segment"); + aSegment->Protect(reinterpret_cast(aSegment->memory()), + aSegment->Size(), RightsRead | RightsWrite); +} + +// +// In debug builds, we specially allocate shmem segments. The layout +// is as follows +// +// Page 0: "front sentinel" +// size of mapping +// magic bytes +// Page 1 through n-1: +// user data +// Page n: "back sentinel" +// [nothing] +// +// The mapping can be in one of the following states, wrt to the +// current process. +// +// State "unmapped": all pages are mapped with no access rights. +// +// State "mapping": all pages are mapped with read/write access. +// +// State "mapped": the front and back sentinels are mapped with no +// access rights, and all the other pages are mapped with +// read/write access. +// +// When a SharedMemory segment is first allocated, it starts out in +// the "mapping" state for the process that allocates the segment, and +// in the "unmapped" state for the other process. The allocating +// process will then create a Shmem, which takes the segment into the +// "mapped" state, where it can be accessed by clients. +// +// When a Shmem is sent to another process in an IPDL message, the +// segment transitions into the "unmapped" state for the sending +// process, and into the "mapping" state for the receiving process. +// The receiving process will then create a Shmem from the underlying +// segment, and take the segment into the "mapped" state. +// +// In the "mapping" state, we use the front sentinel to verify the +// integrity of the shmem segment. If valid, it has a size_t +// containing the number of bytes the user allocated followed by the +// magic bytes above. +// +// In the "mapped" state, the front and back sentinels have no access +// rights. They act as guards against buffer overflows and underflows +// in client code; if clients touch a sentinel, they die with SIGSEGV. +// +// The "unmapped" state is used to enforce single-owner semantics of +// the shmem segment. If a process other than the current owner tries +// to touch the segment, it dies with SIGSEGV. +// + +Shmem::Shmem(SharedMemory* aSegment, id_t aId) + : mSegment(aSegment), mData(nullptr), mSize(0) { + MOZ_ASSERT(mSegment, "null segment"); + MOZ_ASSERT(aId != 0, "invalid ID"); + + Unprotect(mSegment); + + Header* header; + char* frontSentinel; + char* data; + char* backSentinel; + GetSections(aSegment, &header, &frontSentinel, &data, &backSentinel); + + // do a quick validity check to avoid weird-looking crashes in libc + char check = *frontSentinel; + (void)check; + + MOZ_ASSERT(!strncmp(header->mMagic, sMagic, sizeof(sMagic)), + "invalid segment"); + mSize = static_cast(header->mSize); + + size_t pageSize = SharedMemory::SystemPageSize(); + MOZ_ASSERT(mSegment->Size() - (2 * pageSize) >= mSize, + "illegal size in shared memory segment"); + + // transition into the "mapped" state by protecting the front and + // back sentinels (which guard against buffer under/overflows) + mSegment->Protect(frontSentinel, pageSize, RightsNone); + mSegment->Protect(backSentinel, pageSize, RightsNone); + + // don't set these until we know they're valid + mData = data; + mId = aId; +} + +void Shmem::AssertInvariants() const { + MOZ_ASSERT(mSegment, "null segment"); + MOZ_ASSERT(mData, "null data pointer"); + MOZ_ASSERT(mSize > 0, "invalid size"); + // if the segment isn't owned by the current process, these will + // trigger SIGSEGV + char checkMappingFront = *reinterpret_cast(mData); + char checkMappingBack = *(reinterpret_cast(mData) + mSize - 1); + + // avoid "unused" warnings for these variables: + Unused << checkMappingFront; + Unused << checkMappingBack; +} + +void Shmem::RevokeRights() { + AssertInvariants(); + + size_t pageSize = SharedMemory::SystemPageSize(); + Header* header = GetHeader(mSegment); + + // Open this up for reading temporarily + mSegment->Protect(reinterpret_cast(header), pageSize, RightsRead); + + if (!header->mUnsafe) { + Protect(mSegment); + } else { + mSegment->Protect(reinterpret_cast(header), pageSize, RightsNone); + } +} + +// static +already_AddRefed Shmem::Alloc(size_t aNBytes, bool aUnsafe, + bool aProtect) { + NS_ASSERTION(aNBytes <= UINT32_MAX, "Will truncate shmem segment size!"); + MOZ_ASSERT(!aProtect || !aUnsafe, "protect => !unsafe"); + + size_t pageSize = SharedMemory::SystemPageSize(); + // |2*pageSize| is for the front and back sentinel + RefPtr