// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "base/files/memory_mapped_file.h" #include #include #include #include #include #include #include "base/files/file_path.h" #include "base/logging.h" #include "base/numerics/checked_math.h" #include "base/numerics/safe_conversions.h" #include "base/threading/scoped_blocking_call.h" #include "base/win/pe_image.h" namespace base { MemoryMappedFile::MemoryMappedFile() = default; bool MemoryMappedFile::MapImageToMemory(Access access) { ScopedBlockingCall scoped_blocking_call(FROM_HERE, BlockingType::MAY_BLOCK); // The arguments to the calls of ::CreateFile(), ::CreateFileMapping(), and // ::MapViewOfFile() need to be self consistent as far as access rights and // type of mapping or one or more of them will fail in non-obvious ways. if (!file_.IsValid()) return false; file_mapping_.Set(::CreateFileMapping(file_.GetPlatformFile(), nullptr, PAGE_READONLY | SEC_IMAGE_NO_EXECUTE, 0, 0, NULL)); if (!file_mapping_.is_valid()) return false; auto* ptr = static_cast( ::MapViewOfFile(file_mapping_.get(), FILE_MAP_READ, 0, 0, 0)); if (!ptr) { return false; } // We need to know how large the mapped file is. base::win::PEImage pe_image(ptr); size_t len = pe_image.GetNTHeaders()->OptionalHeader.SizeOfImage; if (len == 0u) { // Consistent cross-platform behaviour, an empty `bytes_` indicates nothing // is mapped. return false; } // SAFETY: The `len` is the size of the image at `ptr`. bytes_ = UNSAFE_BUFFERS(base::span(ptr, len)); return true; } bool MemoryMappedFile::MapFileRegionToMemory( const MemoryMappedFile::Region& region, Access access) { ScopedBlockingCall scoped_blocking_call(FROM_HERE, BlockingType::MAY_BLOCK); DCHECK(access != READ_CODE_IMAGE || region == Region::kWholeFile); if (!file_.IsValid()) return false; DWORD view_access; DWORD flags = 0; ULARGE_INTEGER size = {}; switch (access) { case READ_ONLY: flags |= PAGE_READONLY; view_access = FILE_MAP_READ; break; case READ_WRITE: flags |= PAGE_READWRITE; view_access = FILE_MAP_WRITE; break; case READ_WRITE_COPY: flags |= PAGE_WRITECOPY; view_access = FILE_MAP_COPY; break; case READ_WRITE_EXTEND: flags |= PAGE_READWRITE; view_access = FILE_MAP_WRITE; size.QuadPart = region.size; break; case READ_CODE_IMAGE: return MapImageToMemory(access); } file_mapping_.Set(::CreateFileMapping(file_.GetPlatformFile(), NULL, flags, size.HighPart, size.LowPart, NULL)); if (!file_mapping_.is_valid()) return false; ULARGE_INTEGER map_start = {}; SIZE_T map_size = 0u; int32_t data_offset = 0; size_t byte_size = 0u; if (region == MemoryMappedFile::Region::kWholeFile) { DCHECK_NE(READ_WRITE_EXTEND, access); int64_t file_len = file_.GetLength(); if (file_len <= 0 || !IsValueInRangeForNumericType(file_len)) { return false; } byte_size = base::checked_cast(file_len); } else { // The region can be arbitrarily aligned. MapViewOfFile, instead, requires // that the start address is aligned to the VM granularity (which is // typically larger than a page size, for instance 32k). // Also, conversely to POSIX's mmap, the |map_size| doesn't have to be // aligned and must be less than or equal the mapped file size. // We map here the outer region [|aligned_start|, |aligned_start+size|] // which contains |region| and then add up the |data_offset| displacement. int64_t aligned_start = 0; size_t ignored = 0u; CalculateVMAlignedBoundaries(region.offset, region.size, &aligned_start, &ignored, &data_offset); base::CheckedNumeric full_map_size = region.size; full_map_size += data_offset; // Ensure that the casts below in the MapViewOfFile call are sane. if (aligned_start < 0 || !full_map_size.IsValid()) { DLOG(ERROR) << "Region bounds are not valid for MapViewOfFile"; return false; } map_start.QuadPart = static_cast(aligned_start); map_size = full_map_size.ValueOrDie(); byte_size = region.size; if (map_size == 0u) { // Consistent cross-platform behaviour, an empty `bytes_` indicates // nothing is mapped. return false; } } auto* ptr = static_cast( ::MapViewOfFile(file_mapping_.get(), view_access, map_start.HighPart, map_start.LowPart, map_size)); if (ptr == nullptr) { return false; } // SAFETY: For the span construction to be valid, `ptr` needs to point to at // least `data_size + byte_size` many bytes. The MapViewOfFile() will return a // pointer of `map_size` bytes, unless it's 0 in which case it returns a // pointer to all bytes in the file after the offset. // // If the mapping is of the whole file, `map_size == 0`, so `file_len` bytes // are mapped. `byte_size == file_len` and `data_offset == 0`, so // `data_offset + byte_size <= file_len` is trivially satisfied. // // If the mapping is a sub-range of the file, `map_size > 0` and `map_size` // many bytes are mapped: // - `aligned_start` is page aligned and <= `start`. // - `map_size` is a multiple of the VM granularity and >= // `byte_size`. // - `data_offset` is the displacement of `start` w.r.t `aligned_start`. // |..................|xxxxxxxxxxxxxxxxxx|.................| // ^ aligned start ^ start | | // ^------------------^ data_offset | | // ^------------------^ byte_size | // ^-------------------------------------------------------^ map_size // // The `data_offset` undoes the alignment of start. The `map_size` contains // the padding before and after the mapped region to satisfy alignment. So // the `data_offset + byte_size <= map_size`. bytes_ = UNSAFE_BUFFERS(base::span(ptr + data_offset, byte_size)); return true; } void MemoryMappedFile::CloseHandles() { if (!bytes_.empty()) { ::UnmapViewOfFile(bytes_.data()); } if (file_mapping_.is_valid()) file_mapping_.Close(); if (file_.IsValid()) file_.Close(); bytes_ = base::span(); } } // namespace base