1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45
   46
   47
   48
   49
   50
   51
   52
   53
   54
   55
   56
   57
   58
   59
   60
   61
   62
   63
   64
   65
   66
   67
   68
   69
   70
   71
   72
   73
   74
   75
   76
   77
   78
   79
   80
   81
   82
   83
   84
   85
   86
   87
   88
   89
   90
   91
   92
   93
   94
   95
   96
   97
   98
   99
  100
  101
  102
  103
  104
  105
  106
  107
  108
  109
  110
  111
  112
  113
  114
  115
  116
  117
  118
  119
  120


mojo / core / platform_handle_in_transit.h [blame]

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_
#define MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_

#include "base/process/process.h"
#include "build/build_config.h"
#include "mojo/public/cpp/platform/platform_handle.h"

#if BUILDFLAG(IS_WIN)
#include <windows.h>
#endif

namespace mojo {
namespace core {

// Owns a PlatformHandle which may actually belong to another process. On
// Windows and (sometimes) Mac, handles in a message object may take on values
// which only have meaning in the context of a remote process.
//
// This class provides a safe way of scoping the lifetime of such handles so
// that they don't leak when transmission can't be completed.
class PlatformHandleInTransit {
 public:
  PlatformHandleInTransit();
  explicit PlatformHandleInTransit(PlatformHandle handle);
  PlatformHandleInTransit(PlatformHandleInTransit&&);

  PlatformHandleInTransit(const PlatformHandleInTransit&) = delete;
  PlatformHandleInTransit& operator=(const PlatformHandleInTransit&) = delete;

  ~PlatformHandleInTransit();

  PlatformHandleInTransit& operator=(PlatformHandleInTransit&&);

  // Accessor for the owned handle. Must be owned by the calling process.
  const PlatformHandle& handle() const {
    DCHECK(!owning_process_.IsValid());
    return handle_;
  }

  // Returns the process which owns this handle. If this is invalid, the handle
  // is owned by the current process.
  const base::Process& owning_process() const { return owning_process_; }

  // Takes ownership of the held handle as-is. The handle must belong to the
  // current process.
  PlatformHandle TakeHandle();

  // Discards the handle owned by this object. The implication is that its
  // value has been successfully communicated to the owning process and the
  // calling process is no longer responsible for managing the handle's
  // lifetime.
  void CompleteTransit();

  // Designates the relative trust level of the destination process compared to
  // the source process, in the context of a handle transfer operation. This
  // may be expanded to more granular degrees of trust in the future.
  enum TransferTargetTrustLevel {
    // No special constraints on what can be transferred or how.
    kTrustedTarget,

    // On some platforms, transfers with this destination type may be restricted
    // to block certain types of handles.
    kUntrustedTarget,
  };

  // Transfers ownership of this (local) handle to |target_process|.
  bool TransferToProcess(base::Process target_process,
                         TransferTargetTrustLevel trust = kTrustedTarget);

#if BUILDFLAG(IS_WIN)
  HANDLE remote_handle() const { return remote_handle_; }

  // Indicates whether |handle| is a known pseudo handle value. In a fuzzing
  // environment we merely simulate IPC, so we end up accepting "remote" handle
  // values from our own process. This means that unlike in production
  // scenarios, we may end up successfully calling DuplicateHandle on a fuzzed
  // pseudo handle value (in production if a remote process sent us a pseudo
  // handle value, DuplicateHandle would always fail).
  //
  // For some reason, a small number of special pseudo handle values always
  // duplicate to the same real handle value when DUPLICATE_CLOSE_SOURCE is
  // specified, presumably because the returned handle is closed before it's
  // even returned. For example, duplicating -10 with DUPLICATE_CLOSE_SOURCE
  // always yields the handle value 0x50. This ends up interacting poorly with
  // the rest of Mojo's handle deserialization code and eventually crashes
  // in ScopedHandleVerifier.
  //
  // We avoid the issue by explicitly discarding any known pseudo handle values,
  // since they are always invalid when received from a remote process anyway
  // and thus always signal a misbehaving client.
  static bool IsPseudoHandle(HANDLE handle);

  // Returns a new local handle, with ownership of |handle| being transferred
  // from |owning_process| to the caller.
  static PlatformHandle TakeIncomingRemoteHandle(
      HANDLE handle,
      base::ProcessHandle owning_process);
#endif

 private:
#if BUILDFLAG(IS_WIN)
  // We don't use a ScopedHandle (or, by extension, PlatformHandle) here because
  // the handle verifier expects all handle values to be owned by this process.
  // On Windows we use |handle_| for locally owned handles and |remote_handle_|
  // otherwise. On all other platforms we use |handle_| regardless of ownership.
  HANDLE remote_handle_ = INVALID_HANDLE_VALUE;
#endif

  PlatformHandle handle_;
  base::Process owning_process_;
};

}  // namespace core
}  // namespace mojo

#endif  // MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_