mac: Fix an attachment broker race condition.

ipc/attachment_broker_privileged_mac.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ipc/attachment_broker_privileged_mac.h"
 
 #include <stdint.h>
 
 #include <tuple>
 
@@ skipping 36 matching lines @@
   switch (attachment->GetBrokerableType()) {
     case BrokerableAttachment::MACH_PORT: {
       internal::MachPortAttachmentMac* mach_port_attachment =
           static_cast<internal::MachPortAttachmentMac*>(attachment.get());
       MachPortWireFormat wire_format =
           mach_port_attachment->GetWireFormat(destination_process);
       AddPrecursor(wire_format.destination_process,
                    base::mac::ScopedMachSendRight(wire_format.mach_port),
                    wire_format.attachment_id);
       mach_port_attachment->reset_mach_port_ownership();
-      SendPrecursorsForProcess(wire_format.destination_process);
+      SendPrecursorsForProcess(wire_format.destination_process, true);
       return true;
     }
     default:
       NOTREACHED();
       return false;
   }
   return false;
 }
 
 void AttachmentBrokerPrivilegedMac::DeregisterCommunicationChannel(
@@ skipping 19 matching lines @@
   {
     base::AutoLock l(extractors_lock_);
     auto it = extractors_.find(pid);
     if (it != extractors_.end()) {
       delete it->second;
       extractors_.erase(pid);
     }
   }
 }
 
+void AttachmentBrokerPrivilegedMac::ReceivedPeerPid(base::ProcessId peer_pid) {
+  ProcessExtractorsForProcess(peer_pid, false);
+  SendPrecursorsForProcess(peer_pid, false);
+}
+
 bool AttachmentBrokerPrivilegedMac::OnMessageReceived(const Message& msg) {
   bool handled = true;
   switch (msg.type()) {
     IPC_MESSAGE_HANDLER_GENERIC(AttachmentBrokerMsg_DuplicateMachPort,
                                 OnDuplicateMachPort(msg))
     IPC_MESSAGE_UNHANDLED(handled = false)
   }
   return handled;
 }
 
 void AttachmentBrokerPrivilegedMac::OnReceivedTaskPort(
     base::ProcessHandle process) {
-  SendPrecursorsForProcess(process);
+  SendPrecursorsForProcess(process, true);
 }
 
 AttachmentBrokerPrivilegedMac::AttachmentPrecursor::AttachmentPrecursor(
     const base::ProcessId& pid,
     base::mac::ScopedMachSendRight port,
     const BrokerableAttachment::AttachmentId& id)
     : pid_(pid), port_(port.release()), id_(id) {}
 
 AttachmentBrokerPrivilegedMac::AttachmentPrecursor::~AttachmentPrecursor() {}
 
@@ skipping 25 matching lines @@
   IPC::internal::MachPortAttachmentMac::WireFormat wire_format =
       std::get<0>(param);
 
   if (wire_format.destination_process == base::kNullProcessId) {
     LogError(NO_DESTINATION);
     return;
   }
 
   AddExtractor(message.get_sender_pid(), wire_format.destination_process,
                wire_format.mach_port, wire_format.attachment_id);
-  ProcessExtractorsForProcess(message.get_sender_pid());
+  ProcessExtractorsForProcess(message.get_sender_pid(), true);
 }
 
 void AttachmentBrokerPrivilegedMac::RoutePrecursorToSelf(
     AttachmentPrecursor* precursor) {
   DCHECK_EQ(base::Process::Current().Pid(), precursor->pid());
 
   // Intentionally leak the port, since the attachment takes ownership.
   internal::MachPortAttachmentMac::WireFormat wire_format(
       precursor->TakePort().release(), precursor->pid(), precursor->id());
   scoped_refptr<BrokerableAttachment> attachment(
       new internal::MachPortAttachmentMac(wire_format));
   HandleReceivedAttachment(attachment);
 }
 
 bool AttachmentBrokerPrivilegedMac::RouteWireFormatToAnother(
     const MachPortWireFormat& wire_format) {
   DCHECK_NE(wire_format.destination_process, base::Process::Current().Pid());
 
   // Another process is the destination.
   base::ProcessId dest = wire_format.destination_process;
   base::AutoLock auto_lock(*get_lock());
   AttachmentBrokerPrivileged::EndpointRunnerPair pair =
       GetSenderWithProcessId(dest);
   if (!pair.first) {
-    // Assuming that this message was not sent from a malicious process, the
-    // channel endpoint that would have received this message will block
-    // forever.
+    // The extractor was successfully processed, which implies that the
+    // communication channel was established. This implies that the
+    // communication was taken down in the interim.
     LOG(ERROR) << "Failed to deliver brokerable attachment to process with id: "
                << dest;
     LogError(DESTINATION_NOT_FOUND);
     return false;
   }
 
