int32_t NaClSysFstat(struct NaClAppThread *natp,
int d,
uint32_t nasp) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
struct NaClDesc *ndp;
struct nacl_abi_stat result;
NaClLog(3,
("Entered NaClSysFstat(0x%08"NACL_PRIxPTR
", %d, 0x%08"NACL_PRIx32")\n"),
(uintptr_t) natp, d, nasp);
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
NaClLog(4, "bad desc\n");
retval = -NACL_ABI_EBADF;
goto cleanup;
}
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Fstat)(ndp, &result);
if (0 == retval) {
if (!NaClFileAccessEnabled()) {
result.nacl_abi_st_ino = NACL_FAKE_INODE_NUM;
}
if (!NaClCopyOutToUser(nap, nasp, &result, sizeof result)) {
retval = -NACL_ABI_EFAULT;
}
}
NaClDescUnref(ndp);
cleanup:
return retval;
}
int32_t NaClSysFtruncate(struct NaClAppThread *natp,
int d,
uint32_t lengthp) {
struct NaClApp *nap = natp->nap;
struct NaClDesc *ndp;
nacl_abi_off_t length;
int32_t retval = -NACL_ABI_EINVAL;
NaClLog(3,
("Entered NaClSysFtruncate(0x%08"NACL_PRIxPTR", %d,"
" 0x%"NACL_PRIx32")\n"),
(uintptr_t) natp, d, lengthp);
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
if (!NaClCopyInFromUser(nap, &length, lengthp, sizeof length)) {
retval = -NACL_ABI_EFAULT;
goto cleanup_unref;
}
NaClLog(4, "length 0x%08"NACL_PRIx64"\n", (uint64_t) length);
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Ftruncate)(ndp, length);
cleanup_unref:
NaClDescUnref(ndp);
cleanup:
return retval;
}
int32_t NaClSysDup2(struct NaClAppThread *natp,
int oldfd,
int newfd) {
struct NaClApp *nap = natp->nap;
int retval;
struct NaClDesc *old_nd;
NaClLog(3, "NaClSysDup(0x%08"NACL_PRIxPTR", %d, %d)\n",
(uintptr_t) natp, oldfd, newfd);
if (newfd < 0) {
retval = -NACL_ABI_EINVAL;
goto done;
}
/*
* TODO(bsy): is this a reasonable largest sane value? The
* descriptor array shouldn't get too large.
*/
if (newfd >= NACL_MAX_FD) {
retval = -NACL_ABI_EINVAL;
goto done;
}
old_nd = NaClAppGetDesc(nap, oldfd);
if (NULL == old_nd) {
retval = -NACL_ABI_EBADF;
goto done;
}
NaClAppSetDesc(nap, newfd, old_nd);
retval = newfd;
done:
return retval;
}
int32_t NaClSysImcConnect(struct NaClAppThread *natp,
int d) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
struct NaClDesc *ndp;
NaClLog(3, "Entered NaClSysImcConnectAddr(0x%08"NACL_PRIxPTR", %d)\n",
(uintptr_t) natp, d);
/* This syscall is not used in Chromium so is disabled by default. */
if (!NaClAclBypassChecks) {
return -NACL_ABI_EACCES;
}
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
} else {
struct NaClDesc *result;
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
ConnectAddr)(ndp, &result);
if (retval == 0) {
retval = NaClAppSetDescAvail(nap, result);
}
NaClDescUnref(ndp);
}
return retval;
}
int32_t NaClSysDup(struct NaClAppThread *natp,
int oldfd) {
struct NaClApp *nap = natp->nap;
int retval;
struct NaClDesc *old_nd;
NaClLog(3, "NaClSysDup(0x%08"NACL_PRIxPTR", %d)\n",
(uintptr_t) natp, oldfd);
old_nd = NaClAppGetDesc(nap, oldfd);
if (NULL == old_nd) {
retval = -NACL_ABI_EBADF;
goto done;
}
retval = NaClAppSetDescAvail(nap, old_nd);
done:
return retval;
}
/*
* This implements 64-bit offsets, so we use |offp| as an in/out
* address so we can have a 64 bit return value.
