The Tor Browser: xpcom/build/PoisonIOInterposerMac.cpp@129ffea94266 (annotated)

xpcom/build/PoisonIOInterposerMac.cpp@129ffea94266 (annotated)

xpcom/build/PoisonIOInterposerMac.cpp

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /* vim:set ts=4 sw=4 sts=4 ci et: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "PoisonIOInterposer.h"
 #include "mach_override.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/IOInterposer.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/ProcessedStack.h"
 #include "mozilla/Scoped.h"
 #include "mozilla/Telemetry.h"
 #include "nsPrintfCString.h"
 #include "nsStackWalk.h"
 #include "nsTraceRefcnt.h"
 #include "plstr.h"
 #include "prio.h"
 #include <algorithm>
 #include <vector>
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/uio.h>
 #include <aio.h>
 #include <dlfcn.h>
 #include <fcntl.h>
 namespace {
 using namespace mozilla;
 // Bit tracking if poisoned writes are enabled
 static bool sIsEnabled = false;
 // Check if writes are dirty before reporting IO
 static bool sOnlyReportDirtyWrites = false;
 // Routines for write validation
 bool IsValidWrite(int fd, const void *wbuf, size_t count);
 bool IsIPCWrite(int fd, const struct stat &buf);
 /******************************** IO AutoTimer ********************************/
 /**
  * RAII class for timing the duration of an I/O call and reporting the result
  * to the IOInterposeObserver API.
  */
 class MacIOAutoObservation : public IOInterposeObserver::Observation
 {
 public:
   MacIOAutoObservation(IOInterposeObserver::Operation aOp, int aFd)
     : IOInterposeObserver::Observation(aOp, sReference, sIsEnabled &&
                                        !IsDebugFile(aFd))
     , mFd(aFd)
     , mHasQueriedFilename(false)
     , mFilename(nullptr)
   {
   }
   MacIOAutoObservation(IOInterposeObserver::Operation aOp, int aFd,
                        const void *aBuf, size_t aCount)
     : IOInterposeObserver::Observation(aOp, sReference, sIsEnabled &&
                                        !IsDebugFile(aFd) &&
                                        IsValidWrite(aFd, aBuf, aCount))
     , mFd(aFd)
     , mHasQueriedFilename(false)
     , mFilename(nullptr)
   {
   }
   // Custom implementation of IOInterposeObserver::Observation::Filename
   const char16_t* Filename() MOZ_OVERRIDE;
   ~MacIOAutoObservation()
   {
     Report();
     if (mFilename) {
       NS_Free(mFilename);
       mFilename = nullptr;
     }
   }
 private:
   int                 mFd;
   bool                mHasQueriedFilename;
   char16_t*           mFilename;
   static const char*  sReference;
 };
 const char* MacIOAutoObservation::sReference = "PoisonIOInterposer";
 // Get filename for this observation
 const char16_t* MacIOAutoObservation::Filename()
 {
   // If mHasQueriedFilename is true, then we already have it
   if (mHasQueriedFilename) {
     return mFilename;
   }
   char filename[MAXPATHLEN];
   if (fcntl(mFd, F_GETPATH, filename) != -1) {
     mFilename = UTF8ToNewUnicode(nsDependentCString(filename));
   } else {
     mFilename = nullptr;
   }
   mHasQueriedFilename = true;
   // Return filename
   return mFilename;
 }
 /****************************** Write Validation ******************************/
 // We want to detect "actual" writes, not IPC. Some IPC mechanisms are
 // implemented with file descriptors, so filter them out.
 bool IsIPCWrite(int fd, const struct stat &buf) {
   if ((buf.st_mode & S_IFMT) == S_IFIFO) {
     return true;
   }
   if ((buf.st_mode & S_IFMT) != S_IFSOCK) {
     return false;
   }
   sockaddr_storage address;
   socklen_t len = sizeof(address);
