mojo/nacl/mojo_syscall_internal.h - chromium/src - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_
 #define MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_

 #include "native_client/src/trusted/service_runtime/nacl_copy.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"

 namespace {

 class ScopedCopyLock {
  public:
   explicit ScopedCopyLock(struct NaClApp* nap) : nap_(nap) {
     NaClCopyTakeLock(nap_);
   }
   ~ScopedCopyLock() {
     NaClCopyDropLock(nap_);
   }
  private:
   struct NaClApp* nap_;
 };

 static inline uintptr_t NaClUserToSysAddrArray(
     struct NaClApp* nap,
     uint32_t uaddr,
     size_t count,
     size_t size) {
   // TODO(ncbray): overflow checking
   size_t range = count * size;
   return NaClUserToSysAddrRange(nap, uaddr, range);
 }

 // We don't use plain-old memcpy because reads and writes to the untrusted
 // address space from trusted code must be volatile.  Non-volatile memory
 // operations are dangerous because a compiler would be free to materialize a
 // second load from the same memory address or materialize a load from a memory
 // address that was stored, and assume the materialized load would return the
 // same value as the previous load or store.  Data races could cause the
 // materialized load to return a different value, however, which could lead to
 // time of check vs. time of use problems, or worse.  For this binding code in
 // particular, where memcpy is being called with a constant size, it is entirely
 // conceivable the function will be inlined, unrolled, and optimized.
 static inline void memcpy_volatile_out(
     void volatile* dst,
     const void* src,
     size_t n) {
   char volatile* c_dst = static_cast<char volatile*>(dst);
   const char* c_src = static_cast<const char*>(src);
   for (size_t i = 0; i < n; i++) {
     c_dst[i] = c_src[i];
   }
 }

 template <typename T> bool ConvertScalarInput(
     struct NaClApp* nap,
     uint32_t user_ptr,
     T* value) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
     if (temp != kNaClBadAddress) {
       *value = *reinterpret_cast<T volatile*>(temp);
       return true;
     }
   }
   return false;
 }

 template <typename T> bool ConvertScalarOutput(
     struct NaClApp* nap,
     uint32_t user_ptr,
     bool optional,
     T volatile** sys_ptr) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
     if (temp != kNaClBadAddress) {
       *sys_ptr = reinterpret_cast<T volatile*>(temp);
       return true;
     }
   } else if (optional) {
     *sys_ptr = 0;
     return true;
   }
   *sys_ptr = 0; // Paranoia.
   return false;
 }

 template <typename T> bool ConvertScalarInOut(
     struct NaClApp* nap,
     uint32_t user_ptr,
     bool optional,
     T* value,
     T volatile** sys_ptr) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
     if (temp != kNaClBadAddress) {
       T volatile* converted = reinterpret_cast<T volatile*>(temp);
       *sys_ptr = converted;
       *value = *converted;
       return true;
     }
   } else if (optional) {
     *sys_ptr = 0;
     *value = static_cast<T>(0); // Paranoia.
     return true;
   }
   *sys_ptr = 0; // Paranoia.
   *value = static_cast<T>(0); // Paranoia.
   return false;
 }

 template <typename T> bool ConvertArray(
     struct NaClApp* nap,
     uint32_t user_ptr,
     uint32_t length,
     size_t element_size,
     bool optional,
     T** sys_ptr) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrArray(nap, user_ptr, length,
                                             element_size);
     if (temp != kNaClBadAddress) {
       *sys_ptr = reinterpret_cast<T*>(temp);
       return true;
     }
   } else if (optional) {
     *sys_ptr = 0;
     return true;
   }
   return false;
 }

 template <typename T> bool ConvertBytes(
     struct NaClApp* nap,
     uint32_t user_ptr,
     uint32_t length,
     bool optional,
     T** sys_ptr) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, length);
     if (temp != kNaClBadAddress) {
       *sys_ptr = reinterpret_cast<T*>(temp);
       return true;
     }
   } else if (optional) {
     *sys_ptr = 0;
     return true;
   }
   return false;
 }

 // TODO(ncbray): size validation and complete copy.
 // TODO(ncbray): ensure non-null / missized structs are covered by a test case.
 template <typename T> bool ConvertExtensibleStructInput(
     struct NaClApp* nap,
     uint32_t user_ptr,
     bool optional,
     T** sys_ptr) {
   if (user_ptr) {
     uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
     if (temp != kNaClBadAddress) {
       *sys_ptr = reinterpret_cast<T*>(temp);
       return true;
     }
   } else if (optional) {
     *sys_ptr = 0;
     return true;
   }
   return false;
 }

 } // namespace

 #endif // MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_
	#define MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_

