chrome_frame/vtable_patch_manager.cc

   1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome_frame/vtable_patch_manager.h"
   6
   7 #include <atlcomcli.h>
   8
   9 #include <algorithm>
  10
  11 #include "base/atomicops.h"
  12 #include "base/logging.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/synchronization/lock.h"
  15 #include "chrome_frame/function_stub.h"
  16 #include "chrome_frame/utils.h"
  17
  18 namespace vtable_patch {
  19
  20 // The number of times we retry a patch/unpatch operation in case of
  21 // VM races with other 3rd party software trying to patch the same thing.
  22 const int kMaxRetries = 3;
  23
  24 // We hold a lock over all patching operations to make sure that we don't
  25 // e.g. race on VM operations to the same patches, or to physical pages
  26 // shared across different VTABLEs.
  27 base::Lock patch_lock_;
  28
  29 namespace internal {
  30 // Because other parties in our process might be attempting to patch the same
  31 // virtual tables at the same time, we have a race to modify the VM protections
  32 // on the pages. We also need to do a compare/swap type operation when we
  33 // modify the function, so as to be sure that we grab the most recent value.
  34 // Hence the SEH blocks and the nasty-looking compare/swap operation.
  35 bool ReplaceFunctionPointer(void** entry, void* new_proc, void* curr_proc) {
  36   __try {
  37     base::subtle::Atomic32 prev_value;
  38
  39     prev_value = base::subtle::NoBarrier_CompareAndSwap(
  40         reinterpret_cast<base::subtle::Atomic32 volatile*>(entry),
  41         reinterpret_cast<base::subtle::Atomic32>(curr_proc),
  42         reinterpret_cast<base::subtle::Atomic32>(new_proc));
  43
  44     return curr_proc == reinterpret_cast<void*>(prev_value);
  45   } __except(EXCEPTION_EXECUTE_HANDLER) {
  46     // Oops, we took exception on access.
  47   }
  48
  49   return false;
  50 }
  51
  52 }  // namespace
  53
  54 // Convenient definition of a VTABLE
  55 typedef PROC* Vtable;
  56
  57 // Returns a pointer to the VTable of a COM interface.
  58 // @param unknown [in] The pointer of the COM interface.
  59 inline Vtable GetIFVTable(void* unknown) {
  60   return reinterpret_cast<Vtable>(*reinterpret_cast<void**>(unknown));
  61 }
  62
  63 HRESULT PatchInterfaceMethods(void* unknown, MethodPatchInfo* patches) {
  64   // Do some sanity checking of the input arguments.
  65   if (NULL == unknown || NULL == patches) {
  66     NOTREACHED();
  67     return E_INVALIDARG;
  68   }
  69
  70   Vtable vtable = GetIFVTable(unknown);
  71   DCHECK(vtable);
  72
  73   // All VM operations, patching and manipulation of MethodPatchInfo
  74   // is done under a global lock, to ensure multiple threads don't
  75   // race, whether on an individual patch, or on VM operations to
  76   // the same physical pages.
  77   base::AutoLock lock(patch_lock_);
  78
  79   for (MethodPatchInfo* it = patches; it->index_ != -1; ++it) {
  80     if (it->stub_ != NULL) {
  81       // If this DCHECK fires it means that we are using the same VTable
  82       // information to patch two different interfaces, or we've lost a
  83       // race with another thread who's patching the same interface.
  84       DLOG(WARNING) << "Attempting to patch two different VTables with the "
  85           "same VTable information, or patching the same interface on "
  86           "multiple threads";
  87       continue;
  88     }
  89
  90     PROC original_fn = vtable[it->index_];
  91     FunctionStub* stub = NULL;
  92
  93 #ifndef NDEBUG
  94     stub = FunctionStub::FromCode(original_fn);
  95     if (stub != NULL) {
  96       DLOG(ERROR) << "attempt to patch a function that's already patched";
  97       DCHECK(stub->destination_function() ==
  98              reinterpret_cast<uintptr_t>(it->method_)) <<
  99              "patching the same method multiple times with different hooks?";
 100       continue;
 101     }
 102 #endif
 103
 104     stub = FunctionStub::Create(reinterpret_cast<uintptr_t>(original_fn),
 105                                 it->method_);
 106     if (!stub) {
 107       NOTREACHED();
 108       return E_OUTOFMEMORY;
 109     }
 110
 111     // Do the VM operations and the patching in a loop, to try and ensure
 112     // we succeed even if there's a VM operation or a patch race against
 113     // other 3rd parties patching.
 114     bool succeeded = false;
 115     for (int i = 0; !succeeded && i < kMaxRetries; ++i) {
 116       DWORD protect = 0;
 117       if (!::VirtualProtect(&vtable[it->index_], sizeof(PROC),
 118                             PAGE_EXECUTE_READWRITE, &protect)) {
 119         HRESULT hr = AtlHresultFromLastError();
 120         DLOG(ERROR) << "VirtualProtect failed 0x" << std::hex << hr;
 121
 122         // Go around again in the feeble hope that this is
 123         // a temporary problem.
