| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "ipc/attachment_broker_privileged_win.h" | 5 #include "ipc/attachment_broker_privileged_win.h" |
| 6 | 6 |
| 7 #include <windows.h> | 7 #include <windows.h> |
| 8 | 8 |
| 9 #include <tuple> | 9 #include <tuple> |
| 10 | 10 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 27 case BrokerableAttachment::WIN_HANDLE: { | 27 case BrokerableAttachment::WIN_HANDLE: { |
| 28 internal::HandleAttachmentWin* handle_attachment = | 28 internal::HandleAttachmentWin* handle_attachment = |
| 29 static_cast<internal::HandleAttachmentWin*>(attachment.get()); | 29 static_cast<internal::HandleAttachmentWin*>(attachment.get()); |
| 30 HandleWireFormat wire_format = | 30 HandleWireFormat wire_format = |
| 31 handle_attachment->GetWireFormat(destination_process); | 31 handle_attachment->GetWireFormat(destination_process); |
| 32 HandleWireFormat new_wire_format = | 32 HandleWireFormat new_wire_format = |
| 33 DuplicateWinHandle(wire_format, base::Process::Current().Pid()); | 33 DuplicateWinHandle(wire_format, base::Process::Current().Pid()); |
| 34 handle_attachment->reset_handle_ownership(); | 34 handle_attachment->reset_handle_ownership(); |
| 35 if (new_wire_format.handle == 0) | 35 if (new_wire_format.handle == 0) |
| 36 return false; | 36 return false; |
| 37 RouteDuplicatedHandle(new_wire_format); | 37 RouteDuplicatedHandle(new_wire_format, true); |
| 38 return true; | 38 return true; |
| 39 } | 39 } |
| 40 case BrokerableAttachment::MACH_PORT: | 40 case BrokerableAttachment::MACH_PORT: |
| 41 case BrokerableAttachment::PLACEHOLDER: | 41 case BrokerableAttachment::PLACEHOLDER: |
| 42 NOTREACHED(); | 42 NOTREACHED(); |
| 43 return false; | 43 return false; |
| 44 } | 44 } |
| 45 return false; | 45 return false; |
| 46 } | 46 } |
| 47 | 47 |
| 48 void AttachmentBrokerPrivilegedWin::ReceivedPeerPid(base::ProcessId peer_pid) { |
| 49 auto it = stored_wire_formats_.find(peer_pid); |
| 50 if (it == stored_wire_formats_.end()) |
| 51 return; |
| 52 |
| 53 // Make a copy, and destroy the original. |
| 54 WireFormats wire_formats = it->second; |
| 55 stored_wire_formats_.erase(it); |
| 56 |
| 57 for (const HandleWireFormat& format : wire_formats) { |
| 58 RouteDuplicatedHandle(format, false); |
| 59 } |
| 60 } |
| 61 |
| 48 bool AttachmentBrokerPrivilegedWin::OnMessageReceived(const Message& msg) { | 62 bool AttachmentBrokerPrivilegedWin::OnMessageReceived(const Message& msg) { |
| 49 bool handled = true; | 63 bool handled = true; |
| 50 switch (msg.type()) { | 64 switch (msg.type()) { |
| 51 IPC_MESSAGE_HANDLER_GENERIC(AttachmentBrokerMsg_DuplicateWinHandle, | 65 IPC_MESSAGE_HANDLER_GENERIC(AttachmentBrokerMsg_DuplicateWinHandle, |
| 52 OnDuplicateWinHandle(msg)) | 66 OnDuplicateWinHandle(msg)) |
| 53 IPC_MESSAGE_UNHANDLED(handled = false) | 67 IPC_MESSAGE_UNHANDLED(handled = false) |
| 54 } | 68 } |
| 55 return handled; | 69 return handled; |
| 56 } | 70 } |
| 57 | 71 |
| 58 void AttachmentBrokerPrivilegedWin::OnDuplicateWinHandle( | 72 void AttachmentBrokerPrivilegedWin::OnDuplicateWinHandle( |
| 59 const IPC::Message& message) { | 73 const IPC::Message& message) { |
| 60 AttachmentBrokerMsg_DuplicateWinHandle::Param param; | 74 AttachmentBrokerMsg_DuplicateWinHandle::Param param; |
| 61 if (!AttachmentBrokerMsg_DuplicateWinHandle::Read(&message, ¶m)) | 75 if (!AttachmentBrokerMsg_DuplicateWinHandle::Read(&message, ¶m)) |
| 62 return; | 76 return; |
| 63 IPC::internal::HandleAttachmentWin::WireFormat wire_format = | 77 IPC::internal::HandleAttachmentWin::WireFormat wire_format = |
| 64 std::get<0>(param); | 78 std::get<0>(param); |
| 65 | 79 |
| 66 if (wire_format.destination_process == base::kNullProcessId) { | 80 if (wire_format.destination_process == base::kNullProcessId) { |
| 67 LogError(NO_DESTINATION); | 81 LogError(NO_DESTINATION); |
| 68 return; | 82 return; |
| 69 } | 83 } |
| 70 | 84 |
| 71 HandleWireFormat new_wire_format = | 85 HandleWireFormat new_wire_format = |
| 72 DuplicateWinHandle(wire_format, message.get_sender_pid()); | 86 DuplicateWinHandle(wire_format, message.get_sender_pid()); |
| 73 RouteDuplicatedHandle(new_wire_format); | 87 RouteDuplicatedHandle(new_wire_format, true); |