*/
int32_t NaClSysLseek(struct NaClAppThread *natp,
int d,
uint32_t offp,
int whence) {
struct NaClApp *nap = natp->nap;
nacl_abi_off_t offset;
nacl_off64_t retval64;
int32_t retval = -NACL_ABI_EINVAL;
struct NaClDesc *ndp;
NaClLog(3,
("Entered NaClSysLseek(0x%08"NACL_PRIxPTR", %d,"
" 0x%08"NACL_PRIx32", %d)\n"),
(uintptr_t) natp, d, offp, whence);
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
if (!NaClCopyInFromUser(nap, &offset, offp, sizeof offset)) {
retval = -NACL_ABI_EFAULT;
goto cleanup_unref;
}
NaClLog(4, "offset 0x%08"NACL_PRIx64"\n", (uint64_t) offset);
retval64 = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Seek)(ndp, (nacl_off64_t) offset, whence);
if (NaClOff64IsNegErrno(&retval64)) {
retval = (int32_t) retval64;
} else {
if (NaClCopyOutToUser(nap, offp, &retval64, sizeof retval64)) {
retval = 0;
} else {
NaClLog(LOG_FATAL,
"NaClSysLseek: in/out ptr became invalid at copyout?\n");
}
}
cleanup_unref:
NaClDescUnref(ndp);
cleanup:
return retval;
}
int32_t NaClSysIsatty(struct NaClAppThread *natp,
int d) {
struct NaClApp *nap = natp->nap;
int retval = -NACL_ABI_EBADF;
struct NaClDesc *ndp;
NaClLog(3, "Entered NaClSysIsatty(0x%08"NACL_PRIxPTR", %d)\n",
(uintptr_t) natp, d);
if (!NaClAclBypassChecks) {
return -NACL_ABI_EACCES;
}
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
NaClLog(4, "bad desc\n");
return -NACL_ABI_EBADF;
}
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->Isatty)(ndp);
NaClDescUnref(ndp);
return retval;
}
int32_t NaClSysFdatasync(struct NaClAppThread *natp,
int d) {
struct NaClApp *nap = natp->nap;
struct NaClDesc *ndp;
int32_t retval = -NACL_ABI_EINVAL;
NaClLog(3,
("Entered NaClSysFdatasync(0x%08"NACL_PRIxPTR", %d)\n"),
(uintptr_t) natp, d);
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Fdatasync)(ndp);
NaClDescUnref(ndp);
cleanup:
return retval;
}
int32_t NaClSysImcAccept(struct NaClAppThread *natp,
int d) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
struct NaClDesc *ndp;
NaClLog(3, "Entered NaClSysImcAccept(0x%08"NACL_PRIxPTR", %d)\n",
(uintptr_t) natp, d);
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
} else {
struct NaClDesc *result_desc;
retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
AcceptConn)(ndp, &result_desc);
if (retval == 0) {
retval = NaClAppSetDescAvail(nap, result_desc);
}
NaClDescUnref(ndp);
}
return retval;
}
int32_t NaClSysWrite(struct NaClAppThread *natp,
int d,
uint32_t buf,
uint32_t count) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
ssize_t write_result = -NACL_ABI_EINVAL;
uintptr_t sysaddr;
char const *ellipsis = "";
struct NaClDesc *ndp;
size_t log_bytes;
NaClLog(3,
"Entered NaClSysWrite(0x%08"NACL_PRIxPTR", "
"%d, 0x%08"NACL_PRIx32", "
"%"NACL_PRIu32"[0x%"NACL_PRIx32"])\n",
(uintptr_t) natp, d, buf, count, count);
ndp = NaClAppGetDesc(nap, d);
NaClLog(4, " ndp = %"NACL_PRIxPTR"\n", (uintptr_t) ndp);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
sysaddr = NaClUserToSysAddrRange(nap, buf, count);
if (kNaClBadAddress == sysaddr) {
NaClDescUnref(ndp);
retval = -NACL_ABI_EFAULT;
goto cleanup;
}
log_bytes = count;
if (log_bytes > INT32_MAX) {
log_bytes = INT32_MAX;
ellipsis = "...";
}
if (NaClLogGetVerbosity() < 10) {
if (log_bytes > kdefault_io_buffer_bytes_to_log) {
log_bytes = kdefault_io_buffer_bytes_to_log;
ellipsis = "...";
}
}
NaClLog(8, "In NaClSysWrite(%d, %.*s%s, %"NACL_PRIu32")\n",
d, (int) log_bytes, (char *) sysaddr, ellipsis, count);
/*
* The maximum length for read and write is INT32_MAX--anything larger and
* the return value would overflow. Passing larger values isn't an error--
* we'll just clamp the request size if it's too large.
