The Tor Browser: comparison security/sandbox/win/src/crosscall

--1:000000000000
+:3a857a2aefea
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef SANDBOX_SRC_CROSSCALL_PARAMS_H__
+#define SANDBOX_SRC_CROSSCALL_PARAMS_H__
+#include <windows.h>
+#include <lmaccess.h>
+#include <memory>
+#include "base/basictypes.h"
+#include "sandbox/win/src/internal_types.h"
+#include "sandbox/win/src/sandbox_types.h"
+namespace {
+// Increases |value| until there is no need for padding given an int64
+// alignment. Returns the increased value.
+uint32 Align(uint32 value) {
+uint32 alignment = sizeof(int64);
+return ((value + alignment - 1) / alignment) * alignment;
+}
+}
+// This header is part of CrossCall: the sandbox inter-process communication.
+// This header defines the basic types used both in the client IPC and in the
+// server IPC code. CrossCallParams and ActualCallParams model the input
+// parameters of an IPC call and CrossCallReturn models the output params and
+// the return value.
+//
+// An IPC call is defined by its 'tag' which is a (uint32) unique identifier
+// that is used to route the IPC call to the proper server. Every tag implies
+// a complete call signature including the order and type of each parameter.
+//
+// Like most IPC systems. CrossCall is designed to take as inputs 'simple'
+// types such as integers and strings. Classes, generic arrays or pointers to
+// them are not supported.
+//
+// Another limitation of CrossCall is that the return value and output
+// parameters can only be uint32 integers. Returning complex structures or
+// strings is not supported.
+namespace sandbox {
+// max number of extended return parameters. See CrossCallReturn
+const size_t kExtendedReturnCount = 8;
+// Union of multiple types to be used as extended results
+// in the CrossCallReturn.
+union MultiType {
+uint32 unsigned_int;
+void* pointer;
+HANDLE handle;
+ULONG_PTR ulong_ptr;
+};
+// Maximum number of IPC parameters currently supported.
+// To increase this value, we have to:
+//  - Add another Callback typedef to Dispatcher.
+//  - Add another case to the switch on SharedMemIPCServer::InvokeCallback.
+//  - Add another case to the switch in GetActualAndMaxBufferSize
+const int kMaxIpcParams = 9;
+// Contains the information about a parameter in the ipc buffer.
+struct ParamInfo {
+ArgType type_;
+uint32 offset_;
+uint32 size_;
+};
+// Models the return value and the return parameters of an IPC call
+// currently limited to one status code and eight generic return values
+// which cannot be pointers to other data. For x64 ports this structure
+// might have to use other integer types.
+struct CrossCallReturn {
+// the IPC tag. It should match the original IPC tag.
+uint32 tag;
+// The result of the IPC operation itself.
+ResultCode call_outcome;
+// the result of the IPC call as executed in the server. The interpretation
+// of this value depends on the specific service.
+union {
+NTSTATUS nt_status;
+DWORD    win32_result;
+};
+// Number of extended return values.
+uint32 extended_count;
+// for calls that should return a windows handle. It is found here.
+HANDLE handle;
+// The array of extended values.
+MultiType extended[kExtendedReturnCount];
+};
+// CrossCallParams base class that models the input params all packed in a
+// single compact memory blob. The representation can vary but in general a
+// given child of this class is meant to represent all input parameters
+// necessary to make a IPC call.
+//
+// This class cannot have virtual members because its assumed the IPC
+// parameters start from the 'this' pointer to the end, which is defined by
+// one of the subclasses
+//
+// Objects of this class cannot be constructed directly. Only derived
+// classes have the proper knowledge to construct it.
+class CrossCallParams {
+public:
+// Returns the tag (ipc unique id) associated with this IPC.
+uint32 GetTag() const {
+return tag_;
+}
+// Returns the beggining of the buffer where the IPC params can be stored.
+// prior to an IPC call
+const void* GetBuffer() const {
+return this;
+}
+// Returns how many parameter this IPC call should have.
+const uint32 GetParamsCount() const {
+return params_count_;
+}
+// Returns a pointer to the CrossCallReturn structure.
+CrossCallReturn* GetCallReturn() {
+return &call_return;
+}
+// Returns TRUE if this call contains InOut parameters.
+const bool IsInOut() const {
+return (1 == is_in_out_);
+}
+// Tells the CrossCall object if it contains InOut parameters.
+void SetIsInOut(bool value) {
+if (value)
+is_in_out_ = 1;
+else
+is_in_out_ = 0;
+}
+protected:
+// constructs the IPC call params. Called only from the derived classes
+CrossCallParams(uint32 tag, uint32 params_count)
+: tag_(tag),
+params_count_(params_count),
+is_in_out_(0) {
+}
+private:
+uint32 tag_;
+uint32 is_in_out_;
+CrossCallReturn call_return;
+const uint32 params_count_;
+DISALLOW_COPY_AND_ASSIGN(CrossCallParams);
