sandbox/win/src/crosscall_server.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <string>
   6 #include <vector>
   7
   8 #include "sandbox/win/src/crosscall_server.h"
   9 #include "sandbox/win/src/crosscall_params.h"
  10 #include "sandbox/win/src/crosscall_client.h"
  11 #include "base/logging.h"
  12
  13 // This code performs the ipc message validation. Potential security flaws
  14 // on the ipc are likelier to be found in this code than in the rest of
  15 // the ipc code.
  16
  17 namespace {
  18
  19 // The buffer for a message must match the max channel size.
  20 const size_t kMaxBufferSize = sandbox::kIPCChannelSize;
  21
  22 }
  23
  24 namespace sandbox {
  25
  26 // Returns the actual size for the parameters in an IPC buffer. Returns
  27 // zero if the |param_count| is zero or too big.
  28 uint32 GetActualBufferSize(uint32 param_count, void* buffer_base) {
  29   // The template types are used to calculate the maximum expected size.
  30   typedef ActualCallParams<1, kMaxBufferSize> ActualCP1;
  31   typedef ActualCallParams<2, kMaxBufferSize> ActualCP2;
  32   typedef ActualCallParams<3, kMaxBufferSize> ActualCP3;
  33   typedef ActualCallParams<4, kMaxBufferSize> ActualCP4;
  34   typedef ActualCallParams<5, kMaxBufferSize> ActualCP5;
  35   typedef ActualCallParams<6, kMaxBufferSize> ActualCP6;
  36   typedef ActualCallParams<7, kMaxBufferSize> ActualCP7;
  37   typedef ActualCallParams<8, kMaxBufferSize> ActualCP8;
  38   typedef ActualCallParams<9, kMaxBufferSize> ActualCP9;
  39
  40   // Retrieve the actual size and the maximum size of the params buffer.
  41   switch (param_count) {
  42     case 0:
  43       return 0;
  44     case 1:
  45       return reinterpret_cast<ActualCP1*>(buffer_base)->GetSize();
  46     case 2:
  47       return reinterpret_cast<ActualCP2*>(buffer_base)->GetSize();
  48     case 3:
  49       return reinterpret_cast<ActualCP3*>(buffer_base)->GetSize();
  50     case 4:
  51       return reinterpret_cast<ActualCP4*>(buffer_base)->GetSize();
  52     case 5:
  53       return reinterpret_cast<ActualCP5*>(buffer_base)->GetSize();
  54     case 6:
  55       return reinterpret_cast<ActualCP6*>(buffer_base)->GetSize();
  56     case 7:
  57       return reinterpret_cast<ActualCP7*>(buffer_base)->GetSize();
  58     case 8:
  59       return reinterpret_cast<ActualCP8*>(buffer_base)->GetSize();
  60     case 9:
  61       return reinterpret_cast<ActualCP9*>(buffer_base)->GetSize();
  62     default:
  63       return 0;
  64   }
  65 }
  66
  67 // Verifies that the declared sizes of an IPC buffer are within range.
  68 bool IsSizeWithinRange(uint32 buffer_size, uint32 min_declared_size,
  69                        uint32 declared_size) {
  70   if ((buffer_size < min_declared_size) ||
  71       (sizeof(CrossCallParamsEx) > min_declared_size)) {
  72     // Minimal computed size bigger than existing buffer or param_count
  73     // integer overflow.
  74     return false;
  75   }
  76
  77   if ((declared_size > buffer_size) || (declared_size < min_declared_size)) {
  78     // Declared size is bigger than buffer or smaller than computed size
  79     // or param_count is equal to 0 or bigger than 9.
  80     return false;
  81   }
  82
  83   return true;
  84 }
  85
  86 CrossCallParamsEx::CrossCallParamsEx()
  87   :CrossCallParams(0, 0) {
  88 }
  89
  90 // We override the delete operator because the object's backing memory
  91 // is hand allocated in CreateFromBuffer. We don't override the new operator
  92 // because the constructors are private so there is no way to mismatch
  93 // new & delete.
