1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/loader/nacl_listener.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stdlib.h>
10 #include <string.h>
11
12 #include <memory>
13 #include <utility>
14
15 #include "base/functional/bind.h"
16 #include "base/memory/raw_ptr.h"
17 #include "base/task/single_thread_task_runner.h"
18 #include "build/build_config.h"
19
20 #if BUILDFLAG(IS_POSIX)
21 #include <unistd.h>
22 #endif
23
24 #include "base/command_line.h"
25 #include "base/logging.h"
26 #include "base/memory/read_only_shared_memory_region.h"
27 #include "base/message_loop/message_pump_type.h"
28 #include "base/rand_util.h"
29 #include "base/run_loop.h"
30 #include "base/synchronization/waitable_event.h"
31 #include "base/task/single_thread_task_runner.h"
32 #include "components/nacl/common/nacl.mojom.h"
33 #include "components/nacl/common/nacl_messages.h"
34 #include "components/nacl/common/nacl_service.h"
35 #include "components/nacl/common/nacl_switches.h"
36 #include "components/nacl/loader/nacl_ipc_adapter.h"
37 #include "components/nacl/loader/nacl_validation_db.h"
38 #include "components/nacl/loader/nacl_validation_query.h"
39 #include "ipc/ipc_channel_handle.h"
40 #include "ipc/ipc_sync_channel.h"
41 #include "ipc/ipc_sync_message_filter.h"
42 #include "mojo/public/cpp/bindings/pending_remote.h"
43 #include "native_client/src/public/chrome_main.h"
44 #include "native_client/src/public/nacl_app.h"
45 #include "native_client/src/public/nacl_desc.h"
46
47 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
48 #include "content/public/common/zygote/sandbox_support_linux.h"
49 #endif
50
51 #if BUILDFLAG(IS_POSIX)
52 #include "base/posix/eintr_wrapper.h"
53 #endif
54
55 #if BUILDFLAG(IS_WIN)
56 #include <io.h>
57 #endif
58
59 namespace {
60
61 NaClListener* g_listener;
62
FatalLogHandler(const char * data,size_t bytes)63 void FatalLogHandler(const char* data, size_t bytes) {
64 // We use uint32_t rather than size_t for the case when the browser and NaCl
65 // processes are a mix of 32-bit and 64-bit processes.
66 uint32_t copy_bytes = std::min<uint32_t>(static_cast<uint32_t>(bytes),
67 nacl::kNaClCrashInfoMaxLogSize);
68
69 // We copy the length of the crash data to the start of the shared memory
70 // segment so we know how much to copy.
71 memcpy(g_listener->crash_info_shmem_memory(), ©_bytes, sizeof(uint32_t));
72
73 memcpy((char*)g_listener->crash_info_shmem_memory() + sizeof(uint32_t),
74 data,
75 copy_bytes);
76 }
77
LoadStatusCallback(int load_status)78 void LoadStatusCallback(int load_status) {
79 g_listener->trusted_listener()->renderer_host()->ReportLoadStatus(
80 static_cast<NaClErrorCode>(load_status));
81 }
82
83 #if BUILDFLAG(IS_WIN)
AttachDebugExceptionHandler(const void * info,size_t info_size)84 int AttachDebugExceptionHandler(const void* info, size_t info_size) {
85 std::string info_string(reinterpret_cast<const char*>(info), info_size);
86 bool result = false;
87 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler(
88 info_string, &result)))
89 return false;
90 return result;
91 }
92
DebugStubPortSelectedHandler(uint16_t port)93 void DebugStubPortSelectedHandler(uint16_t port) {
94 g_listener->Send(new NaClProcessHostMsg_DebugStubPortSelected(port));
95 }
96
97 #endif
98
99 // Creates the PPAPI IPC channel between the NaCl IRT and the host
100 // (browser/renderer) process, and starts to listen it on the thread where
101 // the given task runner runs.
102 // Also, creates and sets the corresponding NaClDesc to the given nap with
103 // the FD #.
