Pepper: Stop using SRPC for irt_open_resource().

components/nacl/loader/nacl_ipc_adapter.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/nacl_ipc_adapter.h"
 
 #include <limits.h>
 #include <string.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/shared_memory.h"
+#include "base/task_runner_util.h"
 #include "build/build_config.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_platform_file.h"
 #include "native_client/src/trusted/desc/nacl_desc_base.h"
 #include "native_client/src/trusted/desc/nacl_desc_custom.h"
 #include "native_client/src/trusted/desc/nacl_desc_imc_shm.h"
 #include "native_client/src/trusted/desc/nacl_desc_io.h"
 #include "native_client/src/trusted/desc/nacl_desc_quota.h"
 #include "native_client/src/trusted/desc/nacl_desc_quota_interface.h"
 #include "native_client/src/trusted/desc/nacl_desc_sync_socket.h"
 #include "native_client/src/trusted/desc/nacl_desc_wrapper.h"
 #include "native_client/src/trusted/service_runtime/include/sys/fcntl.h"
+#include "native_client/src/trusted/validator/rich_file_info.h"
 #include "ppapi/c/ppb_file_io.h"
 #include "ppapi/proxy/ppapi_messages.h"
 #include "ppapi/proxy/serialized_handle.h"
 
 using ppapi::proxy::NaClMessageScanner;
 
 namespace {
 
 enum BufferSizeStatus {
   // The buffer contains a full message with no extra bytes.
@@ skipping 285 matching lines @@
 
 NaClIPCAdapter::IOThreadData::~IOThreadData() {
 }
 
 NaClIPCAdapter::NaClIPCAdapter(const IPC::ChannelHandle& handle,
                                base::TaskRunner* runner)
     : lock_(),
       cond_var_(&lock_),
       task_runner_(runner),
       locked_data_() {
+  main_task_runner_ = base::MessageLoop::current()->task_runner();

[Mark Seaborn, 2014/09/09 04:42:30]

I can't see any uses of this.

[teravest, 2014/09/09 16:49:06]

Removed.

   io_thread_data_.channel_ = IPC::Channel::CreateServer(handle, this);
   // Note, we can not PostTask for ConnectChannelOnIOThread here. If we did,
   // and that task ran before this constructor completes, the reference count
   // would go to 1 and then to 0 because of the Task, before we've been returned
   // to the owning scoped_refptr, which is supposed to give us our first
   // ref-count.
 }
 
 NaClIPCAdapter::NaClIPCAdapter(scoped_ptr<IPC::Channel> channel,
                                base::TaskRunner* runner)
@@ skipping 116 matching lines @@
 }
 
 #if defined(OS_POSIX)
 int NaClIPCAdapter::TakeClientFileDescriptor() {
   return io_thread_data_.channel_->TakeClientFileDescriptor();
 }
 #endif
 
 bool NaClIPCAdapter::OnMessageReceived(const IPC::Message& msg) {
   uint32_t type = msg.type();
+
   if (type == IPC_REPLY_ID) {
     int id = IPC::SyncMessage::GetMessageId(msg);
     IOThreadData::PendingSyncMsgMap::iterator it =
         io_thread_data_.pending_sync_msgs_.find(id);
     DCHECK(it != io_thread_data_.pending_sync_msgs_.end());
     if (it != io_thread_data_.pending_sync_msgs_.end()) {
       type = it->second;
       io_thread_data_.pending_sync_msgs_.erase(it);
     }
   }
+  // Handle PpapiHostMsg_OpenResource outside the lock as it requires sending
+  // IPC to handle properly.
+  if (type == PpapiHostMsg_OpenResource::ID) {
+    PickleIterator iter = IPC::SyncMessage::GetDataIterator(&msg);
+    ppapi::proxy::SerializedHandle sh;
+    uint64_t token_lo;
+    uint64_t token_hi;
+    if (!IPC::ReadParam(&msg, &iter, &sh) ||
+        !IPC::ReadParam(&msg, &iter, &token_lo) ||
+        !IPC::ReadParam(&msg, &iter, &token_hi)) {
+      return false;
+    }
 
+    if (sh.IsHandleValid() && (token_lo != 0 || token_hi != 0)) {
+      // We've received a valid file token, but we have to validate it with the

[Mark Seaborn, 2014/09/09 04:42:29]

This is a little misleading.  The token doesn't *have* to be validated.  The
NaCl process only has to exchange the token for a new FD in order to use the new
FD with identity-based validation caching.

