| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Firefox/third_party/rlbox/include/ (Browser von der Mozilla Stiftung Version 136.0.1©) Datei vom 10.2.2025 mit Größe 12 kB |
|
Quelle rlbox_stdlib.hpp Sprache: C |
|||||||||||||||
|
#pragma once // IWYU pragma: private, include "rlbox.hpp" // IWYU pragma: friend "rlbox_.*\.hpp" #include <cstring> #include <type_traits> #include "rlbox_helpers.hpp" #include "rlbox_types.hpp" #include "rlbox_unwrap.hpp" #include "rlbox_wrapper_traits.hpp" namespace rlbox { #define KEEP_CAST_FRIENDLY \ template<typename T_C_Lhs, \ typename T_C_Rhs, \ typename T_C_Sbx, \ template<typename, typename> \ typename T_C_Wrap> \ friend inline tainted<T_C_Lhs, T_C_Sbx> sandbox_reinterpret_cast( \ const T_C_Wrap<T_C_Rhs, T_C_Sbx>& rhs) noexcept; \ \ template<typename T_C_Lhs, \ typename T_C_Rhs, \ typename T_C_Sbx, \ template<typename, typename> \ typename T_C_Wrap> \ friend inline tainted<T_C_Lhs, T_C_Sbx> sandbox_const_cast( \ const T_C_Wrap<T_C_Rhs, T_C_Sbx>& rhs) noexcept; \ \ template<typename T_C_Lhs, \ typename T_C_Rhs, \ typename T_C_Sbx, \ template<typename, typename> \ typename T_C_Wrap> \ friend inline tainted<T_C_Lhs, T_C_Sbx> sandbox_static_cast( \ const T_C_Wrap<T_C_Rhs, T_C_Sbx>& rhs) noexcept; /** * @brief The equivalent of a reinterpret_cast but operates on sandboxed values. */ template<typename T_Lhs, typename T_Rhs, typename T_Sbx, template<typename, typename> typename T_Wrap> inline tainted<T_Lhs, T_Sbx> sandbox_reinterpret_cast( const T_Wrap<T_Rhs, T_Sbx>& rhs) noexcept { static_assert(detail::rlbox_is_wrapper_v<T_Wrap<T_Rhs, T_Sbx>> && std::is_pointer_v<T_Lhs> && std::is_pointer_v<T_Rhs>, "sandbox_reinterpret_cast on incompatible types"); tainted<T_Rhs, T_Sbx> taintedVal = rhs; auto raw = reinterpret_cast<T_Lhs>(taintedVal.INTERNAL_unverified_safe()); auto ret = tainted<T_Lhs, T_Sbx>::internal_factory(raw); return ret; } /** * @brief The equivalent of a const_cast but operates on sandboxed values. */ template<typename T_Lhs, typename T_Rhs, typename T_Sbx, template<typename, typename> typename T_Wrap> inline tainted<T_Lhs, T_Sbx> sandbox_const_cast( const T_Wrap<T_Rhs, T_Sbx>& rhs) noexcept { static_assert(detail::rlbox_is_wrapper_v<T_Wrap<T_Rhs, T_Sbx>>, "sandbox_const_cast on incompatible types"); tainted<T_Rhs, T_Sbx> taintedVal = rhs; auto raw = const_cast<T_Lhs>(taintedVal.INTERNAL_unverified_safe()); auto ret = tainted<T_Lhs, T_Sbx>::internal_factory(raw); return ret; } /** * @brief The equivalent of a static_cast but operates on sandboxed values. */ template<typename T_Lhs, typename T_Rhs, typename T_Sbx, template<typename, typename> typename T_Wrap> inline tainted<T_Lhs, T_Sbx> sandbox_static_cast( const T_Wrap<T_Rhs, T_Sbx>& rhs) noexcept { static_assert(detail::rlbox_is_wrapper_v<T_Wrap<T_Rhs, T_Sbx>>, "sandbox_static_cast on incompatible types"); tainted<T_Rhs, T_Sbx> taintedVal = rhs; auto raw = static_cast<T_Lhs>(taintedVal.INTERNAL_unverified_safe()); auto ret = tainted<T_Lhs, T_Sbx>::internal_factory(raw); return ret; } /** * @brief Fill sandbox memory with a constant byte. */ template<typename T_Sbx, typename T_Rhs, typename T_Val, typename T_Num, template<typename, typename> typename T_Wrap> inline T_Wrap<T_Rhs*, T_Sbx> memset(rlbox_sandbox<T_Sbx>& sandbox, T_Wrap<T_Rhs*, T_Sbx> ptr, T_Val value, T_Num num) { static_assert(detail::rlbox_is_tainted_or_vol_v<T_Wrap<T_Rhs, T_Sbx>>, "memset called on non wrapped type"); static_assert(!std::is_const_v<T_Rhs>, "Destination is const"); auto num_val = detail::unwrap_value(num); detail::dynamic_check(num_val <= sandbox.get_total_memory(), "Called memset for