blob: cf06dd39c762329e97fd8a2434e2613b7a165cf6 [file] [log] [blame]
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/memory/shared_memory.h"
#include <aclapi.h>
#include <stddef.h>
#include <stdint.h>
#include "base/allocator/partition_allocator/page_allocator.h"
#include "base/logging.h"
#include "base/memory/shared_memory_tracker.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/rand_util.h"
#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "base/unguessable_token.h"
namespace base {
namespace {
// Errors that can occur during Shared Memory construction.
// These match tools/metrics/histograms/histograms.xml.
// This enum is append-only.
enum CreateError {
SUCCESS = 0,
SIZE_ZERO = 1,
SIZE_TOO_LARGE = 2,
INITIALIZE_ACL_FAILURE = 3,
INITIALIZE_SECURITY_DESC_FAILURE = 4,
SET_SECURITY_DESC_FAILURE = 5,
CREATE_FILE_MAPPING_FAILURE = 6,
REDUCE_PERMISSIONS_FAILURE = 7,
ALREADY_EXISTS = 8,
CREATE_ERROR_LAST = ALREADY_EXISTS
};
// Emits UMA metrics about encountered errors. Pass zero (0) for |winerror|
// if there is no associated Windows error.
void LogError(CreateError error, DWORD winerror) {
UMA_HISTOGRAM_ENUMERATION("SharedMemory.CreateError", error,
CREATE_ERROR_LAST + 1);
static_assert(ERROR_SUCCESS == 0, "Windows error code changed!");
if (winerror != ERROR_SUCCESS)
UmaHistogramSparse("SharedMemory.CreateWinError", winerror);
}
typedef enum _SECTION_INFORMATION_CLASS {
SectionBasicInformation,
} SECTION_INFORMATION_CLASS;
typedef struct _SECTION_BASIC_INFORMATION {
PVOID BaseAddress;
ULONG Attributes;
LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
typedef ULONG(__stdcall* NtQuerySectionType)(
HANDLE SectionHandle,
SECTION_INFORMATION_CLASS SectionInformationClass,
PVOID SectionInformation,
ULONG SectionInformationLength,
PULONG ResultLength);
// Returns the length of the memory section starting at the supplied address.
size_t GetMemorySectionSize(void* address) {
MEMORY_BASIC_INFORMATION memory_info;
if (!::VirtualQuery(address, &memory_info, sizeof(memory_info)))
return 0;
return memory_info.RegionSize - (static_cast<char*>(address) -
static_cast<char*>(memory_info.AllocationBase));
}
// Checks if the section object is safe to map. At the moment this just means
// it's not an image section.
bool IsSectionSafeToMap(HANDLE handle) {
static NtQuerySectionType nt_query_section_func;
if (!nt_query_section_func) {
nt_query_section_func = reinterpret_cast<NtQuerySectionType>(
::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), "NtQuerySection"));
DCHECK(nt_query_section_func);
}
// The handle must have SECTION_QUERY access for this to succeed.
SECTION_BASIC_INFORMATION basic_information = {};
ULONG status =
nt_query_section_func(handle, SectionBasicInformation, &basic_information,
sizeof(basic_information), nullptr);
if (status)
return false;
return (basic_information.Attributes & SEC_IMAGE) != SEC_IMAGE;
}
// Returns a HANDLE on success and |nullptr| on failure.
// This function is similar to CreateFileMapping, but removes the permissions
// WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE.
//
// A newly created file mapping has two sets of permissions. It has access
// control permissions (WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE) and
// file permissions (FILE_MAP_READ, FILE_MAP_WRITE, etc.). ::DuplicateHandle()
// with the parameter DUPLICATE_SAME_ACCESS copies both sets of permissions.
//
// The Chrome sandbox prevents HANDLEs with the WRITE_DAC permission from being
// duplicated into unprivileged processes. But the only way to copy file
// permissions is with the parameter DUPLICATE_SAME_ACCESS. This means that
// there is no way for a privileged process to duplicate a file mapping into an
// unprivileged process while maintaining the previous file permissions.
//
// By removing all access control permissions of a file mapping immediately
// after creation, ::DuplicateHandle() effectively only copies the file
// permissions.