*/
if (count > INT32_MAX) {
count = INT32_MAX;
}
NaClVmIoWillStart(nap, buf, buf + count - 1);
write_result = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Write)(ndp, (void *) sysaddr, count);
NaClVmIoHasEnded(nap, buf, buf + count - 1);
NaClDescUnref(ndp);
/* This cast is safe because we clamped count above.*/
retval = (int32_t) write_result;
cleanup:
return retval;
}
int32_t NaClSysGetdents(struct NaClAppThread *natp,
int d,
uint32_t dirp,
size_t count) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
ssize_t getdents_ret;
uintptr_t sysaddr;
struct NaClDesc *ndp;
NaClLog(3,
("Entered NaClSysGetdents(0x%08"NACL_PRIxPTR", "
"%d, 0x%08"NACL_PRIx32", "
"%"NACL_PRIuS"[0x%"NACL_PRIxS"])\n"),
(uintptr_t) natp, d, dirp, count, count);
if (!NaClFileAccessEnabled()) {
/*
* Filesystem access is disabled, so disable the getdents() syscall.
* We do this for security hardening, though it should be redundant,
* because untrusted code should not be able to open any directory
* descriptors (i.e. descriptors with a non-trivial Getdents()
* implementation).
*/
return -NACL_ABI_EACCES;
}
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
/*
* Generic NaClCopyOutToUser is not sufficient, since buffer size
* |count| is arbitrary and we wouldn't want to have to allocate
* memory in trusted address space to match.
*/
sysaddr = NaClUserToSysAddrRange(nap, dirp, count);
if (kNaClBadAddress == sysaddr) {
NaClLog(4, " illegal address for directory data\n");
retval = -NACL_ABI_EFAULT;
goto cleanup_unref;
}
/*
* Clamp count to INT32_MAX to avoid the possibility of Getdents returning
* a value that is outside the range of an int32.
*/
if (count > INT32_MAX) {
count = INT32_MAX;
}
/*
* Grab addr space lock; getdents should not normally block, though
* if the directory is on a networked filesystem this could, and
* cause mmap to be slower on Windows.
*/
NaClXMutexLock(&nap->mu);
getdents_ret = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Getdents)(ndp,
(void *) sysaddr,
count);
NaClXMutexUnlock(&nap->mu);
/* drop addr space lock */
if ((getdents_ret < INT32_MIN && !NaClSSizeIsNegErrno(&getdents_ret))
|| INT32_MAX < getdents_ret) {
/* This should never happen, because we already clamped the input count */
NaClLog(LOG_FATAL, "Overflow in Getdents: return value is %"NACL_PRIxS,
(size_t) getdents_ret);
} else {
retval = (int32_t) getdents_ret;
}
if (retval > 0) {
NaClLog(4, "getdents returned %d bytes\n", retval);
NaClLog(8, "getdents result: %.*s\n", retval, (char *) sysaddr);
} else {
NaClLog(4, "getdents returned %d\n", retval);
}
cleanup_unref:
NaClDescUnref(ndp);
cleanup:
return retval;
}
int32_t NaClSysImcRecvmsg(struct NaClAppThread *natp,
int d,
uint32_t nanimhp,
int flags) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
ssize_t ssize_retval;
uintptr_t sysaddr;
size_t i;
struct NaClDesc *ndp;
struct NaClAbiNaClImcMsgHdr kern_nanimh;
struct NaClAbiNaClImcMsgIoVec kern_naiov[NACL_ABI_IMC_IOVEC_MAX];
struct NaClImcMsgIoVec kern_iov[NACL_ABI_IMC_IOVEC_MAX];
int32_t usr_desc[NACL_ABI_IMC_USER_DESC_MAX];
struct NaClImcTypedMsgHdr recv_hdr;
struct NaClDesc *new_desc[NACL_ABI_IMC_DESC_MAX];
nacl_abi_size_t num_user_desc;
struct NaClDesc *invalid_desc = NULL;
NaClLog(3,
("Entered NaClSysImcRecvMsg(0x%08"NACL_PRIxPTR", %d,"
" 0x%08"NACL_PRIx32")\n"),
(uintptr_t) natp, d, nanimhp);
/*
* First, we validate user-supplied message headers before
* allocating a receive buffer.
