Don't preload rarely seen large images
[chromium-blink-merge.git] / components / nacl / loader / nacl_listener.cc
blobdefd931e654e9abc9d5ba8fd60042d9adaef8628
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/nacl/loader/nacl_listener.h"
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stdlib.h>
10 #include <string.h>
12 #if defined(OS_POSIX)
13 #include <unistd.h>
14 #endif
16 #include "base/command_line.h"
17 #include "base/logging.h"
18 #include "base/memory/scoped_ptr.h"
19 #include "base/rand_util.h"
20 #include "base/single_thread_task_runner.h"
21 #include "components/nacl/common/nacl_messages.h"
22 #include "components/nacl/common/nacl_renderer_messages.h"
23 #include "components/nacl/common/nacl_switches.h"
24 #include "components/nacl/loader/nacl_ipc_adapter.h"
25 #include "components/nacl/loader/nacl_validation_db.h"
26 #include "components/nacl/loader/nacl_validation_query.h"
27 #include "ipc/ipc_channel_handle.h"
28 #include "ipc/ipc_switches.h"
29 #include "ipc/ipc_sync_channel.h"
30 #include "ipc/ipc_sync_message_filter.h"
31 #include "native_client/src/public/chrome_main.h"
32 #include "native_client/src/public/nacl_app.h"
33 #include "native_client/src/public/nacl_desc.h"
35 #if defined(OS_POSIX)
36 #include "base/file_descriptor_posix.h"
37 #endif
39 #if defined(OS_LINUX)
40 #include "content/public/common/child_process_sandbox_support_linux.h"
41 #endif
43 #if defined(OS_WIN)
44 #include <io.h>
46 #include "content/public/common/sandbox_init.h"
47 #endif
49 namespace {
51 NaClListener* g_listener;
53 void FatalLogHandler(const char* data, size_t bytes) {
54 // We use uint32_t rather than size_t for the case when the browser and NaCl
55 // processes are a mix of 32-bit and 64-bit processes.
56 uint32_t copy_bytes = std::min<uint32_t>(static_cast<uint32_t>(bytes),
57 nacl::kNaClCrashInfoMaxLogSize);
59 // We copy the length of the crash data to the start of the shared memory
60 // segment so we know how much to copy.
61 memcpy(g_listener->crash_info_shmem_memory(), &copy_bytes, sizeof(uint32_t));
63 memcpy((char*)g_listener->crash_info_shmem_memory() + sizeof(uint32_t),
64 data,
65 copy_bytes);
68 void LoadStatusCallback(int load_status) {
69 g_listener->trusted_listener()->Send(
70 new NaClRendererMsg_ReportLoadStatus(
71 static_cast<NaClErrorCode>(load_status)));
74 #if defined(OS_MACOSX)
76 // On Mac OS X, shm_open() works in the sandbox but does not give us
77 // an FD that we can map as PROT_EXEC. Rather than doing an IPC to
78 // get an executable SHM region when CreateMemoryObject() is called,
79 // we preallocate one on startup, since NaCl's sel_ldr only needs one
80 // of them. This saves a round trip.
82 base::subtle::Atomic32 g_shm_fd = -1;
84 int CreateMemoryObject(size_t size, int executable) {
85 if (executable && size > 0) {
86 int result_fd = base::subtle::NoBarrier_AtomicExchange(&g_shm_fd, -1);
87 if (result_fd != -1) {
88 // ftruncate() is disallowed by the Mac OS X sandbox and
89 // returns EPERM. Luckily, we can get the same effect with
90 // lseek() + write().
91 if (lseek(result_fd, size - 1, SEEK_SET) == -1) {
92 LOG(ERROR) << "lseek() failed: " << errno;
93 return -1;
95 if (write(result_fd, "", 1) != 1) {
96 LOG(ERROR) << "write() failed: " << errno;
97 return -1;
99 return result_fd;
102 // Fall back to NaCl's default implementation.
103 return -1;
106 #elif defined(OS_LINUX)
108 int CreateMemoryObject(size_t size, int executable) {
109 return content::MakeSharedMemorySegmentViaIPC(size, executable);
112 #elif defined(OS_WIN)
113 // We wrap the function to convert the bool return value to an int.