[teravest, 2014/09/09 16:49:06]

I've reworded this to be more precise, but it's a bit longer now. :(

+      // browser before it can be used. This is to prevent a compromised
+      // renderer from running arbitrary code in the NaCl process.
+      DCHECK(!resolve_file_token_cb_.is_null());
+
+      // resolve_file_token_cb_ must be invoked from the main thread.
+      resolve_file_token_cb_.Run(
+          token_lo,
+          token_hi,
+          base::Bind(&NaClIPCAdapter::OnFileTokenResolved,
+                     this,
+                     msg));
+
+      // In this case, we don't release the message to NaCl untrusted code
+      // immediately. We defer it until we get an async message back from the
+      // browser process.
+      return true;
+    }
+  }
+  return RewriteMessage(msg, type);
+}
+
+bool NaClIPCAdapter::RewriteMessage(const IPC::Message& msg, uint32_t type) {
   {
     base::AutoLock lock(lock_);
     scoped_refptr<RewrittenMessage> rewritten_msg(new RewrittenMessage);
 
     typedef std::vector<ppapi::proxy::SerializedHandle> Handles;
     Handles handles;
     scoped_ptr<IPC::Message> new_msg;
 
     if (!locked_data_.nacl_msg_scanner_.ScanMessage(
             msg, type, &handles, &new_msg))
@@ skipping 42 matching lines @@
             desc = MakeNaClDescQuota(
                 locked_data_.nacl_msg_scanner_.GetFile(iter->file_io()),
                 desc);
           }
           if (desc)
             nacl_desc.reset(new NaClDescWrapper(desc));
           break;
         }
 
         case ppapi::proxy::SerializedHandle::INVALID: {
-          // Nothing to do. TODO(dmichael): Should we log this? Or is it
-          // sometimes okay to pass an INVALID handle?
+          // Nothing to do.
           break;
         }
         // No default, so the compiler will warn us if new types get added.
       }
       if (nacl_desc.get())
         rewritten_msg->AddDescriptor(nacl_desc.release());
     }
     if (new_msg)
       SaveMessage(*new_msg, rewritten_msg.get());
     else
       SaveMessage(msg, rewritten_msg.get());
     cond_var_.Signal();
   }
   return true;
 }
 
+scoped_ptr<IPC::Message> CreateOpenResourceReply(
+    const IPC::Message& orig_msg,
+    ppapi::proxy::SerializedHandle sh) {
+  scoped_ptr<IPC::Message> new_msg(new IPC::Message(
+      orig_msg.routing_id(),
+      orig_msg.type(),
+      IPC::Message::PRIORITY_NORMAL));
+
+  // We have to rewrite the message a bit here to clear the file token
+  // data.
+  new_msg->set_reply();
+  new_msg->WriteInt(IPC::SyncMessage::GetMessageId(orig_msg));

[Mark Seaborn, 2014/09/09 04:42:29]

Comment that this needs to be kept in sync with SyncMessage::WriteSyncHeader()? 
What ensures this is kept in sync?

Hmm, I suppose nacl_message_scanner.cc has that issue already.

[teravest, 2014/09/09 16:49:06]

I've added a comment. Nothing ensures that this is kept in sync today.
I tried using SyncMessage::GenerateReply, but that caused some test failures, so
I didn't investigate further.

+
+  // Write the SerializedHandle. There's only ever one in this message, so
+  // we just write an index of zero.
+  ppapi::proxy::SerializedHandle::WriteHeader(sh.header(),
+                                              new_msg.get());
+  new_msg->WriteBool(true);

[Mark Seaborn, 2014/09/09 04:42:30]

Comment that this is the "valid" field here?

What keeps this in sync with the ParamTraits implementations in
ipc_message_utils.cc?  (nacl_message_scanner.cc has this issue already too...)

[teravest, 2014/09/09 16:49:06]

I've added a comment. Nothing keeps this in sync, sadly. I don't like how this
is organized right now, but I can't reuse the implementation in ParamTraits with
the use of RewrittenMessage in this file.

+  new_msg->WriteInt(0);

[Mark Seaborn, 2014/09/09 04:42:29]

Comment that this is the index into the message's array of FDs?

[teravest, 2014/09/09 16:49:06]

Done.

+
+  // Write empty file tokens.
+  new_msg->WriteUInt64(0);

[Mark Seaborn, 2014/09/09 04:42:29]

Comment "// token_{lo,hi}" here?

[teravest, 2014/09/09 16:49:06]

Done.

+  new_msg->WriteUInt64(0);
+  return new_msg.Pass();
+}
+
+void NaClIPCAdapter::OnFileTokenResolved(const IPC::Message& orig_msg,
+                                         IPC::PlatformFileForTransit ipc_fd,
+                                         base::FilePath file_path) {
+  if (ipc_fd == IPC::InvalidPlatformFileForTransit()) {
+    // The file token didn't resolve successfully, so we give the

[Mark Seaborn, 2014/09/09 04:42:29]

IIRC, this path only happens when the GetFilePath() call in nacl_process_host.cc
fails, when the token isn't found in the cache.