*/
if (!NaClCopyInFromUser(nap, &kern_nanimh, nanimhp, sizeof kern_nanimh)) {
NaClLog(4, "NaClImcMsgHdr not in user address space\n");
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
/* copy before validating */
if (kern_nanimh.iov_length > NACL_ABI_IMC_IOVEC_MAX) {
NaClLog(4, "gather/scatter array too large: %"NACL_PRIdNACL_SIZE"\n",
kern_nanimh.iov_length);
retval = -NACL_ABI_EINVAL;
goto cleanup_leave;
}
if (kern_nanimh.desc_length > NACL_ABI_IMC_USER_DESC_MAX) {
NaClLog(4, "handle vector too long: %"NACL_PRIdNACL_SIZE"\n",
kern_nanimh.desc_length);
retval = -NACL_ABI_EINVAL;
goto cleanup_leave;
}
if (kern_nanimh.iov_length > 0) {
/*
* Copy IOV array into kernel space. Validate this snapshot and do
* user->kernel address conversions on this snapshot.
*/
if (!NaClCopyInFromUser(nap, kern_naiov, (uintptr_t) kern_nanimh.iov,
(kern_nanimh.iov_length * sizeof kern_naiov[0]))) {
NaClLog(4, "gather/scatter array not in user address space\n");
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
/*
* Convert every IOV base from user to system address, validate
* range of bytes are really in user address space.
*/
for (i = 0; i < kern_nanimh.iov_length; ++i) {
sysaddr = NaClUserToSysAddrRange(nap,
(uintptr_t) kern_naiov[i].base,
kern_naiov[i].length);
if (kNaClBadAddress == sysaddr) {
NaClLog(4, "iov number %"NACL_PRIuS" not entirely in user space\n", i);
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
kern_iov[i].base = (void *) sysaddr;
kern_iov[i].length = kern_naiov[i].length;
}
}
if (kern_nanimh.desc_length > 0) {
sysaddr = NaClUserToSysAddrRange(nap,
(uintptr_t) kern_nanimh.descv,
kern_nanimh.desc_length * sizeof(int32_t));
if (kNaClBadAddress == sysaddr) {
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
}
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
NaClLog(4, "receiving descriptor invalid\n");
retval = -NACL_ABI_EBADF;
goto cleanup_leave;
}
recv_hdr.iov = kern_iov;
recv_hdr.iov_length = kern_nanimh.iov_length;
recv_hdr.ndescv = new_desc;
recv_hdr.ndesc_length = NACL_ARRAY_SIZE(new_desc);
memset(new_desc, 0, sizeof new_desc);
recv_hdr.flags = 0; /* just to make it obvious; IMC will clear it for us */
/* lock user memory ranges in kern_naiov */
for (i = 0; i < kern_nanimh.iov_length; ++i) {
NaClVmIoWillStart(nap,
kern_naiov[i].base,
kern_naiov[i].base + kern_naiov[i].length - 1);
}
ssize_retval = NACL_VTBL(NaClDesc, ndp)->RecvMsg(ndp, &recv_hdr, flags);
/* unlock user memory ranges in kern_naiov */
for (i = 0; i < kern_nanimh.iov_length; ++i) {
NaClVmIoHasEnded(nap,
kern_naiov[i].base,
kern_naiov[i].base + kern_naiov[i].length - 1);
}
/*
* retval is number of user payload bytes received and excludes the
* header bytes.
*/
NaClLog(3, "NaClSysImcRecvMsg: RecvMsg() returned %"NACL_PRIdS"\n",
ssize_retval);
if (NaClSSizeIsNegErrno(&ssize_retval)) {
/* negative error numbers all have valid 32-bit representations,
* so this cast is safe. */
retval = (int32_t) ssize_retval;
goto cleanup;
} else if (ssize_retval > INT32_MAX || ssize_retval < INT32_MIN) {
retval = -NACL_ABI_EOVERFLOW;
goto cleanup;
} else {
/* cast is safe due to range check above */
retval = (int32_t) ssize_retval;
}
/*
* NB: recv_hdr.flags may contain NACL_ABI_MESSAGE_TRUNCATED and/or
* NACL_ABI_HANDLES_TRUNCATED.
*/
kern_nanimh.flags = recv_hdr.flags;
/*
* Now internalize the NaClHandles as NaClDesc objects.