114 int BrokerDuplicateHandle(NaClHandle source_handle,
115 uint32_t process_id,
116 NaClHandle* target_handle,
117 uint32_t desired_access,
118 uint32_t options) {
119 return content::BrokerDuplicateHandle(source_handle, process_id,
120 target_handle, desired_access,
121 options);
124 int AttachDebugExceptionHandler(const void* info, size_t info_size) {
125 std::string info_string(reinterpret_cast<const char*>(info), info_size);
126 bool result = false;
127 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler(
128 info_string, &result)))
129 return false;
130 return result;
133 void DebugStubPortSelectedHandler(uint16_t port) {
134 g_listener->Send(new NaClProcessHostMsg_DebugStubPortSelected(port));
137 #endif
139 // Creates the PPAPI IPC channel between the NaCl IRT and the host
140 // (browser/renderer) process, and starts to listen it on the thread where
141 // the given message_loop_proxy runs.
142 // Also, creates and sets the corresponding NaClDesc to the given nap with
143 // the FD #.
144 void SetUpIPCAdapter(
145 IPC::ChannelHandle* handle,
146 scoped_refptr<base::SingleThreadTaskRunner> task_runner,
147 struct NaClApp* nap,
148 int nacl_fd,
149 NaClIPCAdapter::ResolveFileTokenCallback resolve_file_token_cb,
150 NaClIPCAdapter::OpenResourceCallback open_resource_cb) {
151 scoped_refptr<NaClIPCAdapter> ipc_adapter(new NaClIPCAdapter(
152 *handle, task_runner.get(), resolve_file_token_cb, open_resource_cb));
153 ipc_adapter->ConnectChannel();
154 #if defined(OS_POSIX)
155 handle->socket =
156 base::FileDescriptor(ipc_adapter->TakeClientFileDescriptor());
157 #endif
159 // Pass a NaClDesc to the untrusted side. This will hold a ref to the
160 // NaClIPCAdapter.
161 NaClAppSetDesc(nap, nacl_fd, ipc_adapter->MakeNaClDesc());
164 } // namespace
166 class BrowserValidationDBProxy : public NaClValidationDB {
167 public:
168 explicit BrowserValidationDBProxy(NaClListener* listener)
169 : listener_(listener) {
172 bool QueryKnownToValidate(const std::string& signature) override {
173 // Initialize to false so that if the Send fails to write to the return
174 // value we're safe. For example if the message is (for some reason)
175 // dispatched as an async message the return parameter will not be written.
176 bool result = false;
177 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature,
178 &result))) {
179 LOG(ERROR) << "Failed to query NaCl validation cache.";
180 result = false;
182 return result;
185 void SetKnownToValidate(const std::string& signature) override {
186 // Caching is optional: NaCl will still work correctly if the IPC fails.
187 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) {
188 LOG(ERROR) << "Failed to update NaCl validation cache.";
192 private:
193 // The listener never dies, otherwise this might be a dangling reference.
194 NaClListener* listener_;
198 NaClListener::NaClListener() : shutdown_event_(true, false),
199 io_thread_("NaCl_IOThread"),
200 #if defined(OS_LINUX)
201 prereserved_sandbox_size_(0),
202 #endif
203 #if defined(OS_POSIX)
204 number_of_cores_(-1), // unknown/error
205 #endif
206 main_loop_(NULL),
207 is_started_(false) {
208 io_thread_.StartWithOptions(
209 base::Thread::Options(base::MessageLoop::TYPE_IO, 0));
210 DCHECK(g_listener == NULL);
211 g_listener = this;
214 NaClListener::~NaClListener() {
215 NOTREACHED();
216 shutdown_event_.Signal();
217 g_listener = NULL;
220 bool NaClListener::Send(IPC::Message* msg) {
221 DCHECK(main_loop_ != NULL);
222 if (base::MessageLoop::current() == main_loop_) {
223 // This thread owns the channel.
