Fix crash on app list start page keyboard navigation with <4 apps.
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf-helpers / sigsys_handlers.cc
blob21fd4d705af8088cbc059ae4e0446f5d893bff12
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Note: any code in this file MUST be async-signal safe.
7 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
9 #include <sys/syscall.h>
10 #include <unistd.h>
12 #include "base/basictypes.h"
13 #include "base/logging.h"
14 #include "base/posix/eintr_wrapper.h"
15 #include "build/build_config.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
18 #include "sandbox/linux/seccomp-bpf/syscall.h"
19 #include "sandbox/linux/services/syscall_wrappers.h"
20 #include "sandbox/linux/system_headers/linux_syscalls.h"
22 #if defined(__mips__)
23 // __NR_Linux, is defined in <asm/unistd.h>.
24 #include <asm/unistd.h>
25 #endif
27 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
28 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
29 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
30 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
31 #define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure"
32 #define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure"
34 namespace {
36 inline bool IsArchitectureX86_64() {
37 #if defined(__x86_64__)
38 return true;
39 #else
40 return false;
41 #endif
44 // Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
45 // about async-signal safety. |size| is the size to write and should typically
46 // not include a terminating \0.
47 void WriteToStdErr(const char* error_message, size_t size) {
48 while (size > 0) {
49 // TODO(jln): query the current policy to check if send() is available and
50 // use it to perform a non-blocking write.
51 const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
52 // We can't handle any type of error here.
53 if (ret <= 0 || static_cast<size_t>(ret) > size) break;
54 size -= ret;
55 error_message += ret;
59 // Invalid syscall values are truncated to zero.
60 // On architectures where base value is zero (Intel and Arm),
61 // syscall number is the same as offset from base.
62 // This function returns values between 0 and 1023 on all architectures.
63 // On architectures where base value is different than zero (currently only
64 // Mips), we are truncating valid syscall values to offset from base.
65 uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) {
66 #if defined(__mips__)
67 // On MIPS syscall numbers are in different range than on x86 and ARM.
68 // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
69 // simplicity.
70 sysno = sysno - __NR_Linux;
71 #endif
73 if (sysno >= 1024)
74 sysno = 0;
76 return sysno;
79 // Print a seccomp-bpf failure to handle |sysno| to stderr in an
80 // async-signal safe way.
81 void PrintSyscallError(uint32_t sysno) {
82 if (sysno >= 1024)
83 sysno = 0;
84 // TODO(markus): replace with async-signal safe snprintf when available.
85 const size_t kNumDigits = 4;
86 char sysno_base10[kNumDigits];
87 uint32_t rem = sysno;
88 uint32_t mod = 0;
89 for (int i = kNumDigits - 1; i >= 0; i--) {
90 mod = rem % 10;
91 rem /= 10;
92 sysno_base10[i] = '0' + mod;
94 #if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
95 static const char kSeccompErrorPrefix[] = __FILE__
96 ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + ";
97 #else
98 static const char kSeccompErrorPrefix[] =
99 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
100 #endif
101 static const char kSeccompErrorPostfix[] = "\n";
102 WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
103 WriteToStdErr(sysno_base10, sizeof(sysno_base10));
104 WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
107 } // namespace.
109 namespace sandbox {
111 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
112 uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr);
114 PrintSyscallError(syscall);
116 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
117 // type, which fcntl, ... etc., without being likely to hit a mapped
118 // address.
119 // Do not encode more bits here without thinking about increasing the
120 // likelihood of collision with mapped pages.
121 syscall |= ((args.args[0] & 0xffUL) << 12);
122 syscall |= ((args.args[1] & 0xffUL) << 20);
123 // Purposefully dereference the syscall as an address so it'll show up very
124 // clearly and easily in crash dumps.
125 volatile char* addr = reinterpret_cast<volatile char*>(syscall);
126 *addr = '\0';
127 // In case we hit a mapped address, hit the null page with just the syscall,
128 // for paranoia.
129 syscall &= 0xfffUL;
130 addr = reinterpret_cast<volatile char*>(syscall);
131 *addr = '\0';
132 for (;;)
133 _exit(1);
136 // TODO(jln): refactor the reporting functions.
138 intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
139 static const char kSeccompCloneError[] =
140 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n";
141 WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
142 // "flags" is the first argument in the kernel's clone().
143 // Mark as volatile to be able to find the value on the stack in a minidump.
144 volatile uint64_t clone_flags = args.args[0];
145 volatile char* addr;
146 if (IsArchitectureX86_64()) {
147 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
148 *addr = '\0';
150 // Hit the NULL page if this fails to fault.