 124         continue;
 125       }
 126       original_fn = vtable[it->index_];
 127       stub->set_argument(reinterpret_cast<uintptr_t>(original_fn));
 128       succeeded = internal::ReplaceFunctionPointer(
 129           reinterpret_cast<void**>(&vtable[it->index_]), stub->code(),
 130           original_fn);
 131
 132       if (!::VirtualProtect(&vtable[it->index_], sizeof(PROC), protect,
 133                             &protect)) {
 134         DLOG(ERROR) << "VirtualProtect failed to restore protection";
 135       }
 136     }
 137
 138     if (!succeeded) {
 139       FunctionStub::Destroy(stub);
 140       stub = NULL;
 141
 142       DLOG(ERROR) << "Failed to patch VTable.";
 143       return E_FAIL;
 144     } else {
 145       // Success, save the stub we created.
 146       it->stub_ = stub;
 147       PinModule();
 148     }
 149   }
 150
 151   return S_OK;
 152 }
 153
 154 HRESULT UnpatchInterfaceMethods(MethodPatchInfo* patches) {
 155   base::AutoLock lock(patch_lock_);
 156
 157   for (MethodPatchInfo* it = patches; it->index_ != -1; ++it) {
 158     if (it->stub_) {
 159       DCHECK(it->stub_->destination_function() ==
 160           reinterpret_cast<uintptr_t>(it->method_));
 161       // Modify the stub to just jump directly to the original function.
 162       it->stub_->BypassStub(reinterpret_cast<void*>(it->stub_->argument()));
 163       it->stub_ = NULL;
 164       // Leave the stub in memory so that we won't break any possible chains.
 165
 166       // TODO(siggi): why not restore the original VTBL pointer here, provided
 167       //    we haven't been chained?
 168     } else {
 169       DLOG(WARNING) << "attempt to unpatch a function that wasn't patched";
 170     }
 171   }
 172
 173   return S_OK;
 174 }
 175
 176 // Disabled for now as we're not using it atm.
 177 #if 0
 178
 179 DynamicPatchManager::DynamicPatchManager(const MethodPatchInfo* patch_prototype)
 180     : patch_prototype_(patch_prototype) {
 181   DCHECK(patch_prototype_);
 182   DCHECK(patch_prototype_->stub_ == NULL);
 183 }
 184
 185 DynamicPatchManager::~DynamicPatchManager() {
 186   UnpatchAll();
 187 }
 188
 189 HRESULT DynamicPatchManager::PatchObject(void* unknown) {
 190   int patched_methods = 0;
 191   for (; patch_prototype_[patched_methods].index_ != -1; patched_methods++) {
 192     // If you hit this, then you are likely using the prototype instance for
 193     // patching in _addition_ to this class.  This is not a good idea :)
 194     DCHECK(patch_prototype_[patched_methods].stub_ == NULL);
 195   }
 196
 197   // Prepare a new patch object using the patch info from the prototype.
 198   int mem_size = sizeof(PatchedObject) +
 199                  sizeof(MethodPatchInfo) * patched_methods;
 200   PatchedObject* entry = reinterpret_cast<PatchedObject*>(new char[mem_size]);
 201   entry->vtable_ = GetIFVTable(unknown);
 202   memcpy(entry->patch_info_, patch_prototype_,
 203          sizeof(MethodPatchInfo) * (patched_methods + 1));
 204
 205   patch_list_lock_.Acquire();
 206
 207   // See if we've already patched this vtable before.
 208   // The search is done via the == operator of the PatchedObject class.
 209   PatchList::const_iterator it = std::find(patch_list_.begin(),
 210                                            patch_list_.end(), entry);
 211   HRESULT hr;
 212   if (it == patch_list_.end()) {
 213     hr = PatchInterfaceMethods(unknown, entry->patch_info_);
 214     if (SUCCEEDED(hr)) {
 215       patch_list_.push_back(entry);
 216       entry = NULL;  // Ownership transferred to the array.
 217     }
 218   } else {
 219     hr = S_FALSE;
 220   }
 221
 222   patch_list_lock_.Release();
 223
 224   delete entry;
 225
 226   return hr;
 227 }
 228
 229 bool DynamicPatchManager::UnpatchAll() {
 230   patch_list_lock_.Acquire();
 231   PatchList::iterator it;
 232   for (it = patch_list_.begin(); it != patch_list_.end(); it++) {
 233     UnpatchInterfaceMethods((*it)->patch_info_);
 234     delete (*it);
 235   }
 236   patch_list_.clear();
 237   patch_list_lock_.Release();
 238
 239   return true;
 240 }
 241
 242 #endif  // disabled DynamicPatchManager
 243
 244 }  // namespace vtable_patch