224 return channel_->Send(msg);
225 } else {
226 // This thread does not own the channel.
227 return filter_->Send(msg);
231 // The NaClProcessMsg_ResolveFileTokenAsyncReply message must be
232 // processed in a MessageFilter so it can be handled on the IO thread.
233 // The main thread used by NaClListener is busy in
234 // NaClChromeMainAppStart(), so it can't be used for servicing messages.
235 class FileTokenMessageFilter : public IPC::MessageFilter {
236 public:
237 bool OnMessageReceived(const IPC::Message& msg) override {
238 bool handled = true;
239 IPC_BEGIN_MESSAGE_MAP(FileTokenMessageFilter, msg)
240 IPC_MESSAGE_HANDLER(NaClProcessMsg_ResolveFileTokenReply,
241 OnResolveFileTokenReply)
242 IPC_MESSAGE_UNHANDLED(handled = false)
243 IPC_END_MESSAGE_MAP()
244 return handled;
247 void OnResolveFileTokenReply(
248 uint64_t token_lo,
249 uint64_t token_hi,
250 IPC::PlatformFileForTransit ipc_fd,
251 base::FilePath file_path) {
252 CHECK(g_listener);
253 g_listener->OnFileTokenResolved(token_lo, token_hi, ipc_fd, file_path);
255 private:
256 ~FileTokenMessageFilter() override {}
259 void NaClListener::Listen() {
260 std::string channel_name =
261 base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
262 switches::kProcessChannelID);
263 channel_ = IPC::SyncChannel::Create(this, io_thread_.task_runner().get(),
264 &shutdown_event_);
265 filter_ = new IPC::SyncMessageFilter(&shutdown_event_);
266 channel_->AddFilter(filter_.get());
267 channel_->AddFilter(new FileTokenMessageFilter());
268 channel_->Init(channel_name, IPC::Channel::MODE_CLIENT, true);
269 main_loop_ = base::MessageLoop::current();
270 main_loop_->Run();
273 bool NaClListener::OnMessageReceived(const IPC::Message& msg) {
274 bool handled = true;
275 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg)
276 IPC_MESSAGE_HANDLER(NaClProcessMsg_AddPrefetchedResource,
277 OnAddPrefetchedResource)
278 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart)
279 IPC_MESSAGE_UNHANDLED(handled = false)
280 IPC_END_MESSAGE_MAP()
281 return handled;
284 bool NaClListener::OnOpenResource(
285 const IPC::Message& msg,
286 const std::string& key,
287 NaClIPCAdapter::OpenResourceReplyCallback cb) {
288 // This callback is executed only on |io_thread_| with NaClIPCAdapter's
289 // |lock_| not being held.
290 DCHECK(!cb.is_null());
291 PrefetchedResourceFilesMap::iterator it =
292 prefetched_resource_files_.find(key);
294 if (it != prefetched_resource_files_.end()) {
295 // Fast path for prefetched FDs.
296 IPC::PlatformFileForTransit file = it->second.first;
297 base::FilePath path = it->second.second;
298 prefetched_resource_files_.erase(it);
299 // A pre-opened resource descriptor is available. Run the reply callback
300 // and return true.
301 cb.Run(msg, file, path);
302 return true;
305 // Return false to fall back to the slow path. Let NaClIPCAdapter issue an
306 // IPC to the renderer.