This code path isn't exercised by the tests, is it?  If not, can you comment
that here, and add a TEST= field to say how this can be manually tested?

[teravest, 2014/09/09 16:49:06]

I've added a comment.

+    // original FD to the client without making a validated NaClDesc.
+    // However, we must rewrite the message to clear the file tokens.
+    PickleIterator iter = IPC::SyncMessage::GetDataIterator(&orig_msg);
+    ppapi::proxy::SerializedHandle sh;
+
+    // We know that this can be read safely; see the original read in
+    // OnMessageRecieved().

[Mark Seaborn, 2014/09/09 04:42:30]

"Received"

[teravest, 2014/09/09 16:49:06]

Done.

+    CHECK(IPC::ReadParam(&orig_msg, &iter, &sh));
+    scoped_ptr<IPC::Message> new_msg = CreateOpenResourceReply(orig_msg, sh);
+
+    // TODO(teravest): Clean up NaClHandle casting throughout this file.
+
+    scoped_ptr<NaClDescWrapper> desc_wrapper(new NaClDescWrapper(
+        NaClDescIoDescFromHandleAllocCtor(
+#if defined(OS_WIN)
+            (NaClHandle) sh.descriptor(),
+#else
+            (NaClHandle) sh.descriptor().fd,
+#endif
+            NACL_ABI_O_RDONLY)));
+
+    scoped_refptr<RewrittenMessage> rewritten_msg(new RewrittenMessage);
+    rewritten_msg->AddDescriptor(desc_wrapper.release());
+    {
+      base::AutoLock lock(lock_);
+      SaveMessage(*new_msg, rewritten_msg.get());
+      cond_var_.Signal();
+    }
+    return;
+  }
+
+  // The file token was sucessfully resolved.
+  std::string file_path_str = file_path.AsUTF8Unsafe();
+  base::PlatformFile handle =
+      IPC::PlatformFileForTransitToPlatformFile(ipc_fd);
+  int32_t new_fd;
+#if defined(OS_WIN)
+  // On Windows, valid handles are 32 bit unsigned integers so this is
+  // safe.
+  new_fd = reinterpret_cast<uintptr_t>(handle);
+#else
+  new_fd = handle;
+#endif
+  // The file token was resolved successfully, so we populate the new
+  // NaClDesc with that information.
+  char* alloc_file_path = static_cast<char*>(
+      malloc(file_path_str.length() + 1));
+  strcpy(alloc_file_path, file_path_str.c_str());
+  scoped_ptr<NaClDescWrapper> desc_wrapper(new NaClDescWrapper(
+      NaClDescIoDescFromHandleAllocCtor(
+          (NaClHandle) new_fd, NACL_ABI_O_RDONLY)));
+
+  // Mark the desc as OK for mmapping.
+  NaClDescMarkSafeForMmap(desc_wrapper->desc());
+
+  // Provide metadata for validation.
+  struct NaClRichFileInfo info;
+  NaClRichFileInfoCtor(&info);
+  info.known_file = 1;
+  info.file_path = alloc_file_path;  // Takes ownership.
+  info.file_path_length =
+      static_cast<uint32_t>(file_path_str.length());
+  NaClSetFileOriginInfo(desc_wrapper->desc(), &info);
+  NaClRichFileInfoDtor(&info);
+
+  ppapi::proxy::SerializedHandle sh;
+  sh.set_file_handle(ipc_fd, PP_FILEOPENFLAG_READ, 0);
+  scoped_ptr<IPC::Message> new_msg = CreateOpenResourceReply(orig_msg, sh);
+  scoped_refptr<RewrittenMessage> rewritten_msg(new RewrittenMessage);
+
+  rewritten_msg->AddDescriptor(desc_wrapper.release());
+  {
+    base::AutoLock lock(lock_);
+    SaveMessage(*new_msg, rewritten_msg.get());
+    cond_var_.Signal();
+  }
+}
+
 void NaClIPCAdapter::OnChannelConnected(int32 peer_pid) {
 }
 
 void NaClIPCAdapter::OnChannelError() {
   CloseChannel();
 }
 
 NaClIPCAdapter::~NaClIPCAdapter() {
   // Make sure the channel is deleted on the IO thread.
   task_runner_->PostTask(FROM_HERE,
@@ skipping 114 matching lines @@
   header.flags = msg.flags();
   header.num_fds = static_cast<int>(rewritten_msg->desc_count());
 
   rewritten_msg->SetData(header, msg.payload(), msg.payload_size());
   locked_data_.to_be_received_.push(rewritten_msg);
 }
 
 int TranslatePepperFileReadWriteOpenFlagsForTesting(int32_t pp_open_flags) {
   return TranslatePepperFileReadWriteOpenFlags(pp_open_flags);
 }