   if (getsockname(fd, (sockaddr*) &address, &len) != 0) {
     return true; // Ignore the fd if we can't find what it is.
   }
   return address.ss_family == AF_UNIX;
 }
 // We want to report actual disk IO not things that don't move bits on the disk
 bool IsValidWrite(int fd, const void *wbuf, size_t count)
 {
   // Ignore writes of zero bytes, Firefox does some during shutdown.
   if (count == 0) {
     return false;
   }
   {
     struct stat buf;
     int rv = fstat(fd, &buf);
     if (rv != 0) {
       return true;
     }
     if (IsIPCWrite(fd, buf)) {
       return false;
     }
   }
   // For writev we pass a nullptr wbuf. We should only get here from
   // dbm, and it uses write, so assert that we have wbuf.
   if (!wbuf) {
     return true;
   }
   // Break, here if we're allowed to report non-dirty writes
   if(!sOnlyReportDirtyWrites) {
     return true;
   }
   // As a really bad hack, accept writes that don't change the on disk
   // content. This is needed because dbm doesn't keep track of dirty bits
   // and can end up writing the same data to disk twice. Once when the
   // user (nss) asks it to sync and once when closing the database.
   ScopedFreePtr<void> wbuf2(malloc(count));
   if (!wbuf2) {
     return true;
   }
   off_t pos = lseek(fd, 0, SEEK_CUR);
   if (pos == -1) {
     return true;
   }
   ssize_t r = read(fd, wbuf2, count);
   if (r < 0 || (size_t)r != count) {
     return true;
   }
   int cmp = memcmp(wbuf, wbuf2, count);
   if (cmp != 0) {
     return true;
   }
   off_t pos2 = lseek(fd, pos, SEEK_SET);
   if (pos2 != pos) {
     return true;
   }
   // Otherwise this is not a valid write
   return false;
 }
 /*************************** Function Interception  ***************************/
 /** Structure for declaration of function override */
 struct FuncData {
   const char *Name;      // Name of the function for the ones we use dlsym
   const void *Wrapper;   // The function that we will replace 'Function' with
   void *Function;        // The function that will be replaced with 'Wrapper'
   void *Buffer;          // Will point to the jump buffer that lets us call
                          // 'Function' after it has been replaced.
 };
 // Wrap aio_write. We have not seen it before, so just assert/report it.
 typedef ssize_t (*aio_write_t)(struct aiocb *aiocbp);
 ssize_t wrap_aio_write(struct aiocb *aiocbp);
 FuncData aio_write_data = { 0, (void*) wrap_aio_write, (void*) aio_write };
 ssize_t wrap_aio_write(struct aiocb *aiocbp) {
   MacIOAutoObservation timer(IOInterposeObserver::OpWrite, aiocbp->aio_fildes);
   aio_write_t old_write = (aio_write_t) aio_write_data.Buffer;
   return old_write(aiocbp);
 }
 // Wrap pwrite-like functions.
 // We have not seen them before, so just assert/report it.
 typedef ssize_t (*pwrite_t)(int fd, const void *buf, size_t nbyte, off_t offset);
 template<FuncData &foo>
 ssize_t wrap_pwrite_temp(int fd, const void *buf, size_t nbyte, off_t offset) {
   MacIOAutoObservation timer(IOInterposeObserver::OpWrite, fd);
   pwrite_t old_write = (pwrite_t) foo.Buffer;
   return old_write(fd, buf, nbyte, offset);
 }
 // Define a FuncData for a pwrite-like functions.
 #define DEFINE_PWRITE_DATA(X, NAME)                                        \
 FuncData X ## _data = { NAME, (void*) wrap_pwrite_temp<X ## _data> };      \
 // This exists everywhere.
 DEFINE_PWRITE_DATA(pwrite, "pwrite")
 // These exist on 32 bit OS X
 DEFINE_PWRITE_DATA(pwrite_NOCANCEL_UNIX2003, "pwrite$NOCANCEL$UNIX2003");
 DEFINE_PWRITE_DATA(pwrite_UNIX2003, "pwrite$UNIX2003");
 // This exists on 64 bit OS X
 DEFINE_PWRITE_DATA(pwrite_NOCANCEL, "pwrite$NOCANCEL");