SetUpIPCAdapter(IPC::ChannelHandle * handle,scoped_refptr<base::SingleThreadTaskRunner> task_runner,struct NaClApp * nap,int nacl_fd,NaClIPCAdapter::ResolveFileTokenCallback resolve_file_token_cb,NaClIPCAdapter::OpenResourceCallback open_resource_cb)104 void SetUpIPCAdapter(
105 IPC::ChannelHandle* handle,
106 scoped_refptr<base::SingleThreadTaskRunner> task_runner,
107 struct NaClApp* nap,
108 int nacl_fd,
109 NaClIPCAdapter::ResolveFileTokenCallback resolve_file_token_cb,
110 NaClIPCAdapter::OpenResourceCallback open_resource_cb) {
111 mojo::MessagePipe pipe;
112 scoped_refptr<NaClIPCAdapter> ipc_adapter(new NaClIPCAdapter(
113 pipe.handle0.release(), task_runner, std::move(resolve_file_token_cb),
114 std::move(open_resource_cb)));
115 ipc_adapter->ConnectChannel();
116 *handle = pipe.handle1.release();
117
118 // Pass a NaClDesc to the untrusted side. This will hold a ref to the
119 // NaClIPCAdapter.
120 NaClAppSetDesc(nap, nacl_fd, ipc_adapter->MakeNaClDesc());
121 }
122
123 } // namespace
124
125 class BrowserValidationDBProxy : public NaClValidationDB {
126 public:
BrowserValidationDBProxy(NaClListener * listener)127 explicit BrowserValidationDBProxy(NaClListener* listener)
128 : listener_(listener) {
129 }
130
QueryKnownToValidate(const std::string & signature)131 bool QueryKnownToValidate(const std::string& signature) override {
132 // Initialize to false so that if the Send fails to write to the return
133 // value we're safe. For example if the message is (for some reason)
134 // dispatched as an async message the return parameter will not be written.
135 bool result = false;
136 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature,
137 &result))) {
138 LOG(ERROR) << "Failed to query NaCl validation cache.";
139 result = false;
140 }
141 return result;
142 }
143
SetKnownToValidate(const std::string & signature)144 void SetKnownToValidate(const std::string& signature) override {
145 // Caching is optional: NaCl will still work correctly if the IPC fails.
146 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) {
147 LOG(ERROR) << "Failed to update NaCl validation cache.";
148 }
149 }
150
151 private:
152 // The listener never dies, otherwise this might be a dangling reference.
153 raw_ptr<NaClListener> listener_;
154 };
155
NaClListener()156 NaClListener::NaClListener()
157 : shutdown_event_(base::WaitableEvent::ResetPolicy::MANUAL,
158 base::WaitableEvent::InitialState::NOT_SIGNALED),
159 io_thread_("NaCl_IOThread"),
160 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
161 prereserved_sandbox_size_(0),
162 #endif
163 #if BUILDFLAG(IS_POSIX)
164 number_of_cores_(-1), // unknown/error
165 #endif
166 is_started_(false) {
167 io_thread_.StartWithOptions(
168 base::Thread::Options(base::MessagePumpType::IO, 0));
169 DCHECK(g_listener == NULL);
170 g_listener = this;
171 }
172
~NaClListener()173 NaClListener::~NaClListener() {
174 NOTREACHED();
175 shutdown_event_.Signal();
176 g_listener = NULL;
177 }
178
Send(IPC::Message * msg)179 bool NaClListener::Send(IPC::Message* msg) {
180 DCHECK(!!main_task_runner_);
181 if (main_task_runner_->BelongsToCurrentThread()) {
182 // This thread owns the channel.
183 return channel_->Send(msg);
184 }
185 // This thread does not own the channel.
186 return filter_->Send(msg);
187 }
188
189 // The NaClProcessMsg_ResolveFileTokenAsyncReply message must be
190 // processed in a MessageFilter so it can be handled on the IO thread.
191 // The main thread used by NaClListener is busy in
192 // NaClChromeMainAppStart(), so it can't be used for servicing messages.