151 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
152 *addr = '\0';
153 for (;;)
154 _exit(1);
157 intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
158 void* /* aux */) {
159 static const char kSeccompPrctlError[] =
160 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n";
161 WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
162 // Mark as volatile to be able to find the value on the stack in a minidump.
163 volatile uint64_t option = args.args[0];
164 volatile char* addr =
165 reinterpret_cast<volatile char*>(option & 0xFFF);
166 *addr = '\0';
167 for (;;)
168 _exit(1);
171 intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
172 void* /* aux */) {
173 static const char kSeccompIoctlError[] =
174 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n";
175 WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
176 // Make "request" volatile so that we can see it on the stack in a minidump.
177 volatile uint64_t request = args.args[1];
178 volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
179 *addr = '\0';
180 // Hit the NULL page if this fails.
181 addr = reinterpret_cast<volatile char*>(request & 0xFFF);
182 *addr = '\0';
183 for (;;)
184 _exit(1);
187 intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args,
188 void* /* aux */) {
189 static const char kSeccompKillError[] =
190 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n";
191 WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1);
192 // Make "request" volatile so that we can see it on the stack in a minidump.
193 volatile uint64_t pid = args.args[0];
194 volatile char* addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
195 *addr = '\0';
196 // Hit the NULL page if this fails.
197 addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
198 *addr = '\0';
199 for (;;)
200 _exit(1);
203 intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args,
204 void* /* aux */) {
205 static const char kSeccompFutexError[] =
206 __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n";
207 WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1);
208 volatile int futex_op = args.args[1];
209 volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF);
210 *addr = '\0';
211 for (;;)
212 _exit(1);
215 intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
216 void* aux) {
217 switch (args.nr) {
218 case __NR_sched_getaffinity:
219 case __NR_sched_getattr:
220 case __NR_sched_getparam:
221 case __NR_sched_getscheduler:
222 case __NR_sched_rr_get_interval:
223 case __NR_sched_setaffinity:
224 case __NR_sched_setattr:
225 case __NR_sched_setparam:
226 case __NR_sched_setscheduler:
227 const pid_t tid = sys_gettid();
228 // The first argument is the pid. If is our thread id, then replace it
229 // with 0, which is equivalent and allowed by the policy.
230 if (args.args[0] == static_cast<uint64_t>(tid)) {
231 return Syscall::Call(args.nr,
233 static_cast<intptr_t>(args.args[1]),
234 static_cast<intptr_t>(args.args[2]),
235 static_cast<intptr_t>(args.args[3]),
236 static_cast<intptr_t>(args.args[4]),
237 static_cast<intptr_t>(args.args[5]));
239 break;
242 CrashSIGSYS_Handler(args, aux);
244 // Should never be reached.
245 RAW_CHECK(false);
246 return -ENOSYS;
249 bpf_dsl::ResultExpr CrashSIGSYS() {
250 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
253 bpf_dsl::ResultExpr CrashSIGSYSClone() {
254 return bpf_dsl::Trap(SIGSYSCloneFailure, NULL);
257 bpf_dsl::ResultExpr CrashSIGSYSPrctl() {
258 return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL);
261 bpf_dsl::ResultExpr CrashSIGSYSIoctl() {
262 return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL);
265 bpf_dsl::ResultExpr CrashSIGSYSKill() {
266 return bpf_dsl::Trap(SIGSYSKillFailure, NULL);
269 bpf_dsl::ResultExpr CrashSIGSYSFutex() {
270 return bpf_dsl::Trap(SIGSYSFutexFailure, NULL);
273 bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
274 return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
277 const char* GetErrorMessageContentForTests() {
278 return SECCOMP_MESSAGE_COMMON_CONTENT;
281 const char* GetCloneErrorMessageContentForTests() {
282 return SECCOMP_MESSAGE_CLONE_CONTENT;
285 const char* GetPrctlErrorMessageContentForTests() {
286 return SECCOMP_MESSAGE_PRCTL_CONTENT;
289 const char* GetIoctlErrorMessageContentForTests() {
290 return SECCOMP_MESSAGE_IOCTL_CONTENT;
293 const char* GetKillErrorMessageContentForTests() {
294 return SECCOMP_MESSAGE_KILL_CONTENT;
297 const char* GetFutexErrorMessageContentForTests() {
298 return SECCOMP_MESSAGE_FUTEX_CONTENT;
301 } // namespace sandbox.