HANDLE CreateFileMappingWithReducedPermissions(SECURITY_ATTRIBUTES* sa,
size_t rounded_size,
LPCWSTR name) {
HANDLE h = CreateFileMapping(INVALID_HANDLE_VALUE, sa, PAGE_READWRITE, 0,
static_cast<DWORD>(rounded_size), name);
if (!h) {
LogError(CREATE_FILE_MAPPING_FAILURE, GetLastError());
return nullptr;
}
HANDLE h2;
BOOL success = ::DuplicateHandle(
GetCurrentProcess(), h, GetCurrentProcess(), &h2,
FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY, FALSE, 0);
BOOL rv = ::CloseHandle(h);
DCHECK(rv);
if (!success) {
LogError(REDUCE_PERMISSIONS_FAILURE, GetLastError());
return nullptr;
}
return h2;
}
} // namespace.
SharedMemory::SharedMemory() {}
SharedMemory::SharedMemory(const string16& name) : name_(name) {}
SharedMemory::SharedMemory(const SharedMemoryHandle& handle, bool read_only)
: external_section_(true), shm_(handle), read_only_(read_only) {}
SharedMemory::~SharedMemory() {
Unmap();
Close();
}
// static
bool SharedMemory::IsHandleValid(const SharedMemoryHandle& handle) {
return handle.IsValid();
}
// static
void SharedMemory::CloseHandle(const SharedMemoryHandle& handle) {
handle.Close();
}
// static
size_t SharedMemory::GetHandleLimit() {
// Rounded down from value reported here:
// http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx
return static_cast<size_t>(1 << 23);
}
// static
SharedMemoryHandle SharedMemory::DuplicateHandle(
const SharedMemoryHandle& handle) {
return handle.Duplicate();
}
bool SharedMemory::CreateAndMapAnonymous(size_t size) {
return CreateAnonymous(size) && Map(size);
}
bool SharedMemory::Create(const SharedMemoryCreateOptions& options) {
// TODO(crbug.com/210609): NaCl forces us to round up 64k here, wasting 32k
// per mapping on average.
static const size_t kSectionMask = 65536 - 1;
DCHECK(!options.executable);
DCHECK(!shm_.IsValid());
if (options.size == 0) {
LogError(SIZE_ZERO, 0);
return false;
}
// Check maximum accounting for overflow.
if (options.size >
static_cast<size_t>(std::numeric_limits<int>::max()) - kSectionMask) {
LogError(SIZE_TOO_LARGE, 0);
return false;
}
size_t rounded_size = (options.size + kSectionMask) & ~kSectionMask;
name_ = options.name_deprecated ?
ASCIIToUTF16(*options.name_deprecated) : L"";
SECURITY_ATTRIBUTES sa = {sizeof(sa), nullptr, FALSE};
SECURITY_DESCRIPTOR sd;
ACL dacl;
if (name_.empty()) {
// Add an empty DACL to enforce anonymous read-only sections.
sa.lpSecurityDescriptor = &sd;
if (!InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION)) {
LogError(INITIALIZE_ACL_FAILURE, GetLastError());
return false;
}
if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
LogError(INITIALIZE_SECURITY_DESC_FAILURE, GetLastError());
return false;
}
if (!SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE)) {
LogError(SET_SECURITY_DESC_FAILURE, GetLastError());
return false;
}
// Windows ignores DACLs on certain unnamed objects (like shared sections).
// So, we generate a random name when we need to enforce read-only.
uint64_t rand_values[4];
RandBytes(&rand_values, sizeof(rand_values));
name_ = StringPrintf(L"CrSharedMem_%016llx%016llx%016llx%016llx",
rand_values[0], rand_values[1],
rand_values[2], rand_values[3]);
}
DCHECK(!name_.empty());
shm_ = SharedMemoryHandle(
CreateFileMappingWithReducedPermissions(&sa, rounded_size, name_.c_str()),
rounded_size, UnguessableToken::Create());
if (!shm_.IsValid()) {
// The error is logged within CreateFileMappingWithReducedPermissions().
return false;
}
requested_size_ = options.size;
// Check if the shared memory pre-exists.
if (GetLastError() == ERROR_ALREADY_EXISTS) {
// If the file already existed, set requested_size_ to 0 to show that
// we don't know the size.
requested_size_ = 0;
external_section_ = true;
if (!options.open_existing_deprecated) {
Close();
// From "if" above: GetLastError() == ERROR_ALREADY_EXISTS.
