| blob | bd8ef91596931c62a302ddf9fc9c2b9558532f28 |
1 /*
2 * Copyright 2008, Google Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 *
9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above
12 * copyright notice, this list of conditions and the following disclaimer
13 * in the documentation and/or other materials provided with the
14 * distribution.
15 * * Neither the name of Google Inc. nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
32 /*
33 * NaCl Simple/secure ELF loader (NaCl SEL).
34 *
35 * This loader can only process NaCl object files as produced using
36 * the NaCl toolchain. Other ELF files will be rejected.
37 *
38 * The primary function, NaClAppLoadFile, parses an ELF file,
39 * allocates memory, loads the relocatable image from the ELF file
40 * into memory, and performs relocation. NaClAppRun runs the
41 * resultant program.
42 *
43 * This loader is written in C so that it can be used by C-only as
44 * well as C++ applications. Other languages should also be able to
45 * use their foreign-function interfaces to invoke C code.
46 *
47 * This loader must be part of the NaCl TCB, since it directly handles
48 * externally supplied input (the ELF file). Any security
49 * vulnerabilities in handling the ELF image, e.g., buffer or integer
50 * overflows, can put the application at risk.
51 */
53 #ifndef SERVICE_RUNTIME_SEL_LDR_H__
54 #define SERVICE_RUNTIME_SEL_LDR_H__ 1
76 EXTERN_C_BEGIN
78 #define NACL_SERVICE_PORT_DESCRIPTOR 3
79 #define NACL_SERVICE_ADDRESS_DESCRIPTOR 4
81 #define NACL_MAX_ADDR_BITS (8 + 20)
82 /* wp: NACL_MAX_ADDR_BITS < 32, see NaClAppLoadFile */
85 /*
86 * the extra space for the trampoline syscall code and the thread
87 * contexts must be a multiple of the page size.
88 *
89 * TODO: leave an inaccessible page at page 0 to catch null
90 * pointers, so the first syscall will then be at page 1.
91 *
92 * TODO: change to trampoline shift of 16 (64K)
93 */
94 #define NACL_TRAMPOLINE_SHIFT 16
95 #define NACL_TRAMPOLINE_SIZE (1 << NACL_TRAMPOLINE_SHIFT)
96 #define NACL_THREAD_CTX_SIZE (64 << 10)
101 #define NACL_NOOP_OPCODE 0x90
102 #define NACL_HALT_OPCODE 0xf4
104 /*
105 * Finds the lowest 1 bit in PF_MASKOS. Assumes that at least one
106 * bit is set, and that this bit is not the highest-order bit.
107 *
108 * Let us denote PF_MASKOS by n. Assume n \ne 2^{31}. Let the k^{th}
109 * bit be the lowest order bit that is set, i.e.,
110 * n = m \cdot 2^{k+1} + 2^k, with k,m integers, m \ge 0, and 0 \le k < 31.
111 * then (here lhs is C notation, rhs is LaTeX notation):
112 * n ^ (n-1) = (m \cdot 2^{k+1} + 2^k)
113 * \oplus (m \dot 2^{k+1} + 2^{k-1} + \ldots + 1)
114 * = 2^k + 2^{k-1} + \ldots + 1
115 * = (2^{k+1}-1)
116 * so
117 * ((n ^ (n-1)) + 1U) = 2^{k+1}, (since k < 31, no overflow occurs) and
118 * ((n ^ (n-1)) + 1U) >> 1 = 2^k. QED.
119 */
120 #define PF_OS_WILL_LOAD (((PF_MASKOS ^ (PF_MASKOS-1)) + 1U) >> 1)
121 #if PF_MASKOS == (1 << 31)
123 #endif
125 #if NACL_WINDOWS
126 #define WINDOWS_EXCEPTION_TRY do { __try {
127 #define WINDOWS_EXCEPTION_CATCH } __except(EXCEPTION_EXECUTE_HANDLER) { \
128 NaClLog(LOG_ERROR, \
130 exit(1); \
131 } \
132 } while(0)
133 #else
134 #define WINDOWS_EXCEPTION_TRY do {
135 #define WINDOWS_EXCEPTION_CATCH } while(0)
136 #endif
141 /*
142 * public, user settable.
143 */
146 /*
147 * max_data_alloc controls how much total data memory can be
148 * allocated to the NaCl process; this is initialized data,
149 * uninitialized data, and heap and affects the brk system call.
150 * the text size and rodata size are not included, even though in
151 * NaCl the text and rodata pages are also backed by the pager
152 * since due to relocation the text pages and rodata contents
153 * cannot simply be memory mapped from the executable.
154 *
155 * stack_size is the maximum size of the (main) stack. The stack
156 * memory is eager allocated (mapped in w/o MAP_NORESERVE) so
157 * there must be enough swap space; page table entries are not
158 * populated (no MAP_POPULATE), so actual accesses will likely
159 * incur page faults.
160 */
162 /* determined at load time; OS-determined */
163 /* read-only */
168 /* only used for ET_EXEC: for CS restriction */
172 /* see break_addr below */
174 Elf32_Addr entry_pt;
176 /*
177 * Alignment boundary for validation (16 or 32).
178 */
181 /* private */
182 Elf32_Ehdr elf_hdr;
184 /*
185 * phdrs and sections are mutually exclusive.