*/
num_user_desc = recv_hdr.ndesc_length;
if (kern_nanimh.desc_length < num_user_desc) {
kern_nanimh.flags |= NACL_ABI_RECVMSG_DESC_TRUNCATED;
for (i = kern_nanimh.desc_length; i < num_user_desc; ++i) {
NaClDescUnref(new_desc[i]);
new_desc[i] = NULL;
}
num_user_desc = kern_nanimh.desc_length;
}
invalid_desc = (struct NaClDesc *) NaClDescInvalidMake();
/* prepare to write out to user space the descriptor numbers */
for (i = 0; i < num_user_desc; ++i) {
if (invalid_desc == new_desc[i]) {
usr_desc[i] = kKnownInvalidDescNumber;
NaClDescUnref(new_desc[i]);
} else {
usr_desc[i] = NaClAppSetDescAvail(nap, new_desc[i]);
}
new_desc[i] = NULL;
}
if (0 != num_user_desc &&
!NaClCopyOutToUser(nap, (uintptr_t) kern_nanimh.descv, usr_desc,
num_user_desc * sizeof usr_desc[0])) {
NaClLog(LOG_FATAL,
("NaClSysImcRecvMsg: in/out ptr (descv %"NACL_PRIxPTR
") became invalid at copyout?\n"),
(uintptr_t) kern_nanimh.descv);
}
kern_nanimh.desc_length = num_user_desc;
if (!NaClCopyOutToUser(nap, nanimhp, &kern_nanimh, sizeof kern_nanimh)) {
NaClLog(LOG_FATAL,
"NaClSysImcRecvMsg: in/out ptr (iov) became"
" invalid at copyout?\n");
}
/* copy out updated desc count, flags */
cleanup:
if (retval < 0) {
for (i = 0; i < NACL_ARRAY_SIZE(new_desc); ++i) {
if (NULL != new_desc[i]) {
NaClDescUnref(new_desc[i]);
new_desc[i] = NULL;
}
}
}
NaClDescUnref(ndp);
NaClDescSafeUnref(invalid_desc);
NaClLog(3, "NaClSysImcRecvMsg: returning %d\n", retval);
cleanup_leave:
return retval;
}
/*
* This function converts addresses from user addresses to system
* addresses, copying into kernel space as needed to avoid TOCvTOU
* races, then invokes the descriptor's SendMsg() method.
*/
int32_t NaClSysImcSendmsg(struct NaClAppThread *natp,
int d,
uint32_t nanimhp,
int flags) {
struct NaClApp *nap = natp->nap;
int32_t retval = -NACL_ABI_EINVAL;
ssize_t ssize_retval;
uintptr_t sysaddr;
/* copy of user-space data for validation */
struct NaClAbiNaClImcMsgHdr kern_nanimh;
struct NaClAbiNaClImcMsgIoVec kern_naiov[NACL_ABI_IMC_IOVEC_MAX];
struct NaClImcMsgIoVec kern_iov[NACL_ABI_IMC_IOVEC_MAX];
int32_t usr_desc[NACL_ABI_IMC_USER_DESC_MAX];
/* kernel-side representatin of descriptors */
struct NaClDesc *kern_desc[NACL_ABI_IMC_USER_DESC_MAX];
struct NaClImcTypedMsgHdr kern_msg_hdr;
struct NaClDesc *ndp;
size_t i;
NaClLog(3,
("Entered NaClSysImcSendmsg(0x%08"NACL_PRIxPTR", %d,"
" 0x%08"NACL_PRIx32", 0x%x)\n"),
(uintptr_t) natp, d, nanimhp, flags);
if (!NaClCopyInFromUser(nap, &kern_nanimh, nanimhp, sizeof kern_nanimh)) {
NaClLog(4, "NaClImcMsgHdr not in user address space\n");
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
/* copy before validating contents */
/*
* Some of these checks duplicate checks that will be done in the
* nrd xfer library, but it is better to check before doing the
* address translation of memory/descriptor vectors if those vectors
* might be too long. Plus, we need to copy and validate vectors
* for TOCvTOU race protection, and we must prevent overflows. The
* nrd xfer library's checks should never fire when called from the
* service runtime, but the nrd xfer library might be called from
* other code.