segment = CreateSegment(aNBytes, 2 * pageSize); + if (!segment) { + return nullptr; + } + + Header* header; + char* frontSentinel; + char* data; + char* backSentinel; + GetSections(segment, &header, &frontSentinel, &data, &backSentinel); + + // initialize the segment with Shmem-internal information + + // NB: this can't be a static assert because technically pageSize + // isn't known at compile time, event though in practice it's always + // going to be 4KiB + MOZ_ASSERT(sizeof(Header) <= pageSize, "Shmem::Header has gotten too big"); + memcpy(header->mMagic, sMagic, sizeof(sMagic)); + header->mSize = static_cast(aNBytes); + header->mUnsafe = aUnsafe; + + if (aProtect) Protect(segment); + + return segment.forget(); +} + +// static +already_AddRefed Shmem::OpenExisting( + const IPC::Message& aDescriptor, id_t* aId, bool aProtect) { + size_t size; + size_t pageSize = SharedMemory::SystemPageSize(); + // |2*pageSize| is for the front and back sentinels + RefPtr segment = + ReadSegment(aDescriptor, aId, &size, 2 * pageSize); + if (!segment) { + return nullptr; + } + + Header* header = GetHeader(segment); + + if (size != header->mSize) { + // Deallocation should zero out the header, so check for that. + if (header->mSize || header->mUnsafe || header->mMagic[0] || + memcmp(header->mMagic, &header->mMagic[1], + sizeof(header->mMagic) - 1)) { + NS_ERROR("Wrong size for this Shmem!"); + } else { + NS_WARNING("Shmem was deallocated"); + } + return nullptr; + } + + // The caller of this function may not know whether the segment is + // unsafe or not + if (!header->mUnsafe && aProtect) Protect(segment); + + return segment.forget(); +} + +// static +void Shmem::Dealloc(SharedMemory* aSegment) { + if (!aSegment) return; + + size_t pageSize = SharedMemory::SystemPageSize(); + Header* header; + char* frontSentinel; + char* data; + char* backSentinel; + GetSections(aSegment, &header, &frontSentinel, &data, &backSentinel); + + aSegment->Protect(frontSentinel, pageSize, RightsWrite | RightsRead); + memset(header->mMagic, 0, sizeof(sMagic)); + header->mSize = 0; + header->mUnsafe = false; // make it "safe" so as to catch errors + + DestroySegment(aSegment); +} + +#else // !defined(DEBUG) + +Shmem::Shmem(SharedMemory* aSegment, id_t aId) + : mSegment(aSegment), mData(aSegment->memory()), mSize(0), mId(aId) { + mSize = static_cast(*PtrToSize(mSegment)); + MOZ_RELEASE_ASSERT(mSegment->Size() - sizeof(uint32_t) >= mSize, + "illegal size in shared memory segment"); +} + +// static +already_AddRefed Shmem::Alloc(size_t aNBytes, + bool /*unused*/, + bool /*unused*/) { + RefPtr segment = CreateSegment(aNBytes, sizeof(uint32_t)); + if (!segment) { + return nullptr; + } + + *PtrToSize(segment) = static_cast(aNBytes); + + return segment.forget(); +} + +// static +already_AddRefed Shmem::OpenExisting( + const IPC::Message& aDescriptor, id_t* aId, bool /*unused*/) { + size_t size; + RefPtr segment = + ReadSegment(aDescriptor, aId, &size, sizeof(uint32_t)); + if (!segment) { + return nullptr; + } + + // this is the only validity check done in non-DEBUG builds + if (size != static_cast(*PtrToSize(segment))) { + return nullptr; + } + + return segment.forget(); +} + +// static +void Shmem::Dealloc(SharedMemory* aSegment) { DestroySegment(aSegment); } + +#endif // if defined(DEBUG) + +UniquePtr Shmem::MkCreatedMessage(int32_t routingId) { + AssertInvariants(); + + auto msg = MakeUnique(routingId, mId, mSize); + IPC::MessageWriter writer(*msg); + if (!mSegment->WriteHandle(&writer)) { + return nullptr; + } + // close the handle to the segment after it is shared + mSegment->CloseHandle(); + return msg; +} + +UniquePtr Shmem::MkDestroyedMessage(int32_t routingId) { + AssertInvariants(); + return MakeUnique(routingId, mId); +} + +void IPDLParamTraits::Write(IPC::MessageWriter* aWriter, + IProtocol* aActor, Shmem&& aParam) { + WriteIPDLParam(aWriter, aActor, aParam.mId); + + aParam.RevokeRights(); + aParam.forget(); +} + +bool IPDLParamTraits::Read(IPC::MessageReader* aReader, + IProtocol* aActor, paramType* aResult) { + paramType::id_t id; + if (!ReadIPDLParam(aReader, aActor, &id)) { + return false; + } + + Shmem::SharedMemory* rawmem = aActor->LookupSharedMemory(id); + if (rawmem) { + *aResult = Shmem(rawmem, id); + return true; + } + *aResult = Shmem(); + return true; +} + +} // namespace ipc +} // namespace mozilla -- cgit v1.2.3