  94 void CrossCallParamsEx::operator delete(void* raw_memory) throw() {
  95   if (NULL == raw_memory) {
  96     // C++ standard allows 'delete 0' behavior.
  97     return;
  98   }
  99   delete[] reinterpret_cast<char*>(raw_memory);
 100 }
 101
 102 // This function uses a SEH try block so cannot use C++ objects that
 103 // have destructors or else you get Compiler Error C2712. So no DCHECKs
 104 // inside this function.
 105 CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
 106                                                        uint32 buffer_size,
 107                                                        uint32* output_size) {
 108   // IMPORTANT: Everything inside buffer_base and derived from it such
 109   // as param_count and declared_size is untrusted.
 110   if (NULL == buffer_base) {
 111     return NULL;
 112   }
 113   if (buffer_size < sizeof(CrossCallParams)) {
 114     return NULL;
 115   }
 116   if (buffer_size > kMaxBufferSize) {
 117     return NULL;
 118   }
 119
 120   char* backing_mem = NULL;
 121   uint32 param_count = 0;
 122   uint32 declared_size;
 123   uint32 min_declared_size;
 124   CrossCallParamsEx* copied_params = NULL;
 125
 126   // Touching the untrusted buffer is done under a SEH try block. This
 127   // will catch memory access violations so we don't crash.
 128   __try {
 129     CrossCallParams* call_params =
 130         reinterpret_cast<CrossCallParams*>(buffer_base);
 131
 132     // Check against the minimum size given the number of stated params
 133     // if too small we bail out.
 134     param_count = call_params->GetParamsCount();
 135     min_declared_size = sizeof(CrossCallParams) +
 136                         ((param_count + 1) * sizeof(ParamInfo));
 137
 138     // Retrieve the declared size which if it fails returns 0.
 139     declared_size = GetActualBufferSize(param_count, buffer_base);
 140
 141     if (!IsSizeWithinRange(buffer_size, min_declared_size, declared_size))
 142       return NULL;
 143
 144     // Now we copy the actual amount of the message.
 145     *output_size = declared_size;
 146     backing_mem = new char[declared_size];
 147     copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem);
 148     memcpy(backing_mem, call_params, declared_size);
 149
 150     // Avoid compiler optimizations across this point. Any value stored in
 151     // memory should be stored for real, and values previously read from memory
 152     // should be actually read.
 153     _ReadWriteBarrier();
 154
 155     min_declared_size = sizeof(CrossCallParams) +
 156                         ((param_count + 1) * sizeof(ParamInfo));
 157
 158     // Check that the copied buffer is still valid.
 159     if (copied_params->GetParamsCount() != param_count ||
 160         GetActualBufferSize(param_count, backing_mem) != declared_size ||
 161         !IsSizeWithinRange(buffer_size, min_declared_size, declared_size)) {
 162       delete [] backing_mem;
 163       return NULL;
 164     }
 165
 166   } __except(EXCEPTION_EXECUTE_HANDLER) {
 167     // In case of a windows exception we know it occurred while touching the
 168     // untrusted buffer so we bail out as is.
 169     delete [] backing_mem;
 170     return NULL;
 171   }
 172
 173   const char* last_byte = &backing_mem[declared_size];
 174   const char* first_byte = &backing_mem[min_declared_size];
 175
 176   // Verify here that all and each parameters make sense. This is done in the
 177   // local copy.
 178   for (uint32 ix =0; ix != param_count; ++ix) {
 179     uint32 size = 0;
 180     ArgType type;
 181     char* address = reinterpret_cast<char*>(
 182                         copied_params->GetRawParameter(ix, &size, &type));
 183     if ((NULL == address) ||               // No null params.
 184         (INVALID_TYPE >= type) || (LAST_TYPE <= type) ||  // Unknown type.
 185         (address < backing_mem) ||         // Start cannot point before buffer.
 186         (address < first_byte) ||          // Start cannot point too low.
 187         (address > last_byte) ||           // Start cannot point past buffer.
 188         ((address + size) < address) ||    // Invalid size.
