// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef SANDBOX_SRC_CROSSCALL_PARAMS_H__ #define SANDBOX_SRC_CROSSCALL_PARAMS_H__ #include <windows.h> #include <lmaccess.h> #include <stddef.h> #include <stdint.h> #include <memory> #include "base/macros.h" #include "sandbox/win/src/internal_types.h" #include "sandbox/win/src/sandbox_types.h" // Increases |value| until there is no need for padding given an int64_t // alignment. Returns the increased value. inline uint32_t Align(uint32_t value) { uint32_t alignment = sizeof(int64_t); return ((value + alignment - 1) / alignment) * alignment; } // This header is part of CrossCall: the sandbox inter-process communication. // This header defines the basic types used both in the client IPC and in the // server IPC code. CrossCallParams and ActualCallParams model the input // parameters of an IPC call and CrossCallReturn models the output params and // the return value. // // An IPC call is defined by its 'tag' which is a (uint32_t) unique identifier // that is used to route the IPC call to the proper server. Every tag implies // a complete call signature including the order and type of each parameter. // // Like most IPC systems. CrossCall is designed to take as inputs 'simple' // types such as integers and strings. Classes, generic arrays or pointers to // them are not supported. // // Another limitation of CrossCall is that the return value and output // parameters can only be uint32_t integers. Returning complex structures or // strings is not supported. namespace sandbox { // max number of extended return parameters. See CrossCallReturn const size_t kExtendedReturnCount = 8; // Union of multiple types to be used as extended results // in the CrossCallReturn. union MultiType { uint32_t unsigned_int; void* pointer; HANDLE handle; ULONG_PTR ulong_ptr; }; // Maximum number of IPC parameters currently supported. // To increase this value, we have to: // - Add another Callback typedef to Dispatcher. // - Add another case to the switch on SharedMemIPCServer::InvokeCallback. // - Add another case to the switch in GetActualAndMaxBufferSize const int kMaxIpcParams = 9; // Contains the information about a parameter in the ipc buffer. struct ParamInfo { ArgType type_; uint32_t offset_; uint32_t size_; }; // Models the return value and the return parameters of an IPC call // currently limited to one status code and eight generic return values // which cannot be pointers to other data. For x64 ports this structure // might have to use other integer types. struct CrossCallReturn { // the IPC tag. It should match the original IPC tag. uint32_t tag; // The result of the IPC operation itself. ResultCode call_outcome; // the result of the IPC call as executed in the server. The interpretation // of this value depends on the specific service. union { NTSTATUS nt_status; DWORD win32_result; }; // Number of extended return values. uint32_t extended_count; // for calls that should return a windows handle. It is found here. HANDLE handle; // The array of extended values. MultiType extended[kExtendedReturnCount]; }; // CrossCallParams base class that models the input params all packed in a // single compact memory blob. The representation can vary but in general a // given child of this class is meant to represent all input parameters // necessary to make a IPC call. // // This class cannot have virtual members because its assumed the IPC // parameters start from the 'this' pointer to the end, which is defined by // one of the subclasses // // Objects of this class cannot be constructed directly. Only derived // classes have the proper knowledge to construct it. class CrossCallParams { public: // Returns the tag (ipc unique id) associated with this IPC. uint32_t GetTag() const { return tag_; } // Returns the beggining of the buffer where the IPC params can be stored. // prior to an IPC call const void* GetBuffer() const { return this; } // Returns how many parameter this IPC call should have. uint32_t GetParamsCount() const { return params_count_; } // Returns a pointer to the CrossCallReturn structure. CrossCallReturn* GetCallReturn() { return &call_return; } // Returns TRUE if this call contains InOut parameters. bool IsInOut() const { return (1 == is_in_out_); } // Tells the CrossCall object if it contains InOut parameters. void SetIsInOut(bool value) { if (value) is_in_out_ = 1; else is_in_out_ = 0; } protected: // constructs the IPC call params. Called only from the derived classes CrossCallParams(uint32_t tag, uint32_t params_count) : tag_(tag), is_in_out_(0), params_count_(params_count) {} private: uint32_t tag_; uint32_t