	#include "native_client/src/trusted/service_runtime/nacl_copy.h"
	#include "native_client/src/trusted/service_runtime/sel_ldr.h"

	namespace {

	class ScopedCopyLock {
	public:
	explicit ScopedCopyLock(struct NaClApp* nap) : nap_(nap) {
	NaClCopyTakeLock(nap_);
	}
	~ScopedCopyLock() {
	NaClCopyDropLock(nap_);
	}
	private:
	struct NaClApp* nap_;
	};

	static inline uintptr_t NaClUserToSysAddrArray(
	struct NaClApp* nap,
	uint32_t uaddr,
	size_t count,
	size_t size) {
	// TODO(ncbray): overflow checking
	size_t range = count * size;
	return NaClUserToSysAddrRange(nap, uaddr, range);
	}

	// We don't use plain-old memcpy because reads and writes to the untrusted
	// address space from trusted code must be volatile. Non-volatile memory
	// operations are dangerous because a compiler would be free to materialize a
	// second load from the same memory address or materialize a load from a memory
	// address that was stored, and assume the materialized load would return the
	// same value as the previous load or store. Data races could cause the
	// materialized load to return a different value, however, which could lead to
	// time of check vs. time of use problems, or worse. For this binding code in
	// particular, where memcpy is being called with a constant size, it is entirely
	// conceivable the function will be inlined, unrolled, and optimized.
	static inline void memcpy_volatile_out(
	void volatile* dst,
	const void* src,
	size_t n) {
	char volatile* c_dst = static_cast<char volatile*>(dst);
	const char* c_src = static_cast<const char*>(src);
	for (size_t i = 0; i < n; i++) {
	c_dst[i] = c_src[i];
	}
	}

	template <typename T> bool ConvertScalarInput(
	struct NaClApp* nap,
	uint32_t user_ptr,
	T* value) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
	if (temp != kNaClBadAddress) {
	value = reinterpret_cast<T volatile*>(temp);
	return true;
	}
	}
	return false;
	}

	template <typename T> bool ConvertScalarOutput(
	struct NaClApp* nap,
	uint32_t user_ptr,
	bool optional,
	T volatile** sys_ptr) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
	if (temp != kNaClBadAddress) {
	sys_ptr = reinterpret_cast<T volatile>(temp);
	return true;
	}
	} else if (optional) {
	*sys_ptr = 0;
	return true;
	}
	*sys_ptr = 0; // Paranoia.
	return false;
	}

	template <typename T> bool ConvertScalarInOut(
	struct NaClApp* nap,
	uint32_t user_ptr,
	bool optional,
	T* value,
	T volatile** sys_ptr) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
	if (temp != kNaClBadAddress) {
	T volatile* converted = reinterpret_cast<T volatile*>(temp);
	*sys_ptr = converted;
	value = converted;
	return true;
	}
	} else if (optional) {
	*sys_ptr = 0;
	*value = static_cast<T>(0); // Paranoia.
	return true;
	}
	*sys_ptr = 0; // Paranoia.
	*value = static_cast<T>(0); // Paranoia.
	return false;
	}

	template <typename T> bool ConvertArray(
	struct NaClApp* nap,
	uint32_t user_ptr,
	uint32_t length,
	size_t element_size,
	bool optional,
	T** sys_ptr) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrArray(nap, user_ptr, length,
	element_size);
	if (temp != kNaClBadAddress) {
	sys_ptr = reinterpret_cast<T>(temp);
	return true;
	}
	} else if (optional) {
	*sys_ptr = 0;
	return true;
	}
	return false;
	}

	template <typename T> bool ConvertBytes(
	struct NaClApp* nap,
	uint32_t user_ptr,
	uint32_t length,
	bool optional,
	T** sys_ptr) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, length);
	if (temp != kNaClBadAddress) {
	sys_ptr = reinterpret_cast<T>(temp);
	return true;
	}
	} else if (optional) {
	*sys_ptr = 0;
	return true;
	}
	return false;
	}

	// TODO(ncbray): size validation and complete copy.
	// TODO(ncbray): ensure non-null / missized structs are covered by a test case.
	template <typename T> bool ConvertExtensibleStructInput(
	struct NaClApp* nap,
	uint32_t user_ptr,
	bool optional,
	T** sys_ptr) {
	if (user_ptr) {
	uintptr_t temp = NaClUserToSysAddrRange(nap, user_ptr, sizeof(T));
	if (temp != kNaClBadAddress) {
	sys_ptr = reinterpret_cast<T>(temp);
	return true;
	}
	} else if (optional) {
	*sys_ptr = 0;
	return true;
	}
	return false;
	}

	} // namespace

	#endif // MOJO_NACL_MOJO_SYSCALL_INTERNAL_H_