LogError(ALREADY_EXISTS, ERROR_ALREADY_EXISTS);
return false;
}
}
LogError(SUCCESS, ERROR_SUCCESS);
return true;
}
bool SharedMemory::Delete(const std::string& name) {
// intentionally empty -- there is nothing for us to do on Windows.
return true;
}
bool SharedMemory::Open(const std::string& name, bool read_only) {
DCHECK(!shm_.IsValid());
DWORD access = FILE_MAP_READ | SECTION_QUERY;
if (!read_only)
access |= FILE_MAP_WRITE;
name_ = ASCIIToUTF16(name);
read_only_ = read_only;
// This form of sharing shared memory is deprecated. https://crbug.com/345734.
// However, we can't get rid of it without a significant refactor because its
// used to communicate between two versions of the same service process, very
// early in the life cycle.
// Technically, we should also pass the GUID from the original shared memory
// region. We don't do that - this means that we will overcount this memory,
// which thankfully isn't relevant since Chrome only communicates with a
// single version of the service process.
// We pass the size |0|, which is a dummy size and wrong, but otherwise
// harmless.
shm_ = SharedMemoryHandle(
OpenFileMapping(access, false, name_.empty() ? nullptr : name_.c_str()),
0u, UnguessableToken::Create());
if (!shm_.IsValid())
return false;
// If a name specified assume it's an external section.
if (!name_.empty())
external_section_ = true;
// Note: size_ is not set in this case.
return true;
}
bool SharedMemory::MapAt(off_t offset, size_t bytes) {
if (!shm_.IsValid()) {
DLOG(ERROR) << "Invalid SharedMemoryHandle.";
return false;
}
if (bytes > static_cast<size_t>(std::numeric_limits<int>::max())) {
DLOG(ERROR) << "Bytes required exceeds the 2G limitation.";
return false;
}
if (memory_) {
DLOG(ERROR) << "The SharedMemory has been mapped already.";
return false;
}
if (external_section_ && !IsSectionSafeToMap(shm_.GetHandle())) {
DLOG(ERROR) << "SharedMemoryHandle is not safe to be mapped.";
return false;
}
// Try to map the shared memory. On the first failure, release any reserved
// address space for a single retry.
for (int i = 0; i < 2; ++i) {
memory_ = MapViewOfFile(
shm_.GetHandle(),
read_only_ ? FILE_MAP_READ : FILE_MAP_READ | FILE_MAP_WRITE,
static_cast<uint64_t>(offset) >> 32, static_cast<DWORD>(offset), bytes);
if (memory_)
break;
ReleaseReservation();
}
if (!memory_) {
DPLOG(ERROR) << "Failed executing MapViewOfFile";
return false;
}
DCHECK_EQ(0U, reinterpret_cast<uintptr_t>(memory_) &
(SharedMemory::MAP_MINIMUM_ALIGNMENT - 1));
mapped_size_ = GetMemorySectionSize(memory_);
mapped_id_ = shm_.GetGUID();
SharedMemoryTracker::GetInstance()->IncrementMemoryUsage(*this);
return true;
}
bool SharedMemory::Unmap() {
if (!memory_)
return false;
SharedMemoryTracker::GetInstance()->DecrementMemoryUsage(*this);
UnmapViewOfFile(memory_);
memory_ = nullptr;
mapped_id_ = UnguessableToken();
return true;
}
SharedMemoryHandle SharedMemory::GetReadOnlyHandle() const {
HANDLE result;
ProcessHandle process = GetCurrentProcess();
if (!::DuplicateHandle(process, shm_.GetHandle(), process, &result,
FILE_MAP_READ | SECTION_QUERY, FALSE, 0)) {
return SharedMemoryHandle();
}
SharedMemoryHandle handle =
SharedMemoryHandle(result, shm_.GetSize(), shm_.GetGUID());
handle.SetOwnershipPassesToIPC(true);
return handle;
}
void SharedMemory::Close() {
if (shm_.IsValid()) {
shm_.Close();
shm_ = SharedMemoryHandle();
}
}
SharedMemoryHandle SharedMemory::handle() const {
return shm_;
}
SharedMemoryHandle SharedMemory::TakeHandle() {
SharedMemoryHandle handle(shm_);
handle.SetOwnershipPassesToIPC(true);
Unmap();
shm_ = SharedMemoryHandle();
return handle;
}
} // namespace base