193 class FileTokenMessageFilter : public IPC::MessageFilter {
194 public:
OnMessageReceived(const IPC::Message & msg)195 bool OnMessageReceived(const IPC::Message& msg) override {
196 bool handled = true;
197 IPC_BEGIN_MESSAGE_MAP(FileTokenMessageFilter, msg)
198 IPC_MESSAGE_HANDLER(NaClProcessMsg_ResolveFileTokenReply,
199 OnResolveFileTokenReply)
200 IPC_MESSAGE_UNHANDLED(handled = false)
201 IPC_END_MESSAGE_MAP()
202 return handled;
203 }
204
OnResolveFileTokenReply(uint64_t token_lo,uint64_t token_hi,IPC::PlatformFileForTransit ipc_fd,base::FilePath file_path)205 void OnResolveFileTokenReply(
206 uint64_t token_lo,
207 uint64_t token_hi,
208 IPC::PlatformFileForTransit ipc_fd,
209 base::FilePath file_path) {
210 CHECK(g_listener);
211 g_listener->OnFileTokenResolved(token_lo, token_hi, ipc_fd, file_path);
212 }
213 private:
~FileTokenMessageFilter()214 ~FileTokenMessageFilter() override {}
215 };
216
Listen()217 void NaClListener::Listen() {
218 NaClService service(io_thread_.task_runner());
219 channel_ = IPC::SyncChannel::Create(
220 this, io_thread_.task_runner().get(),
221 base::SingleThreadTaskRunner::GetCurrentDefault(), &shutdown_event_);
222 filter_ = channel_->CreateSyncMessageFilter();
223 channel_->AddFilter(new FileTokenMessageFilter());
224 channel_->Init(service.TakeChannelPipe().release(), IPC::Channel::MODE_CLIENT,
225 true);
226 main_task_runner_ = base::SingleThreadTaskRunner::GetCurrentDefault();
227 base::RunLoop().Run();
228 }
229
230 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
231 // static
MakeSharedMemorySegment(size_t length,int executable)232 int NaClListener::MakeSharedMemorySegment(size_t length, int executable) {
233 return content::SharedMemoryIPCSupport::MakeSharedMemorySegment(length,
234 executable);
235 }
236 #endif
237
OnMessageReceived(const IPC::Message & msg)238 bool NaClListener::OnMessageReceived(const IPC::Message& msg) {
239 bool handled = true;
240 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg)
241 IPC_MESSAGE_HANDLER(NaClProcessMsg_AddPrefetchedResource,
242 OnAddPrefetchedResource)
243 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart)
244 IPC_MESSAGE_UNHANDLED(handled = false)
245 IPC_END_MESSAGE_MAP()
246 return handled;
247 }
248
OnOpenResource(const IPC::Message & msg,const std::string & key,NaClIPCAdapter::OpenResourceReplyCallback cb)249 bool NaClListener::OnOpenResource(
250 const IPC::Message& msg,
251 const std::string& key,
252 NaClIPCAdapter::OpenResourceReplyCallback cb) {
253 // This callback is executed only on |io_thread_| with NaClIPCAdapter's
254 // |lock_| not being held.
255 DCHECK(!cb.is_null());
256 auto it = prefetched_resource_files_.find(key);
257
258 if (it != prefetched_resource_files_.end()) {
259 // Fast path for prefetched FDs.
260 IPC::PlatformFileForTransit file = it->second.first;
261 base::FilePath path = it->second.second;
262 prefetched_resource_files_.erase(it);
263 // A pre-opened resource descriptor is available. Run the reply callback
264 // and return true.
265 std::move(cb).Run(msg, file, path);
266 return true;
267 }
268
269 // Return false to fall back to the slow path. Let NaClIPCAdapter issue an
270 // IPC to the renderer.