186 *
187 * phdrs non-NULL means that an ELF executable -- with starting text
188 * address of NACL_TRAMPOLINE_SIZE -- is used. sections headers are
189 * still loaded, for things like bss size. ???? TODO
190 *
191 * when phdrs is NULL, a relocatable object was used and sections
192 * will be non-NULL, with the loader performing relocation as part
193 * of the image load. This is insufficient for C++ since preinit
194 * and init code is not executed, so global constructors aren't run,
195 * and multiple section groups for template instantiation are not
196 * handled properly, among other issues.
197 */
200 /* common to both ELF executables and relocatable load images */
203 /*
204 * springboard code addr for context switching into app sandbox, relative
205 * to code sandbox CS
206 */
208 /*
209 * The socket at which the app should be accepting connections. The
210 * corresponding socket address are made available by the JavaScript
211 * bridge to other NaCl modules.
212 */
218 /*
219 * runtime info below, thread state, etc; initialized only when app
220 * is run. Mutex mu protects access to mem_map and other member
221 * variables while the application is running and may be
222 * multithreaded; thread, desc members have their own locks. At
223 * other times it is assumed that only one thread is
224 * constructing/loading the NaClApp and that no mutual exclusion is
225 * needed.
226 */
228 /*
229 * memory map is in user addresses.
230 */
236 /*
237 * enforce that some "special" syscalls may only be made from the
238 * main/privileged thread
239 */
241 /* all threads enqueue the "special" syscalls to the work queue */
248 /* data_end <= break_addr is an invariant */
251 /* used when process is killed, or when address space move is needed */
253 /*
254 * Thread table lock threads_mu is higher in the locking order than
255 * the thread locks, i.e., threads_mu must be acqured w/o holding
256 * any per-thread lock (natp->mu).
257 */
265 };
267 #define NACL_MAX_PROGRAM_HEADERS 128
270 PCA_NONE,
271 PCA_TEXT_CHECK,
273 };
276 Elf32_Word p_type;
281 };
292 /*
293 * Loads a NaCl ELF file into memory in preparation for running it.
294 *
295 * gp is a pointer to a generic I/O object and should be a GioMem with
296 * a memory buffer containing the file read entirely into memory if
297 * the file system might be subject to race conditions (e.g., another
298 * thread / process might modify a downloaded NaCl ELF file while we
299 * are loading it here).
300 *
301 * nap is a pointer to the NaCl object that is being filled in. it
302 * should be properly constructed via NaClAppCtor.
303 *
304 * return value: one of the LOAD_* values below. TODO: add some error
305 * detail string and hang that off the nap object, so that more
306 * details are available w/o incrementing verbosity (and polluting
307 * stdout).
308 *
309 * note: it may be necessary to flush the icache if the memory
310 * allocated for use had already made it into the icache from another
311 * NaCl application instance, and the icache does not detect
312 * self-modifying code / data writes and automatically invalidate the
313 * cache lines.
314 */
339 /*
340 * Takes ownership of descriptor, i.e., when NaCl app closes, it's gone.
341 */
347 /*
348 * Takes ownership of handle.
349 */
351 NaClHandle h,
358 /*
359 * Used to launch the main thread. NB: calling thread may in the
360 * future become the main NaCl app thread, and this function will
361 * return only after the NaCl app main thread exits. In such an
362 * alternative design, NaClWaitForMainThreadToExit will become a
363 * no-op.
364 */
372 /*
373 * Used by syscall code.
374 */
387 /*
388 * Routines to translate addresses between user and "system" or
389 * service runtime addresses. the *Addr* versions will return
390 * kNaClBadAddress if the usr address is outside of the user address
391 * space, e.g., if the input addresses for *UserToSys* is outside of
392 * (1<<nap->addr_bits), and correspondingly for *SysToUser* if the
393 * input system address does not correspond to a user address.
394 * Generally, the *Addr* versions are used when the addresses come
395 * from untrusted usre code, and kNaClBadAddress would translate to an
396 * EINVAL return from a syscall. The *Range code ensures that the
397 * entire address range is in the user address space.
398 *
399 * Note that just because an address is within the address space, it
400 * doesn't mean that it is safe to acceess the memory: the page may be
401 * protected against access.
402 *
403 * The non-*Addr* versions abort the program rather than return an
404 * error indication.
405 */
407 /*
408 * address translation routines. after a NaClApp is started, the
409 * member variables accessed by these routines are read-only, so no
410 * locking is needed to use these functions, as long as the NaClApp
411 * structure doesn't get destructed/deallocated.
412 *
413 * the first is used internally when a NULL pointer is okay, typically
414 * for address manipulation.
415 *
416 * the next two are for syscalls to do address translation, e.g., for
417 * system calls; -1 indicates an error, so the syscall can return
418 * EINVAL or EFAULT or whatever is appropriate.
419 *
420 * the latter two interfaces are for use everywhere else in the loader
421 * / service runtime and will log a fatal error and abort the process
422 * when an error is detected. (0 is not a good error indicator, since
423 * 0 is a valid user address.)
424 */
428 {
431 }
433 }
437 {
440 }
442 }
446 {
450 }
452 }
457 {
462 }
465 /* unsigned wraparound */
467 }
470 }
472 }
476 {
481 }
483 }
487 {
491 "NaclSysToUser: sysaddr 0x%08x, mem_start 0x%08x,"
494 }
496 }
498 /*
499 * Looks up a descriptor in the open-file table. An additional
500 * reference is taken on the returned NaClDesc object (if non-NULL).
501 * The caller is responsible for invoking NaClDescUnref() on it when
502 * done.
503 */
507 /*
508 * Takes ownership of ndp.
509 */
518 /*
519 * Versions that are called while already holding the desc_mu lock
520 */
568 EXTERN_C_END
570 #endif