 typedef ssize_t (*writev_t)(int fd, const struct iovec *iov, int iovcnt);
 template<FuncData &foo>
 ssize_t wrap_writev_temp(int fd, const struct iovec *iov, int iovcnt) {
   MacIOAutoObservation timer(IOInterposeObserver::OpWrite, fd, nullptr, iovcnt);
   writev_t old_write = (writev_t) foo.Buffer;
   return old_write(fd, iov, iovcnt);
 }
 // Define a FuncData for a writev-like functions.
 #define DEFINE_WRITEV_DATA(X, NAME)                                   \
 FuncData X ## _data = { NAME, (void*) wrap_writev_temp<X ## _data> }; \
 // This exists everywhere.
 DEFINE_WRITEV_DATA(writev, "writev");
 // These exist on 32 bit OS X
 DEFINE_WRITEV_DATA(writev_NOCANCEL_UNIX2003, "writev$NOCANCEL$UNIX2003");
 DEFINE_WRITEV_DATA(writev_UNIX2003, "writev$UNIX2003");
 // This exists on 64 bit OS X
 DEFINE_WRITEV_DATA(writev_NOCANCEL, "writev$NOCANCEL");
 typedef ssize_t (*write_t)(int fd, const void *buf, size_t count);
 template<FuncData &foo>
 ssize_t wrap_write_temp(int fd, const void *buf, size_t count) {
   MacIOAutoObservation timer(IOInterposeObserver::OpWrite, fd, buf, count);
   write_t old_write = (write_t) foo.Buffer;
   return old_write(fd, buf, count);
 }
 // Define a FuncData for a write-like functions.
 #define DEFINE_WRITE_DATA(X, NAME)                                   \
 FuncData X ## _data = { NAME, (void*) wrap_write_temp<X ## _data> }; \
 // This exists everywhere.
 DEFINE_WRITE_DATA(write, "write");
 // These exist on 32 bit OS X
 DEFINE_WRITE_DATA(write_NOCANCEL_UNIX2003, "write$NOCANCEL$UNIX2003");
 DEFINE_WRITE_DATA(write_UNIX2003, "write$UNIX2003");
 // This exists on 64 bit OS X
 DEFINE_WRITE_DATA(write_NOCANCEL, "write$NOCANCEL");
 FuncData *Functions[] = { &aio_write_data,
                           &pwrite_data,
                           &pwrite_NOCANCEL_UNIX2003_data,
                           &pwrite_UNIX2003_data,
                           &pwrite_NOCANCEL_data,
                           &write_data,
                           &write_NOCANCEL_UNIX2003_data,
                           &write_UNIX2003_data,
                           &write_NOCANCEL_data,
                           &writev_data,
                           &writev_NOCANCEL_UNIX2003_data,
                           &writev_UNIX2003_data,
                           &writev_NOCANCEL_data};
 const int NumFunctions = ArrayLength(Functions);
 } // anonymous namespace
 /******************************** IO Poisoning ********************************/
 namespace mozilla {
 void InitPoisonIOInterposer() {
   // Enable reporting from poisoned write methods
   sIsEnabled = true;
   // Make sure we only poison writes once!
   static bool WritesArePoisoned = false;
   if (WritesArePoisoned) {
     return;
   }
   WritesArePoisoned = true;
   // stdout and stderr are OK.
   MozillaRegisterDebugFD(1);
   MozillaRegisterDebugFD(2);
   for (int i = 0; i < NumFunctions; ++i) {
     FuncData *d = Functions[i];
     if (!d->Function) {
       d->Function = dlsym(RTLD_DEFAULT, d->Name);
     }
     if (!d->Function) {
       continue;
     }
     DebugOnly<mach_error_t> t = mach_override_ptr(d->Function, d->Wrapper,
                                        &d->Buffer);
     MOZ_ASSERT(t == err_none);
   }
 }
 void OnlyReportDirtyWrites() {
   sOnlyReportDirtyWrites = true;
 }
 void ClearPoisonIOInterposer() {
   // Not sure how or if we can unpoison the functions. Would be nice, but no
   // worries we won't need to do this anyway.
   sIsEnabled = false;
 }
 } // namespace mozilla

The Tor Browser / annotate

xpcom/build/PoisonIOInterposerMac.cpp@129ffea94266 (annotated)

xpcom/build/PoisonIOInterposerMac.cpp