271 return false;
272 }
273
OnAddPrefetchedResource(const nacl::NaClResourcePrefetchResult & prefetched_resource_file)274 void NaClListener::OnAddPrefetchedResource(
275 const nacl::NaClResourcePrefetchResult& prefetched_resource_file) {
276 DCHECK(!is_started_);
277 if (is_started_)
278 return;
279 bool result = prefetched_resource_files_.insert(std::make_pair(
280 prefetched_resource_file.file_key,
281 std::make_pair(
282 prefetched_resource_file.file,
283 prefetched_resource_file.file_path_metadata))).second;
284 if (!result) {
285 LOG(FATAL) << "Duplicated open_resource key: "
286 << prefetched_resource_file.file_key;
287 }
288 }
289
OnStart(nacl::NaClStartParams params)290 void NaClListener::OnStart(nacl::NaClStartParams params) {
291 is_started_ = true;
292 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_APPLE)
293 int urandom_fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
294 if (urandom_fd < 0) {
295 LOG(FATAL) << "Failed to dup() the urandom FD";
296 }
297 NaClChromeMainSetUrandomFd(urandom_fd);
298 #endif
299 struct NaClApp* nap = NULL;
300 NaClChromeMainInit();
301
302 CHECK(params.crash_info_shmem_region.IsValid());
303 crash_info_shmem_mapping_ = params.crash_info_shmem_region.Map();
304 base::ReadOnlySharedMemoryRegion ro_shmem_region =
305 base::WritableSharedMemoryRegion::ConvertToReadOnly(
306 std::move(params.crash_info_shmem_region));
307 CHECK(crash_info_shmem_mapping_.IsValid());
308 CHECK(ro_shmem_region.IsValid());
309 NaClSetFatalErrorCallback(&FatalLogHandler);
310
311 nap = NaClAppCreate();
312 if (nap == NULL) {
313 LOG(FATAL) << "NaClAppCreate() failed";
314 }
315
316 IPC::ChannelHandle browser_handle;
317 IPC::ChannelHandle ppapi_renderer_handle;
318 IPC::ChannelHandle manifest_service_handle;
319
320 // Create the PPAPI IPC channels between the NaCl IRT and the host
321 // (browser/renderer) processes. The IRT uses these channels to
322 // communicate with the host and to initialize the IPC dispatchers.
323 SetUpIPCAdapter(&browser_handle, io_thread_.task_runner(), nap,
324 NACL_CHROME_DESC_BASE,
325 NaClIPCAdapter::ResolveFileTokenCallback(),
326 NaClIPCAdapter::OpenResourceCallback());
327 SetUpIPCAdapter(&ppapi_renderer_handle, io_thread_.task_runner(), nap,
328 NACL_CHROME_DESC_BASE + 1,
329 NaClIPCAdapter::ResolveFileTokenCallback(),
330 NaClIPCAdapter::OpenResourceCallback());
331 SetUpIPCAdapter(&manifest_service_handle, io_thread_.task_runner(), nap,
332 NACL_CHROME_DESC_BASE + 2,
333 base::BindRepeating(&NaClListener::ResolveFileToken,
334 base::Unretained(this)),
335 base::BindRepeating(&NaClListener::OnOpenResource,
336 base::Unretained(this)));
337
338 mojo::PendingRemote<nacl::mojom::NaClRendererHost> renderer_host;
339 if (!Send(new NaClProcessHostMsg_PpapiChannelsCreated(
340 browser_handle, ppapi_renderer_handle,
341 renderer_host.InitWithNewPipeAndPassReceiver().PassPipe().release(),
342 manifest_service_handle, ro_shmem_region)))
343 LOG(FATAL) << "Failed to send IPC channel handle to NaClProcessHost.";
344
345 trusted_listener_ = std::make_unique<NaClTrustedListener>(
346 std::move(renderer_host), io_thread_.task_runner().get());
347 struct NaClChromeMainArgs* args = NaClChromeMainArgsCreate();
348 if (args == NULL) {
349 LOG(FATAL) << "NaClChromeMainArgsCreate() failed";
350 }
351
352 #if BUILDFLAG(IS_POSIX)
353 args->number_of_cores = number_of_cores_;
354 #endif
355
356 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
357 args->create_memory_object_func = &MakeSharedMemorySegment;
358 #endif
359
360 DCHECK(params.process_type != nacl::kUnknownNaClProcessType);
361 CHECK(params.irt_handle != IPC::InvalidPlatformFileForTransit());
362 base::PlatformFile irt_handle =
363 IPC::PlatformFileForTransitToPlatformFile(params.irt_handle);
364
365 #if BUILDFLAG(IS_WIN)
366 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle),
367 _O_RDONLY | _O_BINARY);
368 if (args->irt_fd < 0) {
369 LOG(FATAL) << "_open_osfhandle() failed";
370 }
371 #else
372 args->irt_fd = irt_handle;
373 #endif
374
375 if (params.validation_cache_enabled) {
376 // SHA256 block size.
