[WIP] Plan B: no service_runtime dependency with more copy-paste.

components/nacl/loader/nonsfi/irt_thread.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
+#include <signal.h>
 #include <stdlib.h>
+#include <sys/mman.h>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "components/nacl/loader/nonsfi/irt_interfaces.h"
-#include "native_client/src/trusted/service_runtime/nacl_signal.h"
 
 namespace nacl {
 namespace nonsfi {
 namespace {
 
 // We heuristically chose 1M for the stack size per thread.
 const int kStackSize = 1024 * 1024;
 
 // For RAII of pthread_attr_t.
 class ScopedPthreadAttrPtr {
@@ skipping 13 matching lines @@
   void* thread_ptr;
   void* signal_stack;
 };
 
 // A thread local pointer to support nacl_irt_tls.
 // This should be initialized at the beginning of ThreadMain, which is a thin
 // wrapper of a user function called on a newly created thread, and may be
 // reset via IrtTlsInit(). The pointer can be obtained via IrtTlsGet().
 __thread void* g_thread_ptr;
 
+const int kSignalStackSize = SIGSTKSZ + 4096;
+const int kNonSfiPageSize = 4096;  // really?
+const int kStackGuardSize = kNonSfiPageSize;
+
+void NaClSignalStackRegister(void *stack) {
+  /*
+   * If we set up signal handlers, we must ensure that any thread that
+   * runs untrusted code has an alternate signal stack set up.  The
+   * default for a new thread is to use the stack pointer from the
+   * point at which the fault occurs, but it would not be safe to use
+   * untrusted code's %esp/%rsp value.
+   */
+  stack_t st;
+  st.ss_size = kSignalStackSize;
+  st.ss_sp = ((uint8_t *) stack) + kStackGuardSize;
+  st.ss_flags = 0;
+  if (sigaltstack(&st, NULL) != 0) {
+    PLOG(FATAL) << "Failed to register signal stack";
+  }
+}
+
+int NaClSignalStackAllocate(void **result) {
+  /*
+   * We use mmap() to allocate the signal stack for two reasons:
+   *
+   * 1) By page-aligning the memory allocation (which malloc() does
+   * not do for small allocations), we avoid allocating any real
+   * memory in the common case in which the signal handler is never
+   * run.
+   *
+   * 2) We get to create a guard page, to guard against the unlikely
+   * occurrence of the signal handler both overrunning and doing so in
+   * an exploitable way.
+   */
+  void *stack = mmap(NULL, kSignalStackSize + kStackGuardSize,
+                     PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON,
+                     -1, 0);
+  if (stack == MAP_FAILED) {
+    return 0;
+  }
+  /* We assume that the stack grows downwards. */
+  if (mprotect(stack, kStackGuardSize, PROT_NONE) != 0) {
+    PLOG(FATAL) << "Failed to mprotect() the stack guard page";
+  }
+  *result = stack;
+  return 1;
+}
+
 void* ThreadMain(void *arg) {
   ::scoped_ptr<ThreadContext> context(static_cast<ThreadContext*>(arg));
   g_thread_ptr = context->thread_ptr;
 
   DVLOG(4) << "Registering alternate signal stack: " << context->signal_stack;
   NaClSignalStackRegister(context->signal_stack);
 
   // Release the memory of context before running start_func.
   void (*start_func)() = context->start_func;
   context.reset();
@@ skipping 30 matching lines @@
   error = pthread_create(&tid, &attr, ThreadMain, context.get());
   if (error != 0)
     return error;
 
   // The ownership of the context is taken by the created thread. So, here we
   // just manually release it.
   ignore_result(context.release());
   return 0;
 }
 
+void* NaClSignalStackUnregister(void) {
+  /*
+   * Unregister the signal stack in case a fault occurs between the
+   * thread deallocating the signal stack and exiting.  Such a fault
+   * could be unsafe if the address space were reallocated before the
+   * fault, although that is unlikely.
+   */
+  stack_t st;
+  st.ss_size = 0;
+  st.ss_sp = NULL;
+  st.ss_flags = SS_DISABLE;
+  stack_t old_stack;
+  if (sigaltstack(&st, &old_stack) != 0) {
+    PLOG(FATAL) << "Failed to unregister signal stack.";
+  }
+  return old_stack.ss_sp;
+}
+
+void NaClSignalStackFree(void *stack) {
+  CHECK(stack != NULL);
+  if (munmap(stack, kSignalStackSize + kStackGuardSize) != 0) {
+    PLOG(FATAL) << "Failed to munmap() signal stack.";
+  }
+}
+
 void IrtThreadExit(int32_t* stack_flag) {
   // As we actually don't use stack given to thread_create, it means that the
   // memory can be released whenever.
   if (stack_flag)
     *stack_flag = 0;
+  NaClSignalStackUnregister();
+  // TODO: How do I know altstack address ? Should I trust sigaltstack
+  // return value ?
+  // NaClSignalStackFree(signal_stack);
   pthread_exit(NULL);
 }
 
 int IrtThreadNice(const int nice) {
   // TODO(https://code.google.com/p/nativeclient/issues/detail?id=3734):
   // Implement this method.
   // Note that this is just a hint, so here we just return success without
   // do anything.
   return 0;
 }
@@ skipping 15 matching lines @@
   IrtThreadNice,
 };
 
 const nacl_irt_tls kIrtTls = {
   IrtTlsInit,
   IrtTlsGet,
 };
 
 }  // namespace nonsfi
 }  // namespace nacl