Enable the service runtime to use a zero-based sandbox on Linux.

src/trusted/service_runtime/arch/arm/sel_addrspace_arm.c

 /*
  * Copyright 2009 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can
  * be found in the LICENSE file.
  */
 
 #include "native_client/src/include/nacl_platform.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/trusted/service_runtime/nacl_error_code.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
 #include "native_client/src/trusted/service_runtime/sel_memory.h"
 
 
-#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
-
 /*
  * On ARM, we cheat slightly: we add two pages to the requested allocation!
  * This accomodates the guard region we require at the top end of untrusted
  * memory.
  */
+#define POST_ADDR_SPACE_GUARD_SIZE  (2 * NACL_PAGESIZE)
+
+/* NOTE: This routine is almost identical to the x86_32 version.
+ */
 NaClErrorCode NaClAllocateSpace(void **mem, size_t addrsp_size) {
-  CHECK(mem);
+#if NACL_LINUX
+  const void *ONE_MEGABYTE = (void *)(1024*1024);
+#endif
+  int result;
+
+  CHECK(NULL != mem);
 
   addrsp_size += POST_ADDR_SPACE_GUARD_SIZE;
+#if NACL_LINUX
+  /*
+   * When creating a zero-based sandbox, we do not allocate the first 64K of
+   * pages beneath the trampolines, because -- on Linux at least -- we cannot.
+   * Instead, we allocate starting at the trampolines, and then coerce the
+   * "mem" out parameter.
+   */
   addrsp_size -= NACL_TRAMPOLINE_START;
-
   *mem = (void *) NACL_TRAMPOLINE_START;
-  if (NaCl_page_alloc_at_addr(mem, addrsp_size) != 0) {
+  /*
+   * On 32 bit Linux, a 1 gigabyte block of address space may be reserved at
+   * the zero-end of the address space during process creation, to address
+   * sandbox layout requirements on ARM and performance issues on Intel ATOM.
+   * Look for this pre-reserved block and if found, pass its address to the
+   * page allocation function.
+   */
+  if (NaCl_find_prereserved_sandbox_memory(mem, addrsp_size)) {
+    /* Sanity check zero sandbox base address. */
+    /* It should be within a few pages above the 64KB boundary. See   */

[Mark Seaborn, 2011/08/23 18:26:36]

Nit: Comment style

[Brad Chen, 2011/08/23 21:15:09]

Done.

+    /* chrome/nacl/nacl_helper_bootstrap.c in the Chromium repository */
+    /* for more details. */
+    if (0 == *mem || ONE_MEGABYTE < *mem) {

[bsy, 2011/08/23 18:31:23]

just assigned to *mem NACL_TRAMPOLINE_START, so always false?  *unless*
NaCl_find_prereserved_sandbox_memory changed it?  this seems confusing.

and looking at NaCl_f_p_s_m, *p = 0 occurs early on, so it *always* overwrites,
and the initialization above is a no-op.

[Brad Chen, 2011/08/23 21:15:09]

I moved initialization into else clause where it is useful.

On 2011/08/23 18:31:23, bsy wrote:

+      NaClLog(LOG_ERROR, "NaClAllocateSpace:"
+                         "Can't handle sandbox at high address"
+                         "0x%08"NACL_PRIxPTR"\n",
+              (uintptr_t)*mem);
+      return LOAD_NO_MEMORY;
+    }

[bsy, 2011/08/23 18:43:19]

if we find memory, we should ensure squatting between vm.mmap_min_addr the same
as for x86-32 linux.  at least a TODO here please

[Brad Chen, 2011/08/23 21:15:09]

I think this is already taken care of. You need to look at the Chrome side as
well, chrome/nacl/nacl_helper_bootstrap_linux.c and chrome/nacl.gypi. The
nacl_helper_bootstrap loads at 64K, and the code below protects up to 64K, so
everything should be covered.

On 2011/08/23 18:43:19, bsy wrote:

+  } else {
+    /* Zero-based sandbox not pre-reserved. Try anyways. */
+    /* TODO(bradchen): delete once new code is working.  */
+  }
+  result = NaCl_page_alloc_at_addr(mem, addrsp_size);

[bsy, 2011/08/23 18:31:23]

since NaCl_find_prereserved_sandbox_memory had zeroed out *mem, we aren't
allocating at NACL_TRAMPOLINE_START like it used to.  this probably breaks arm
code.

[Brad Chen, 2011/08/23 21:15:09]

If *mem is zero after NaCl_fpsm(), then we will return above with
LOAD_NO_MEMORY. *mem is non-zero for all other paths. I can add an assert (0 !=
*mem) here if you like.

On 2011/08/23 18:31:23, bsy wrote:

+  *mem = 0;
+#else
+# error "I only know how to allocate memory for ARM on Linux."
+#endif
+  if (0 != result) {
     NaClLog(2,
-        "NaClAllocateSpace: NaCl_page_alloc_at_addr 0x%08"NACL_PRIxPTR
-        " failed\n",
-        (uintptr_t) *mem);
+            "NaClAllocateSpace: NaCl_page_alloc_at_addr 0x%08"NACL_PRIxPTR
+            " failed\n",
+            (uintptr_t) *mem);
     return LOAD_NO_MEMORY;
   }
   NaClLog(4, "NaClAllocateSpace: %"NACL_PRIxPTR", %"NACL_PRIxS"\n",
           (uintptr_t) *mem,
           addrsp_size);
 
-  /*
-   * makes sel_ldr think that the module's address space is at 0x0, this where
-   * it should be
-   */
-  *mem = 0x0;
-
   return LOAD_OK;
 }
 
 /*
  * In the ARM sandboxing scheme we put the NaCl module at low virtual
  * address -- and thus there can only ever be one running NaCl app per
  * sel_ldr process -- to simplify the address masking etc needed for
  * the sandboxing.  All memory below ((uintptr_t) 1) << nap->addr_bits
  * is accessible to the NaCl app, and modulo page protection,
  * potentially writable.  Page protection is, of course, used to
@@ skipping 11 matching lines @@
    * address 0x0, so we mmap it at the start of a trampoline region.
    * Therefore, there is not need to mprotect at the start_addr.
    *
    * However, we do create a vmmap entry to describe it.
    */
   NaClLog(3,
           ("NULL detection region start 0x%08"NACL_PRIxPTR", "
            "size 0x%08x, end 0x%08"NACL_PRIxPTR"\n"),
           0, NACL_SYSCALL_START_ADDR,
           NACL_SYSCALL_START_ADDR);
+
   if (!NaClVmmapAdd(&nap->mem_map,
                     nap->mem_start >> NACL_PAGESHIFT,
                     NACL_SYSCALL_START_ADDR >> NACL_PAGESHIFT,
                     PROT_NONE,
                     (struct NaClMemObj *) NULL)) {
     NaClLog(LOG_ERROR, ("NaClMemoryProtection: NaClVmmapAdd failed"
                         " (NULL pointer guard page)\n"));
     return LOAD_MPROTECT_FAIL;
   }
 
@@ skipping 17 matching lines @@
    * NB: the pages just mapped are OUTSIDE of the address space of the
    * NaCl module.  We should not track them in the Vmmap structure,
    * since that's to track addressable memory for mapping and unmapping.
    *
    * This means that because these pages are implicit and not tracked,
    * we should have a hook to tear down these pages as part of the
    * NaClApp dtor.
    */
   return LOAD_OK;
 }