377 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64);
378 // The cache structure is not freed and exists until the NaCl process exits.
379 args->validation_cache = CreateValidationCache(
380 new BrowserValidationDBProxy(this), params.validation_cache_key,
381 params.version);
382 }
383
384 args->enable_debug_stub = params.enable_debug_stub;
385
386 // Now configure parts that depend on process type.
387 // Start with stricter settings.
388 args->enable_exception_handling = 0;
389 args->enable_dyncode_syscalls = 0;
390 // pnacl_mode=1 mostly disables things (IRT interfaces and syscalls).
391 args->pnacl_mode = 1;
392 // Bound the initial nexe's code segment size under PNaCl to reduce the
393 // chance of a code spraying attack succeeding (see
394 // https://code.google.com/p/nativeclient/issues/detail?id=3572).
395 // We can't apply this arbitrary limit outside of PNaCl because it might
396 // break existing NaCl apps, and this limit is only useful if the dyncode
397 // syscalls are disabled.
398 args->initial_nexe_max_code_bytes = 64 << 20; // 64 MB.
399
400 if (params.process_type == nacl::kNativeNaClProcessType) {
401 args->enable_exception_handling = 1;
402 args->enable_dyncode_syscalls = 1;
403 args->pnacl_mode = 0;
404 args->initial_nexe_max_code_bytes = 0;
405 } else if (params.process_type == nacl::kPNaClTranslatorProcessType) {
406 args->pnacl_mode = 0;
407 }
408
409 #if BUILDFLAG(IS_POSIX)
410 args->debug_stub_server_bound_socket_fd =
411 IPC::PlatformFileForTransitToPlatformFile(
412 params.debug_stub_server_bound_socket);
413 #endif
414 #if BUILDFLAG(IS_WIN)
415 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler;
416 args->debug_stub_server_port_selected_handler_func =
417 DebugStubPortSelectedHandler;
418 #endif
419 args->load_status_handler_func = LoadStatusCallback;
420 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
421 args->prereserved_sandbox_size = prereserved_sandbox_size_;
422 #endif
423
424 base::PlatformFile nexe_file = IPC::PlatformFileForTransitToPlatformFile(
425 params.nexe_file);
426 std::string file_path_str = params.nexe_file_path_metadata.AsUTF8Unsafe();
427 args->nexe_desc = NaClDescCreateWithFilePathMetadata(nexe_file,
428 file_path_str.c_str());
429
430 int exit_status;
431 if (!NaClChromeMainStart(nap, args, &exit_status))
432 NaClExit(1);
433
434 // Report the plugin's exit status if the application started successfully.
435 trusted_listener_->renderer_host()->ReportExitStatus(exit_status);
436 NaClExit(exit_status);
437 }
438
ResolveFileToken(uint64_t token_lo,uint64_t token_hi,NaClIPCAdapter::ResolveFileTokenReplyCallback cb)439 void NaClListener::ResolveFileToken(
440 uint64_t token_lo,
441 uint64_t token_hi,
442 NaClIPCAdapter::ResolveFileTokenReplyCallback cb) {
443 if (!Send(new NaClProcessMsg_ResolveFileToken(token_lo, token_hi))) {
444 std::move(cb).Run(IPC::PlatformFileForTransit(), base::FilePath());
445 return;
446 }
447 resolved_cb_ = std::move(cb);
448 }
449
OnFileTokenResolved(uint64_t token_lo,uint64_t token_hi,IPC::PlatformFileForTransit ipc_fd,base::FilePath file_path)450 void NaClListener::OnFileTokenResolved(
451 uint64_t token_lo,
452 uint64_t token_hi,
453 IPC::PlatformFileForTransit ipc_fd,
454 base::FilePath file_path) {
455 if (resolved_cb_)
456 std::move(resolved_cb_).Run(ipc_fd, file_path);
457 }
458