307 return false;
310 void NaClListener::OnAddPrefetchedResource(
311 const nacl::NaClResourcePrefetchResult& prefetched_resource_file) {
312 DCHECK(!is_started_);
313 if (is_started_)
314 return;
315 bool result = prefetched_resource_files_.insert(std::make_pair(
316 prefetched_resource_file.file_key,
317 std::make_pair(
318 prefetched_resource_file.file,
319 prefetched_resource_file.file_path_metadata))).second;
320 if (!result) {
321 LOG(FATAL) << "Duplicated open_resource key: "
322 << prefetched_resource_file.file_key;
326 void NaClListener::OnStart(const nacl::NaClStartParams& params) {
327 is_started_ = true;
328 #if defined(OS_LINUX) || defined(OS_MACOSX)
329 int urandom_fd = dup(base::GetUrandomFD());
330 if (urandom_fd < 0) {
331 LOG(FATAL) << "Failed to dup() the urandom FD";
333 NaClChromeMainSetUrandomFd(urandom_fd);
334 #endif
335 struct NaClApp* nap = NULL;
336 NaClChromeMainInit();
338 CHECK(base::SharedMemory::IsHandleValid(params.crash_info_shmem_handle));
339 crash_info_shmem_.reset(new base::SharedMemory(
340 params.crash_info_shmem_handle, false /* not readonly */));
341 CHECK(crash_info_shmem_->Map(nacl::kNaClCrashInfoShmemSize));
342 NaClSetFatalErrorCallback(&FatalLogHandler);
344 nap = NaClAppCreate();
345 if (nap == NULL) {
346 LOG(FATAL) << "NaClAppCreate() failed";
349 IPC::ChannelHandle browser_handle;
350 IPC::ChannelHandle ppapi_renderer_handle;
351 IPC::ChannelHandle manifest_service_handle;
353 if (params.enable_ipc_proxy) {
354 browser_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
355 ppapi_renderer_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
356 manifest_service_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
358 // Create the PPAPI IPC channels between the NaCl IRT and the host
359 // (browser/renderer) processes. The IRT uses these channels to
360 // communicate with the host and to initialize the IPC dispatchers.
361 SetUpIPCAdapter(&browser_handle, io_thread_.task_runner(), nap,
362 NACL_CHROME_DESC_BASE,
363 NaClIPCAdapter::ResolveFileTokenCallback(),
364 NaClIPCAdapter::OpenResourceCallback());
365 SetUpIPCAdapter(&ppapi_renderer_handle, io_thread_.task_runner(), nap,
366 NACL_CHROME_DESC_BASE + 1,
367 NaClIPCAdapter::ResolveFileTokenCallback(),
368 NaClIPCAdapter::OpenResourceCallback());
369 SetUpIPCAdapter(
370 &manifest_service_handle, io_thread_.task_runner(), nap,
371 NACL_CHROME_DESC_BASE + 2,
372 base::Bind(&NaClListener::ResolveFileToken, base::Unretained(this)),
373 base::Bind(&NaClListener::OnOpenResource, base::Unretained(this)));
376 trusted_listener_ =
377 new NaClTrustedListener(IPC::Channel::GenerateVerifiedChannelID("nacl"),
378 io_thread_.task_runner().get(), &shutdown_event_);
379 if (!Send(new NaClProcessHostMsg_PpapiChannelsCreated(
380 browser_handle,
381 ppapi_renderer_handle,
382 trusted_listener_->TakeClientChannelHandle(),
383 manifest_service_handle)))
384 LOG(FATAL) << "Failed to send IPC channel handle to NaClProcessHost.";
386 struct NaClChromeMainArgs* args = NaClChromeMainArgsCreate();
387 if (args == NULL) {
388 LOG(FATAL) << "NaClChromeMainArgsCreate() failed";
391 #if defined(OS_LINUX) || defined(OS_MACOSX)
392 args->number_of_cores = number_of_cores_;
393 args->create_memory_object_func = CreateMemoryObject;
394 # if defined(OS_MACOSX)
395 CHECK(params.mac_shm_fd != IPC::InvalidPlatformFileForTransit());
396 g_shm_fd = IPC::PlatformFileForTransitToPlatformFile(params.mac_shm_fd);
397 # endif
398 #endif
400 DCHECK(params.process_type != nacl::kUnknownNaClProcessType);
401 CHECK(params.irt_handle != IPC::InvalidPlatformFileForTransit());
402 NaClHandle irt_handle =
403 IPC::PlatformFileForTransitToPlatformFile(params.irt_handle);
405 #if defined(OS_WIN)
406 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle),
407 _O_RDONLY | _O_BINARY);
408 if (args->irt_fd < 0) {
409 LOG(FATAL) << "_open_osfhandle() failed";
411 #else
412 args->irt_fd = irt_handle;
413 #endif
415 if (params.validation_cache_enabled) {
416 // SHA256 block size.