+};
+// ActualCallParams models an specific IPC call parameters with respect to the
+// storage allocation that the packed parameters should need.
+// NUMBER_PARAMS: the number of parameters, valid from 1 to N
+// BLOCK_SIZE: the total storage that the NUMBER_PARAMS parameters can take,
+// typically the block size is defined by the channel size of the underlying
+// ipc mechanism.
+// In practice this class is used to levergage C++ capacity to properly
+// calculate sizes and displacements given the possibility of the packed params
+// blob to be complex.
+//
+// As is, this class assumes that the layout of the blob is as follows. Assume
+// that NUMBER_PARAMS = 2 and a 32-bit build:
+//
+// [ tag                4 bytes]
+// [ IsOnOut            4 bytes]
+// [ call return       52 bytes]
+// [ params count       4 bytes]
+// [ parameter 0 type   4 bytes]
+// [ parameter 0 offset 4 bytes] ---delta to ---\
+// [ parameter 0 size   4 bytes]                |
+// [ parameter 1 type   4 bytes]                |
+// [ parameter 1 offset 4 bytes] ---------------|--\
+// [ parameter 1 size   4 bytes]                |  |
+// [ parameter 2 type   4 bytes]                |  |
+// [ parameter 2 offset 4 bytes] ----------------------\
+// [ parameter 2 size   4 bytes]                |  |   |
+// |---------------------------|                |  |   |
+// | value 0     (x bytes)     | <--------------/  |   |
+// | value 1     (y bytes)     | <-----------------/   |
+// |                           |                       |
+// | end of buffer             | <---------------------/
+// |---------------------------|
+//
+// Note that the actual number of params is NUMBER_PARAMS + 1
+// so that the size of each actual param can be computed from the difference
+// between one parameter and the next down. The offset of the last param
+// points to the end of the buffer and the type and size are undefined.
+//
+template <size_t NUMBER_PARAMS, size_t BLOCK_SIZE>
+class ActualCallParams : public CrossCallParams {
+public:
+// constructor. Pass the ipc unique tag as input
+explicit ActualCallParams(uint32 tag)
+: CrossCallParams(tag, NUMBER_PARAMS) {
+param_info_[0].offset_ = parameters_ - reinterpret_cast<char*>(this);
+}
+// Testing-only constructor. Allows setting the |number_params| to a
+// wrong value.
+ActualCallParams(uint32 tag, uint32 number_params)
+: CrossCallParams(tag, number_params) {
+param_info_[0].offset_ = parameters_ - reinterpret_cast<char*>(this);
+}
+// Testing-only method. Allows setting the apparent size to a wrong value.
+// returns the previous size.
+uint32 OverrideSize(uint32 new_size) {
+uint32 previous_size = param_info_[NUMBER_PARAMS].offset_;
+param_info_[NUMBER_PARAMS].offset_ = new_size;
+return previous_size;
+}
+// Copies each paramter into the internal buffer. For each you must supply:
+// index: 0 for the first param, 1 for the next an so on
+bool CopyParamIn(uint32 index, const void* parameter_address, uint32 size,
+bool is_in_out, ArgType type) {
+if (index >= NUMBER_PARAMS) {
+return false;
+}
+if (kuint32max == size) {
+// Memory error while getting the size.
+return false;
+}
+if (size && !parameter_address) {
+return false;
+}
+if (param_info_[index].offset_ > sizeof(*this)) {
+// It does not fit, abort copy.
+return false;
+}
+char* dest = reinterpret_cast<char*>(this) +  param_info_[index].offset_;
+// We might be touching user memory, this has to be done from inside a try
+// except.
+__try {
+memcpy(dest, parameter_address, size);
+}
+__except(EXCEPTION_EXECUTE_HANDLER) {
+return false;
+}
+// Set the flag to tell the broker to update the buffer once the call is
+// made.
+if (is_in_out)
+SetIsInOut(true);
+param_info_[index + 1].offset_ = Align(param_info_[index].offset_ +
+size);
+param_info_[index].size_ = size;
+param_info_[index].type_ = type;
+return true;
+}
+// Returns a pointer to a parameter in the memory section.
+void* GetParamPtr(size_t index) {
+return reinterpret_cast<char*>(this) + param_info_[index].offset_;
+}
+// Returns the total size of the buffer. Only valid once all the paramters
+// have been copied in with CopyParamIn.
+uint32 GetSize() const {
+return param_info_[NUMBER_PARAMS].offset_;
+}
+protected:
+ActualCallParams() : CrossCallParams(0, NUMBER_PARAMS) { }
+private:
+ParamInfo param_info_[NUMBER_PARAMS + 1];
+char parameters_[BLOCK_SIZE - sizeof(CrossCallParams)
+- sizeof(ParamInfo) * (NUMBER_PARAMS + 1)];
+DISALLOW_COPY_AND_ASSIGN(ActualCallParams);
+};
+COMPILE_ASSERT(sizeof(ActualCallParams<1, 1024>) == 1024, bad_size_buffer);
+COMPILE_ASSERT(sizeof(ActualCallParams<2, 1024>) == 1024, bad_size_buffer);
+COMPILE_ASSERT(sizeof(ActualCallParams<3, 1024>) == 1024, bad_size_buffer);
+}  // namespace sandbox
+#endif  // SANDBOX_SRC_CROSSCALL_PARAMS_H__

The Tor Browser / file comparison

comparison: security/sandbox/win/src/crosscall_params.h

security/sandbox/win/src/crosscall_params.h