memory larger than the sandbox"); tainted<T_Rhs*, T_Sbx> ptr_tainted = ptr; void* dest_start = ptr_tainted.INTERNAL_unverified_safe(); detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val); std::memset(dest_start, detail::unwrap_value(value), num_val); return ptr; } /** * @brief types that do not need to be adjusted to fix ABI differences. * Currently these are only char, wchar, float, and double */ template<typename T> static constexpr bool can_type_be_memcopied = std::is_same_v<char, std::remove_cv_t<T>> || std::is_same_v<wchar_t, std::remove_cv_t<T>> || std::is_same_v<float, std::remove_cv_t<T>> || std::is_same_v<double, std::remove_cv_t<T>> || std::is_same_v<char16_t, std::remove_cv_t<T>> || std::is_same_v<short, std::remove_cv_t<T>>; /** * @brief Copy to sandbox memory area. Note that memcpy is meant to be called on * byte arrays does not adjust data according to ABI differences. If the * programmer does accidentally call memcpy on buffers that needs ABI * adjustment, this may cause compatibility issues, but will not cause a * security issue as the destination is always a tainted or tainted_volatile * pointer */ template<typename T_Sbx, typename T_Rhs, typename T_Lhs, typename T_Num, template<typename, typename> typename T_Wrap> inline T_Wrap<T_Rhs*, T_Sbx> memcpy(rlbox_sandbox<T_Sbx>& sandbox, T_Wrap<T_Rhs*, T_Sbx> dest, T_Lhs src, T_Num num) { static_assert(detail::rlbox_is_tainted_or_vol_v<T_Wrap<T_Rhs, T_Sbx>>, "memcpy called on non wrapped type"); static_assert(!std::is_const_v<T_Rhs>, "Destination is const"); auto num_val = detail::unwrap_value(num); detail::dynamic_check(num_val <= sandbox.get_total_memory(), "Called memcpy for memory larger than the sandbox"); tainted<T_Rhs*, T_Sbx> dest_tainted = dest; void* dest_start = dest_tainted.INTERNAL_unverified_safe(); detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val); // src also needs to be checked, as we don't want to allow a src rand to start // inside the sandbox and end outside, and vice versa // src may or may not be a wrapper, so use unwrap_value const void* src_start = detail::unwrap_value(src); detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src_start, num_val); std::memcpy(dest_start, src_start, num_val); return dest; } /** * @brief Compare data in sandbox memory area. */ template<typename T_Sbx, typename T_Rhs, typename T_Lhs, typename T_Num> inline tainted_int_hint memcmp(rlbox_sandbox<T_Sbx>& sandbox, T_Rhs&& dest, T_Lhs&& src, T_Num&& num) { static_assert( detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Rhs>> || detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Lhs>>, "memcmp called on non wrapped type"); auto num_val = detail::unwrap_value(num); detail::dynamic_check(num_val <= sandbox.get_total_memory(), "Called memcmp for memory larger than the sandbox"); void* dest_start = dest.INTERNAL_unverified_safe(); detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val); // src also needs to be checked, as we don't want to allow a src rand to start // inside the sandbox and end outside, and vice versa // src may or may not be a wrapper, so use unwrap_value const void* src_start = detail::unwrap_value(src); detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src_start, num_val); int ret = std::memcmp(dest_start, src_start, num_val); tainted_int_hint converted_ret(ret); return converted_ret; } /** * @brief This function either * - copies the given buffer into the sandbox calling delete on the src * OR * - if the sandbox allows, adds the buffer to the existing sandbox memory * @param sandbox Target sandbox * @param src Raw pointer to the buffer * @param