*/
if (kern_nanimh.iov_length > NACL_ABI_IMC_IOVEC_MAX) {
NaClLog(4, "gather/scatter array too large\n");
retval = -NACL_ABI_EINVAL;
goto cleanup_leave;
}
if (kern_nanimh.desc_length > NACL_ABI_IMC_USER_DESC_MAX) {
NaClLog(4, "handle vector too long\n");
retval = -NACL_ABI_EINVAL;
goto cleanup_leave;
}
if (kern_nanimh.iov_length > 0) {
if (!NaClCopyInFromUser(nap, kern_naiov, (uintptr_t) kern_nanimh.iov,
(kern_nanimh.iov_length * sizeof kern_naiov[0]))) {
NaClLog(4, "gather/scatter array not in user address space\n");
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
for (i = 0; i < kern_nanimh.iov_length; ++i) {
sysaddr = NaClUserToSysAddrRange(nap,
(uintptr_t) kern_naiov[i].base,
kern_naiov[i].length);
if (kNaClBadAddress == sysaddr) {
retval = -NACL_ABI_EFAULT;
goto cleanup_leave;
}
kern_iov[i].base = (void *) sysaddr;
kern_iov[i].length = kern_naiov[i].length;
}
}
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
retval = -NACL_ABI_EBADF;
goto cleanup_leave;
}
/*
* make things easier for cleaup exit processing
*/
memset(kern_desc, 0, sizeof kern_desc);
retval = -NACL_ABI_EINVAL;
kern_msg_hdr.iov = kern_iov;
kern_msg_hdr.iov_length = kern_nanimh.iov_length;
if (0 == kern_nanimh.desc_length) {
kern_msg_hdr.ndescv = 0;
kern_msg_hdr.ndesc_length = 0;
} else {
if (!NaClCopyInFromUser(nap, usr_desc, kern_nanimh.descv,
kern_nanimh.desc_length * sizeof usr_desc[0])) {
retval = -NACL_ABI_EFAULT;
goto cleanup;
}
for (i = 0; i < kern_nanimh.desc_length; ++i) {
if (kKnownInvalidDescNumber == usr_desc[i]) {
kern_desc[i] = (struct NaClDesc *) NaClDescInvalidMake();
} else {
/* NaCl modules are ILP32, so this works on ILP32 and LP64 systems */
kern_desc[i] = NaClAppGetDesc(nap, usr_desc[i]);
}
if (NULL == kern_desc[i]) {
retval = -NACL_ABI_EBADF;
goto cleanup;
}
}
kern_msg_hdr.ndescv = kern_desc;
kern_msg_hdr.ndesc_length = kern_nanimh.desc_length;
}
kern_msg_hdr.flags = kern_nanimh.flags;
/* lock user memory ranges in kern_naiov */
for (i = 0; i < kern_nanimh.iov_length; ++i) {
NaClVmIoWillStart(nap,
kern_naiov[i].base,
kern_naiov[i].base + kern_naiov[i].length - 1);
}
ssize_retval = NACL_VTBL(NaClDesc, ndp)->SendMsg(ndp, &kern_msg_hdr, flags);
/* unlock user memory ranges in kern_naiov */
for (i = 0; i < kern_nanimh.iov_length; ++i) {
NaClVmIoHasEnded(nap,
kern_naiov[i].base,
kern_naiov[i].base + kern_naiov[i].length - 1);
}
if (NaClSSizeIsNegErrno(&ssize_retval)) {
/*
* NaClWouldBlock uses TSD (for both the errno-based and
* GetLastError()-based implementations), so this is threadsafe.
*/
if (0 != (flags & NACL_DONT_WAIT) && NaClWouldBlock()) {
retval = -NACL_ABI_EAGAIN;
} else if (-NACL_ABI_EMSGSIZE == ssize_retval) {
/*
* Allow the caller to handle the case when imc_sendmsg fails because
* the message is too large for the system to send in one piece.
*/
retval = -NACL_ABI_EMSGSIZE;
} else {
/*
* TODO(bsy): the else case is some mysterious internal error.
* Should we destroy the ndp or otherwise mark it as bad? Was
* the failure atomic? Did it send some partial data? Linux
* implementation appears okay.
*/
retval = -NACL_ABI_EIO;
}
} else if (ssize_retval > INT32_MAX || ssize_retval < INT32_MIN) {
retval = -NACL_ABI_EOVERFLOW;
} else {
/* cast is safe due to range checks above */
retval = (int32_t)ssize_retval;
}
cleanup:
for (i = 0; i < kern_nanimh.desc_length; ++i) {
if (NULL != kern_desc[i]) {
NaClDescUnref(kern_desc[i]);
kern_desc[i] = NULL;
}
}
NaClDescUnref(ndp);
cleanup_leave:
NaClLog(3, "NaClSysImcSendmsg: returning %d\n", retval);
return retval;
}
/* Warning: sizeof(nacl_abi_off_t)!=sizeof(off_t) on OSX */
int32_t NaClSysMmapIntern(struct NaClApp *nap,
void *start,
size_t length,
int prot,
int flags,
int d,
nacl_abi_off_t offset) {
int allowed_flags;
struct NaClDesc *ndp;
uintptr_t usraddr;
uintptr_t usrpage;
uintptr_t sysaddr;
uintptr_t endaddr;
int mapping_code;
uintptr_t map_result;
int holding_app_lock;
struct nacl_abi_stat stbuf;
size_t alloc_rounded_length;
nacl_off64_t file_size;
nacl_off64_t file_bytes;
nacl_off64_t host_rounded_file_bytes;
size_t alloc_rounded_file_bytes;
uint32_t val_flags;
holding_app_lock = 0;
ndp = NULL;
allowed_flags = (NACL_ABI_MAP_FIXED | NACL_ABI_MAP_SHARED
| NACL_ABI_MAP_PRIVATE | NACL_ABI_MAP_ANONYMOUS);
usraddr = (uintptr_t) start;
if (0 != (flags & ~allowed_flags)) {
NaClLog(2, "invalid mmap flags 0%o, ignoring extraneous bits\n", flags);
flags &= allowed_flags;
}
if (0 != (flags & NACL_ABI_MAP_ANONYMOUS)) {
/*
* anonymous mmap, so backing store is just swap: no descriptor is
* involved, and no memory object will be created to represent the
* descriptor.