is_in_out_; CrossCallReturn call_return; const uint32_t params_count_; DISALLOW_COPY_AND_ASSIGN(CrossCallParams); }; // ActualCallParams models an specific IPC call parameters with respect to the // storage allocation that the packed parameters should need. // NUMBER_PARAMS: the number of parameters, valid from 1 to N // BLOCK_SIZE: the total storage that the NUMBER_PARAMS parameters can take, // typically the block size is defined by the channel size of the underlying // ipc mechanism. // In practice this class is used to levergage C++ capacity to properly // calculate sizes and displacements given the possibility of the packed params // blob to be complex. // // As is, this class assumes that the layout of the blob is as follows. Assume // that NUMBER_PARAMS = 2 and a 32-bit build: // // [ tag 4 bytes] // [ IsOnOut 4 bytes] // [ call return 52 bytes] // [ params count 4 bytes] // [ parameter 0 type 4 bytes] // [ parameter 0 offset 4 bytes] ---delta to ---\ // [ parameter 0 size 4 bytes] | // [ parameter 1 type 4 bytes] | // [ parameter 1 offset 4 bytes] ---------------|--\ // [ parameter 1 size 4 bytes] | | // [ parameter 2 type 4 bytes] | | // [ parameter 2 offset 4 bytes] ----------------------\ // [ parameter 2 size 4 bytes] | | | // |---------------------------| | | | // | value 0 (x bytes) | <--------------/ | | // | value 1 (y bytes) | <-----------------/ | // | | | // | end of buffer | <---------------------/ // |---------------------------| // // Note that the actual number of params is NUMBER_PARAMS + 1 // so that the size of each actual param can be computed from the difference // between one parameter and the next down. The offset of the last param // points to the end of the buffer and the type and size are undefined. // template <size_t NUMBER_PARAMS, size_t BLOCK_SIZE> class ActualCallParams : public CrossCallParams { public: // constructor. Pass the ipc unique tag as input explicit ActualCallParams(uint32_t tag) : CrossCallParams(tag, NUMBER_PARAMS) { param_info_[0].offset_ = static_cast<uint32_t>(parameters_ - reinterpret_cast<char*>(this)); } // Testing-only constructor. Allows setting the |number_params| to a // wrong value. ActualCallParams(uint32_t tag, uint32_t number_params) : CrossCallParams(tag, number_params) { param_info_[0].offset_ = static_cast<uint32_t>(parameters_ - reinterpret_cast<char*>(this)); } // Testing-only method. Allows setting the apparent size to a wrong value. // returns the previous size. uint32_t OverrideSize(uint32_t new_size) { uint32_t previous_size = param_info_[NUMBER_PARAMS].offset_; param_info_[NUMBER_PARAMS].offset_ = new_size; return previous_size; } // Copies each paramter into the internal buffer. For each you must supply: // index: 0 for the first param, 1 for the next an so on bool CopyParamIn(uint32_t index, const void* parameter_address, uint32_t size, bool is_in_out, ArgType type) { if (index >= NUMBER_PARAMS) { return false; } if (UINT32_MAX == size) { // Memory error while getting the size. return false; } if (size && !parameter_address) { return false; } if ((size > sizeof(*this)) || (param_info_[index].offset_ > (sizeof(*this) - size))) { // It does not fit, abort copy. return false; } char* dest = reinterpret_cast<char*>(this) + param_info_[index].offset_; // We might be touching user memory, this has to be done from inside a try // except. __try { memcpy(dest, parameter_address, size); } __except(EXCEPTION_EXECUTE_HANDLER) { return false; } // Set the flag to tell the broker to update the buffer once the call is // made. if (is_in_out) SetIsInOut(true); param_info_[index + 1].offset_ = Align(param_info_[index].offset_ + size); param_info_[index].size_ = size; param_info_[index].type_ = type; return true; } // Returns a pointer to a parameter in the memory section. void* GetParamPtr(size_t index) { return reinterpret_cast<char*>(this) + param_info_[index].offset_; } // Returns the total size of the buffer. Only valid once all the paramters // have been copied in with CopyParamIn. uint32_t GetSize() const { return param_info_[NUMBER_PARAMS].offset_; } protected: ActualCallParams() : CrossCallParams(0, NUMBER_PARAMS) { } private: ParamInfo param_info_[NUMBER_PARAMS + 1]; char parameters_[BLOCK_SIZE - sizeof(CrossCallParams) - sizeof(ParamInfo) * (NUMBER_PARAMS + 1)]; DISALLOW_COPY_AND_ASSIGN(ActualCallParams); }; static_assert(sizeof(ActualCallParams<1, 1024>) == 1024, "bad size buffer"); static_assert(sizeof(ActualCallParams<2, 1024>) == 1024, "bad size buffer"); static_assert(sizeof(ActualCallParams<3, 1024>) == 1024, "bad size buffer"); } // namespace sandbox #endif // SANDBOX_SRC_CROSSCALL_PARAMS_H__