 189         ((address + size) > last_byte)) {  // End cannot point past buffer.
 190       // Malformed.
 191       delete[] backing_mem;
 192       return NULL;
 193     }
 194   }
 195   // The parameter buffer looks good.
 196   return copied_params;
 197 }
 198
 199 // Accessors to the parameters in the raw buffer.
 200 void* CrossCallParamsEx::GetRawParameter(uint32 index, uint32* size,
 201                                          ArgType* type) {
 202   if (index >= GetParamsCount()) {
 203     return NULL;
 204   }
 205   // The size is always computed from the parameter minus the next
 206   // parameter, this works because the message has an extra parameter slot
 207   *size = param_info_[index].size_;
 208   *type = param_info_[index].type_;
 209
 210   return param_info_[index].offset_ + reinterpret_cast<char*>(this);
 211 }
 212
 213 // Covers common case for 32 bit integers.
 214 bool CrossCallParamsEx::GetParameter32(uint32 index, uint32* param) {
 215   uint32 size = 0;
 216   ArgType type;
 217   void* start = GetRawParameter(index, &size, &type);
 218   if ((NULL == start) || (4 != size) || (UINT32_TYPE != type)) {
 219     return false;
 220   }
 221   // Copy the 4 bytes.
 222   *(reinterpret_cast<uint32*>(param)) = *(reinterpret_cast<uint32*>(start));
 223   return true;
 224 }
 225
 226 bool CrossCallParamsEx::GetParameterVoidPtr(uint32 index, void** param) {
 227   uint32 size = 0;
 228   ArgType type;
 229   void* start = GetRawParameter(index, &size, &type);
 230   if ((NULL == start) || (sizeof(void*) != size) || (VOIDPTR_TYPE != type)) {
 231     return false;
 232   }
 233   *param = *(reinterpret_cast<void**>(start));
 234   return true;
 235 }
 236
 237 // Covers the common case of reading a string. Note that the string is not
 238 // scanned for invalid characters.
 239 bool CrossCallParamsEx::GetParameterStr(uint32 index, base::string16* string) {
 240   uint32 size = 0;
 241   ArgType type;
 242   void* start = GetRawParameter(index, &size, &type);
 243   if (WCHAR_TYPE != type) {
 244     return false;
 245   }
 246
 247   // Check if this is an empty string.
 248   if (size == 0) {
 249     *string = L"";
 250     return true;
 251   }
 252
 253   if ((NULL == start) || ((size % sizeof(wchar_t)) != 0)) {
 254     return false;
 255   }
 256   string->append(reinterpret_cast<wchar_t*>(start), size/(sizeof(wchar_t)));
 257   return true;
 258 }
 259
 260 bool CrossCallParamsEx::GetParameterPtr(uint32 index, uint32 expected_size,
 261                                         void** pointer) {
 262   uint32 size = 0;
 263   ArgType type;
 264   void* start = GetRawParameter(index, &size, &type);
 265
 266   if ((size != expected_size) || (INOUTPTR_TYPE != type)) {
 267     return false;
 268   }
 269
 270   if (NULL == start) {
 271     return false;
 272   }
 273
 274   *pointer = start;
 275   return true;
 276 }
 277
 278 void SetCallError(ResultCode error, CrossCallReturn* call_return) {
 279   call_return->call_outcome = error;
 280   call_return->extended_count = 0;
 281 }
 282
 283 void SetCallSuccess(CrossCallReturn* call_return) {
 284   call_return->call_outcome = SBOX_ALL_OK;
 285 }
 286
 287 Dispatcher* Dispatcher::OnMessageReady(IPCParams* ipc,
 288                                       CallbackGeneric* callback) {
 289   DCHECK(callback);
 290   std::vector<IPCCall>::iterator it = ipc_calls_.begin();
 291   for (; it != ipc_calls_.end(); ++it) {
 292     if (it->params.Matches(ipc)) {
 293       *callback = it->callback;
 294       return this;
 295     }
 296   }
 297   return NULL;
 298 }
 299
 300 }  // namespace sandbox