*/
ndp = NULL;
} else {
ndp = NaClAppGetDesc(nap, d);
if (NULL == ndp) {
map_result = -NACL_ABI_EBADF;
goto cleanup;
}
}
mapping_code = 0;
/*
* Check if application is trying to do dynamic code loading by
* mmaping a file.
*/
if (0 != (NACL_ABI_PROT_EXEC & prot) &&
0 != (NACL_ABI_MAP_FIXED & flags) &&
NULL != ndp &&
NaClSysCommonAddrRangeInAllowedDynamicCodeSpace(nap, usraddr, length)) {
if (!nap->enable_dyncode_syscalls) {
NaClLog(LOG_WARNING,
"NaClSysMmap: PROT_EXEC when dyncode syscalls are disabled.\n");
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
if (0 != (NACL_ABI_PROT_WRITE & prot)) {
NaClLog(3,
"NaClSysMmap: asked for writable and executable code pages?!?\n");
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
mapping_code = 1;
} else if (0 != (prot & NACL_ABI_PROT_EXEC)) {
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
/*
* Starting address must be aligned to worst-case allocation
* granularity. (Windows.)
*/
if (!NaClIsAllocPageMultiple(usraddr)) {
if ((NACL_ABI_MAP_FIXED & flags) != 0) {
NaClLog(2, "NaClSysMmap: address not allocation granularity aligned\n");
map_result = -NACL_ABI_EINVAL;
goto cleanup;
} else {
NaClLog(2, "NaClSysMmap: Force alignment of misaligned hint address\n");
usraddr = NaClTruncAllocPage(usraddr);
}
}
/*
* Offset should be non-negative (nacl_abi_off_t is signed). This
* condition is caught when the file is stat'd and checked, and
* offset is ignored for anonymous mappings.
*/
if (offset < 0) {
NaClLog(1, /* application bug */
"NaClSysMmap: negative file offset: %"NACL_PRId64"\n",
(int64_t) offset);
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
/*
* And offset must be a multiple of the allocation unit.
*/
if (!NaClIsAllocPageMultiple((uintptr_t) offset)) {
NaClLog(1,
("NaClSysMmap: file offset 0x%08"NACL_PRIxPTR" not multiple"
" of allocation size\n"),
(uintptr_t) offset);
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
/*
* Round up to a page size multiple.
*
* Note that if length > 0xffff0000 (i.e. -NACL_MAP_PAGESIZE), rounding
* up the length will wrap around to 0. We check for length == 0 *after*
* rounding up the length to simultaneously check for the length
* originally being 0 and check for the wraparound.
*/
alloc_rounded_length = NaClRoundAllocPage(length);
if (alloc_rounded_length != length) {
if (mapping_code) {
NaClLog(3, "NaClSysMmap: length not a multiple of allocation size\n");
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
NaClLog(1,
"NaClSysMmap: rounded length to 0x%"NACL_PRIxS"\n",
alloc_rounded_length);
}
if (0 == (uint32_t) alloc_rounded_length) {
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
/*
* Sanity check in case any later code behaves badly if
* |alloc_rounded_length| is >=4GB. This check shouldn't fail
* because |length| was <4GB and we've already checked for overflow
* when rounding it up.
* TODO(mseaborn): Remove the need for this by using uint32_t for
* untrusted sizes more consistently.
*/
CHECK(alloc_rounded_length == (uint32_t) alloc_rounded_length);
if (NULL == ndp) {
/*
* Note: sentinel values are bigger than the NaCl module addr space.