num Number of T-sized elements in the buffer * @param free_source_on_copy If the source buffer was copied, this variable * controls whether copy_memory_or_grant_access should call delete on the src. * This calls delete[] if num > 1. * @param copied out parameter indicating if the source was copied or transfered */ template<typename T_Sbx, typename T> tainted<T*, T_Sbx> copy_memory_or_grant_access(rlbox_sandbox<T_Sbx>& sandbox, T* src, size_t num, bool free_source_on_copy, bool& copied) { copied = false; // This function is meant for byte buffers only static_assert(can_type_be_memcopied<std::remove_pointer_t<T>>, "copy_memory_or_grant_access not supported on this type as " "there may be ABI differences"); // overflow ok size_t source_size = num * sizeof(T); // sandbox can grant access if it includes the following line // using can_grant_deny_access = void; if constexpr (detail::has_member_using_can_grant_deny_access_v<T_Sbx>) { detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src, source_size); bool success; auto ret = sandbox.INTERNAL_grant_access(src, num, success); if (success) { return ret; } } // Malloc in sandbox takes a uint32_t as the parameter, need a bounds check detail::dynamic_check(num <= std::numeric_limits<uint32_t>::max(), "Granting access too large a region"); using T_nocv = std::remove_cv_t<T>; tainted<T_nocv*, T_Sbx> copy = sandbox.template malloc_in_sandbox<T_nocv>(static_cast<uint32_t>(num)); if (!copy) { return nullptr; } rlbox::memcpy(sandbox, copy, src, source_size); if (free_source_on_copy) { free(const_cast<void*>(reinterpret_cast<const void*>(src))); } copied = true; return sandbox_const_cast<T*>(copy); } /** * @brief This function either * - copies the given buffer out of the sandbox calling free_in_sandbox on the * src * OR * - if the sandbox allows, moves the buffer out of existing sandbox memory * @param sandbox Target sandbox * @param src Raw pointer to the buffer * @param num Number of T-sized elements in the buffer * @param free_source_on_copy If the source buffer was copied, this variable * controls whether copy_memory_or_deny_access should call delete on the src. * This calls delete[] if num > 1. * @param copied out parameter indicating if the source was copied or transfered */ template<typename T_Sbx, typename T, template<typename, typename> typename T_Wrap> T* copy_memory_or_deny_access(rlbox_sandbox<T_Sbx>& sandbox, T_Wrap<T*, T_Sbx> src, size_t num, bool free_source_on_copy, bool& copied) { copied = false; // This function is meant for byte buffers only - so char and char16 static_assert(can_type_be_memcopied<std::remove_pointer_t<T>>, "copy_memory_or_deny_access not supported on this type as " "there may be ABI differences"); // overflow ok size_t source_size = num * sizeof(T); // sandbox can grant access if it includes the following line // using can_grant_deny_access = void; if constexpr (detail::has_member_using_can_grant_deny_access_v<T_Sbx>) { detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>( src.INTERNAL_unverified_safe(), source_size); bool success; auto ret = sandbox.INTERNAL_deny_access(src, num, success); if (success) { return ret; } } auto copy = static_cast<T*>(malloc(source_size)); if (!copy) { return nullptr; } tainted<T*, T_Sbx> src_tainted = src; char* src_raw = src_tainted.copy_and_verify_buffer_address( [](uintptr_t val) { return reinterpret_cast<char*>(val); }, num); std::memcpy(copy, src_raw, source_size); if (free_source_on_copy) { sandbox.free_in_sandbox(src); } copied = true; return copy; } }
¤ Dauer der Verarbeitung: 0.4 Sekunden ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-02