| 74 } | 88 } |
| 75 | 89 |
| 76 void AttachmentBrokerPrivilegedWin::RouteDuplicatedHandle( | 90 void AttachmentBrokerPrivilegedWin::RouteDuplicatedHandle( |
| 77 const HandleWireFormat& wire_format) { | 91 const HandleWireFormat& wire_format, |
| 92 bool store_on_failure) { |
| 78 // This process is the destination. | 93 // This process is the destination. |
| 79 if (wire_format.destination_process == base::Process::Current().Pid()) { | 94 if (wire_format.destination_process == base::Process::Current().Pid()) { |
| 80 scoped_refptr<BrokerableAttachment> attachment( | 95 scoped_refptr<BrokerableAttachment> attachment( |
| 81 new internal::HandleAttachmentWin(wire_format)); | 96 new internal::HandleAttachmentWin(wire_format)); |
| 82 HandleReceivedAttachment(attachment); | 97 HandleReceivedAttachment(attachment); |
| 83 return; | 98 return; |
| 84 } | 99 } |
| 85 | 100 |
| 86 // Another process is the destination. | 101 // Another process is the destination. |
| 87 base::ProcessId dest = wire_format.destination_process; | 102 base::ProcessId dest = wire_format.destination_process; |
| 88 base::AutoLock auto_lock(*get_lock()); | 103 base::AutoLock auto_lock(*get_lock()); |
| 89 AttachmentBrokerPrivileged::EndpointRunnerPair pair = | 104 AttachmentBrokerPrivileged::EndpointRunnerPair pair = |
| 90 GetSenderWithProcessId(dest); | 105 GetSenderWithProcessId(dest); |
| 91 if (!pair.first) { | 106 if (!pair.first) { |
| 92 // Assuming that this message was not sent from a malicious process, the | 107 if (store_on_failure) { |
| 93 // channel endpoint that would have received this message will block | 108 LogError(DELAYED); |
| 94 // forever. | 109 stored_wire_formats_[dest].push_back(wire_format); |
| 95 LOG(ERROR) << "Failed to deliver brokerable attachment to process with id: " | 110 } else { |
| 96 << dest; | 111 // Assuming that this message was not sent from a malicious process, the |
| 97 LogError(DESTINATION_NOT_FOUND); | 112 // channel endpoint that would have received this message will block |
| 113 // forever. |
| 114 LOG(ERROR) |
| 115 << "Failed to deliver brokerable attachment to process with id: " |
| 116 << dest; |
| 117 LogError(DESTINATION_NOT_FOUND); |
| 118 } |
| 98 return; | 119 return; |
| 99 } | 120 } |
| 100 | 121 |
| 101 LogError(DESTINATION_FOUND); | 122 LogError(DESTINATION_FOUND); |
| 123 if (!store_on_failure) |
| 124 LogError(DELAYED_SEND); |
| 125 |
| 102 SendMessageToEndpoint( | 126 SendMessageToEndpoint( |
| 103 pair, new AttachmentBrokerMsg_WinHandleHasBeenDuplicated(wire_format)); | 127 pair, new AttachmentBrokerMsg_WinHandleHasBeenDuplicated(wire_format)); |
| 104 } | 128 } |
| 105 | 129 |
| 106 AttachmentBrokerPrivilegedWin::HandleWireFormat | 130 AttachmentBrokerPrivilegedWin::HandleWireFormat |
| 107 AttachmentBrokerPrivilegedWin::DuplicateWinHandle( | 131 AttachmentBrokerPrivilegedWin::DuplicateWinHandle( |
| 108 const HandleWireFormat& wire_format, | 132 const HandleWireFormat& wire_format, |
| 109 base::ProcessId source_pid) { | 133 base::ProcessId source_pid) { |
| 110 // If the source process is the destination process, then no additional work | 134 // If the source process is the destination process, then no additional work |
| 111 // is required. | 135 // is required. |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 151 | 175 |
| 152 AttachmentBrokerPrivilegedWin::HandleWireFormat | 176 AttachmentBrokerPrivilegedWin::HandleWireFormat |
| 153 AttachmentBrokerPrivilegedWin::CopyWireFormat( | 177 AttachmentBrokerPrivilegedWin::CopyWireFormat( |
| 154 const HandleWireFormat& wire_format, | 178 const HandleWireFormat& wire_format, |
| 155 int handle) { | 179 int handle) { |
| 156 return HandleWireFormat(handle, wire_format.destination_process, | 180 return HandleWireFormat(handle, wire_format.destination_process, |
| 157 wire_format.permissions, wire_format.attachment_id); | 181 wire_format.permissions, wire_format.attachment_id); |
| 158 } | 182 } |
| 159 | 183 |
| 160 } // namespace IPC | 184 } // namespace IPC |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1979533003:
Fix an attachment broker race condition. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master