*/
file_size = kMaxUsableFileSize;
file_bytes = kMaxUsableFileSize;
host_rounded_file_bytes = kMaxUsableFileSize;
alloc_rounded_file_bytes = kMaxUsableFileSize;
} else {
/*
* We stat the file to figure out its actual size.
*
* This is necessary because the POSIXy interface we provide
* allows mapping beyond the extent of a file but Windows'
* interface does not. We simulate the POSIX behaviour on
* Windows.
*/
map_result = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
Fstat)(ndp, &stbuf);
if (0 != map_result) {
goto cleanup;
}
/*
* Preemptively refuse to map anything that's not a regular file or
* shared memory segment. Other types usually report st_size of zero,
* which the code below will handle by just doing a dummy PROT_NONE
* mapping for the requested size and never attempting the underlying
* NaClDesc Map operation. So without this check, the host OS never
* gets the chance to refuse the mapping operation on an object that
* can't do it.
*/
if (!NACL_ABI_S_ISREG(stbuf.nacl_abi_st_mode) &&
!NACL_ABI_S_ISSHM(stbuf.nacl_abi_st_mode)) {
map_result = -NACL_ABI_ENODEV;
goto cleanup;
}
/*
* BUG(bsy): there's a race between this fstat and the actual mmap
* below. It's probably insoluble. Even if we fstat again after
* mmap and compared, the mmap could have "seen" the file with a
* different size, after which the racing thread restored back to
* the same value before the 2nd fstat takes place.
*/
file_size = stbuf.nacl_abi_st_size;
if (file_size < offset) {
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
file_bytes = file_size - offset;
if ((nacl_off64_t) kMaxUsableFileSize < file_bytes) {
host_rounded_file_bytes = kMaxUsableFileSize;
} else {
host_rounded_file_bytes = NaClRoundHostAllocPage((size_t) file_bytes);
}
ASSERT(host_rounded_file_bytes <= (nacl_off64_t) kMaxUsableFileSize);
/*
* We need to deal with NaClRoundHostAllocPage rounding up to zero
* from ~0u - n, where n < 4096 or 65536 (== 1 alloc page).
*
* Luckily, file_bytes is at most kMaxUsableFileSize which is
* smaller than SIZE_T_MAX, so it should never happen, but we
* leave the explicit check below as defensive programming.
*/
alloc_rounded_file_bytes =
NaClRoundAllocPage((size_t) host_rounded_file_bytes);
if (0 == alloc_rounded_file_bytes && 0 != host_rounded_file_bytes) {
map_result = -NACL_ABI_ENOMEM;
goto cleanup;
}
/*
* NB: host_rounded_file_bytes and alloc_rounded_file_bytes can be
* zero. Such an mmap just makes memory (offset relative to
* usraddr) in the range [0, alloc_rounded_length) inaccessible.
*/
}
/*
* host_rounded_file_bytes is how many bytes we can map from the
* file, given the user-supplied starting offset. It is at least
* one page. If it came from a real file, it is a multiple of
* host-OS allocation size. it cannot be larger than
* kMaxUsableFileSize.
*/
if (mapping_code && (size_t) file_bytes < alloc_rounded_length) {
NaClLog(3,
"NaClSysMmap: disallowing partial allocation page extension for"
" short files\n");
map_result = -NACL_ABI_EINVAL;
goto cleanup;
}
length = size_min(alloc_rounded_length, (size_t) host_rounded_file_bytes);
/*
* Lock the addr space.
*/
NaClXMutexLock(&nap->mu);
NaClVmHoleOpeningMu(nap);
holding_app_lock = 1;
if (0 == (flags & NACL_ABI_MAP_FIXED)) {
/*
* The user wants us to pick an address range.
*/
if (0 == usraddr) {
/*
* Pick a hole in addr space of appropriate size, anywhere.
* We pick one that's best for the system.
*/
usrpage = NaClVmmapFindMapSpace(&nap->mem_map,
alloc_rounded_length >> NACL_PAGESHIFT);
NaClLog(4, "NaClSysMmap: FindMapSpace: page 0x%05"NACL_PRIxPTR"\n",
usrpage);
if (0 == usrpage) {
map_result = -NACL_ABI_ENOMEM;
goto cleanup;
}
usraddr = usrpage << NACL_PAGESHIFT;
NaClLog(4, "NaClSysMmap: new starting addr: 0x%08"NACL_PRIxPTR
"\n", usraddr);
} else {