   LogError(DESTINATION_FOUND);
   SendMessageToEndpoint(
       pair, new AttachmentBrokerMsg_MachPortHasBeenDuplicated(wire_format));
   return true;
@@ skipping 23 matching lines @@
 
 AttachmentBrokerPrivilegedMac::MachPortWireFormat
 AttachmentBrokerPrivilegedMac::CopyWireFormat(
     const MachPortWireFormat& wire_format,
     uint32_t mach_port) {
   return MachPortWireFormat(mach_port, wire_format.destination_process,
                             wire_format.attachment_id);
 }
 
 void AttachmentBrokerPrivilegedMac::SendPrecursorsForProcess(
-    base::ProcessId pid) {
+    base::ProcessId pid,
+    bool store_on_failure) {
   base::AutoLock l(precursors_lock_);
   auto it = precursors_.find(pid);
   if (it == precursors_.end())
     return;
 
   // Whether this process is the destination process.
   bool to_self = pid == base::GetCurrentProcId();
 
   if (!to_self) {
     base::AutoLock auto_lock(*get_lock());
     AttachmentBrokerPrivileged::EndpointRunnerPair pair =
         GetSenderWithProcessId(pid);
     if (!pair.first) {
-      // If there is no sender, then the destination process is no longer
-      // running, or never existed to begin with.
-      LogError(DESTINATION_NOT_FOUND);
-      delete it->second;
-      precursors_.erase(it);
+      if (store_on_failure) {
+        // Try again later.
+        LogError(DELAYED);
+      } else {
+        // If there is no sender, then permanently fail.
+        LogError(DESTINATION_NOT_FOUND);
+        delete it->second;
+        precursors_.erase(it);
+      }
       return;
     }
   }
 
   mach_port_t task_port = port_provider_->TaskForPid(pid);
 
   // It's possible that the destination process has not yet provided the
   // privileged process with its task port.
   if (!to_self && task_port == MACH_PORT_NULL)
     return;
@@ skipping 56 matching lines @@
   base::AutoLock l(precursors_lock_);
   auto it = precursors_.find(pid);
   if (it == precursors_.end())
     precursors_[pid] = new ScopedVector<AttachmentPrecursor>;
 
   precursors_[pid]->push_back(new AttachmentPrecursor(
       pid, base::mac::ScopedMachSendRight(port.release()), id));
 }
 
 void AttachmentBrokerPrivilegedMac::ProcessExtractorsForProcess(
-    base::ProcessId pid) {
+    base::ProcessId pid,
+    bool store_on_failure) {
   base::AutoLock l(extractors_lock_);
   auto it = extractors_.find(pid);
   if (it == extractors_.end())
     return;
 
   {
     base::AutoLock auto_lock(*get_lock());
     AttachmentBrokerPrivileged::EndpointRunnerPair pair =
         GetSenderWithProcessId(pid);
     if (!pair.first) {
-      // If there is no sender, then the source process is no longer running.
-      LogError(ERROR_SOURCE_NOT_FOUND);
-      delete it->second;
-      extractors_.erase(it);
+      if (store_on_failure) {
+        // If there is no sender, then the communication channel with the source
+        // process has not yet been established. Try again later.
+        LogError(DELAYED);
+      } else {
+        // There is no sender. Permanently fail.
+        LogError(ERROR_SOURCE_NOT_FOUND);
+        delete it->second;
+        extractors_.erase(it);
+      }
       return;
     }
   }
 
   mach_port_t task_port = port_provider_->TaskForPid(pid);
 
   // It's possible that the source process has not yet provided the privileged
   // process with its task port.
   if (task_port == MACH_PORT_NULL)
     return;
@@ skipping 10 matching lines @@
 
 void AttachmentBrokerPrivilegedMac::ProcessExtractor(
     AttachmentExtractor* extractor,
     mach_port_t task_port) {
   DCHECK(task_port);
   base::mac::ScopedMachSendRight send_right =
       ExtractNamedRight(task_port, extractor->port());
   AddPrecursor(extractor->dest_pid(),
                base::mac::ScopedMachSendRight(send_right.release()),
                extractor->id());
-  SendPrecursorsForProcess(extractor->dest_pid());
+  SendPrecursorsForProcess(extractor->dest_pid(), true);
 }
 
 void AttachmentBrokerPrivilegedMac::AddExtractor(
     base::ProcessId source_pid,
     base::ProcessId dest_pid,
     mach_port_name_t port,
     const BrokerableAttachment::AttachmentId& id) {
   base::AutoLock l(extractors_lock_);
   DCHECK_NE(base::GetCurrentProcId(), source_pid);
 
   auto it = extractors_.find(source_pid);
   if (it == extractors_.end())
     extractors_[source_pid] = new ScopedVector<AttachmentExtractor>;
 
   extractors_[source_pid]->push_back(
       new AttachmentExtractor(source_pid, dest_pid, port, id));
 }
 
 }  // namespace IPC