417 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64);
418 // The cache structure is not freed and exists until the NaCl process exits.
419 args->validation_cache = CreateValidationCache(
420 new BrowserValidationDBProxy(this), params.validation_cache_key,
421 params.version);
424 CHECK(params.imc_bootstrap_handle != IPC::InvalidPlatformFileForTransit());
425 args->imc_bootstrap_handle =
426 IPC::PlatformFileForTransitToPlatformFile(params.imc_bootstrap_handle);
427 args->enable_debug_stub = params.enable_debug_stub;
429 // Now configure parts that depend on process type.
430 // Start with stricter settings.
431 args->enable_exception_handling = 0;
432 args->enable_dyncode_syscalls = 0;
433 // pnacl_mode=1 mostly disables things (IRT interfaces and syscalls).
434 args->pnacl_mode = 1;
435 // Bound the initial nexe's code segment size under PNaCl to reduce the
436 // chance of a code spraying attack succeeding (see
437 // https://code.google.com/p/nativeclient/issues/detail?id=3572).
438 // We can't apply this arbitrary limit outside of PNaCl because it might
439 // break existing NaCl apps, and this limit is only useful if the dyncode
440 // syscalls are disabled.
441 args->initial_nexe_max_code_bytes = 64 << 20; // 64 MB.
443 if (params.process_type == nacl::kNativeNaClProcessType) {
444 args->enable_exception_handling = 1;
445 args->enable_dyncode_syscalls = 1;
446 args->pnacl_mode = 0;
447 args->initial_nexe_max_code_bytes = 0;
448 } else if (params.process_type == nacl::kPNaClTranslatorProcessType) {
449 // Transitioning the PNaCl translators to use the IRT again:
450 // https://code.google.com/p/nativeclient/issues/detail?id=3914.
451 // Once done, this can be removed.
452 args->irt_load_optional = 1;
453 args->pnacl_mode = 0;
456 #if defined(OS_POSIX)
457 args->debug_stub_server_bound_socket_fd =
458 IPC::PlatformFileForTransitToPlatformFile(
459 params.debug_stub_server_bound_socket);
460 #endif
461 #if defined(OS_WIN)
462 args->broker_duplicate_handle_func = BrokerDuplicateHandle;
463 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler;
464 args->debug_stub_server_port_selected_handler_func =
465 DebugStubPortSelectedHandler;
466 #endif
467 args->load_status_handler_func = LoadStatusCallback;
468 #if defined(OS_LINUX)
469 args->prereserved_sandbox_size = prereserved_sandbox_size_;
470 #endif
472 base::PlatformFile nexe_file = IPC::PlatformFileForTransitToPlatformFile(
473 params.nexe_file);
474 std::string file_path_str = params.nexe_file_path_metadata.AsUTF8Unsafe();
475 args->nexe_desc = NaClDescCreateWithFilePathMetadata(nexe_file,
476 file_path_str.c_str());
478 int exit_status;
479 if (!NaClChromeMainStart(nap, args, &exit_status))
480 NaClExit(1);
482 // Report the plugin's exit status if the application started successfully.
483 trusted_listener_->Send(new NaClRendererMsg_ReportExitStatus(exit_status));
484 NaClExit(exit_status);
487 void NaClListener::ResolveFileToken(
488 uint64_t token_lo,
489 uint64_t token_hi,
490 base::Callback<void(IPC::PlatformFileForTransit, base::FilePath)> cb) {
491 if (!Send(new NaClProcessMsg_ResolveFileToken(token_lo, token_hi))) {
492 cb.Run(IPC::PlatformFileForTransit(), base::FilePath());
493 return;
495 resolved_cb_ = cb;
498 void NaClListener::OnFileTokenResolved(
499 uint64_t token_lo,
500 uint64_t token_hi,
501 IPC::PlatformFileForTransit ipc_fd,
502 base::FilePath file_path) {
503 resolved_cb_.Run(ipc_fd, file_path);
504 resolved_cb_.Reset();