Linux sandbox: Add WriteRemoteData() and ReadFilePathFromRemoteProcess()

These wrap the process_vm_writev() and process_vm_readv() syscalls which write to another process's memory (as long the caller has ptrace privileges for the target process). This is necessary for the USER_NOTIF broker to read syscall params and write to syscall outparams. Bug: 1117351 Change-Id: I5b85884eb7f7545598affe91f3e4ec4cb6a569b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407010Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Matthew Denton <mpdenton@chromium.org> Cr-Commit-Position: refs/heads/master@{#810865}

Linux sandbox: Add WriteRemoteData() and ReadFilePathFromRemoteProcess()
These wrap the process_vm_writev() and process_vm_readv() syscalls which write to another process's memory (as long the caller has ptrace privileges for the target process). This is necessary for the USER_NOTIF broker to read syscall params and write to syscall outparams. Bug: 1117351 Change-Id: I5b85884eb7f7545598affe91f3e4ec4cb6a569b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407010Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Matthew Denton <mpdenton@chromium.org> Cr-Commit-Position: refs/heads/master@{#810865}
682e7be7 · Matthew Denton · Commit Bot · 5d08add3 · 682e7be7 · 682e7be7
Commit 682e7be7 authored Sep 26, 2020 by Matthew Denton Committed by Commit Bot Sep 26, 2020
4 changed files
--- a/sandbox/linux/BUILD.gn
+++ b/sandbox/linux/BUILD.gn
@@ -103,6 +103,7 @@ source_set("sandbox_linux_unittests_sources") {
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "syscall_broker/broker_simple_message_unittest.cc",
+    "syscall_broker/remote_syscall_arg_handler_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
@@ -358,6 +359,8 @@ component("sandbox_services") {
    "syscall_broker/broker_process.h",
    "syscall_broker/broker_simple_message.cc",
    "syscall_broker/broker_simple_message.h",
+    "syscall_broker/remote_syscall_arg_handler.cc",
+    "syscall_broker/remote_syscall_arg_handler.h",
    "syscall_broker/syscall_dispatcher.cc",
    "syscall_broker/syscall_dispatcher.h",
  ]
@@ -409,6 +412,8 @@ component("sandbox_services") {
      "syscall_broker/broker_process.h",
      "syscall_broker/broker_simple_message.cc",
      "syscall_broker/broker_simple_message.h",
+      "syscall_broker/remote_syscall_arg_handler.cc",
+      "syscall_broker/remote_syscall_arg_handler.h",
      "syscall_broker/syscall_dispatcher.cc",
      "syscall_broker/syscall_dispatcher.h",
    ]

--- a/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc
+++ b/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/syscall_broker/remote_syscall_arg_handler.h"
+
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#include "base/bits.h"
+#include "base/check_op.h"
+#include "base/containers/span.h"
+#include "base/logging.h"
+#include "base/process/process_metrics.h"
+#include "sandbox/linux/system_headers/linux_seccomp.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+
+namespace sandbox {
+namespace syscall_broker {
+
+RemoteProcessIOResult WriteRemoteData(pid_t pid,
+                                      uintptr_t remote_addr,
+                                      size_t remote_size,
+                                      base::span<char> data) {
+  CHECK_GE(remote_size, data.size());
+
+  base::span<char> remote_span(reinterpret_cast<char*>(remote_addr),
+                               remote_size);
+  struct iovec local_iov = {};
+  struct iovec remote_iov = {};
+
+  while (!data.empty()) {
+    local_iov.iov_base = data.data();
+    local_iov.iov_len = data.size();
+    remote_iov.iov_base = remote_span.data();
+    remote_iov.iov_len = data.size();
+
+    ssize_t bytes_written = syscall(__NR_process_vm_writev, pid, &local_iov,
+                                    1ul, &remote_iov, 1ul, 0ul);
+    if (bytes_written < 0) {
+      if (errno == EFAULT)
+        return RemoteProcessIOResult::kRemoteMemoryInvalid;
+      if (errno == ESRCH)
+        return RemoteProcessIOResult::kRemoteExited;
+      PLOG(ERROR)
+          << "process_vm_writev() failed with unknown error code! Write to pid "
+          << pid << " at remote address " << remote_iov.iov_base
+          << " of length " << data.size() << ". ";
+      return RemoteProcessIOResult::kUnknownError;
+    }
+
+    remote_span = remote_span.subspan(bytes_written);
+    data = data.subspan(bytes_written);
+  }
+
+  return RemoteProcessIOResult::kSuccess;
+}
+
+RemoteProcessIOResult ReadFilePathFromRemoteProcess(pid_t pid,
+                                                    const void* remote_addr,
+                                                    std::string* out_str) {
+  // Most pathnames will be small so avoid copying PATH_MAX bytes every time,
+  // by reading in chunks and checking if the the string ends within the
+  // chunk.
+  char buffer[PATH_MAX];
+  base::span<char> buffer_span(buffer);
+
+  struct iovec local_iov = {};
+  struct iovec remote_iov = {};
+
+  uintptr_t remote_ptr = reinterpret_cast<uintptr_t>(remote_addr);
+
+  for (;;) {
+    uintptr_t bytes_left_in_page = internal::NumBytesLeftInPage(remote_ptr);
+
+    // Read the minimum of the chunk size, remaining local buffer size, and
+    // the number of bytes left in the remote page.
+    size_t bytes_to_read = std::min(
+        {internal::kNumBytesPerChunk, buffer_span.size(), bytes_left_in_page});
+
+    // Set up the iovecs.
+    local_iov.iov_base = buffer_span.data();
+    local_iov.iov_len = bytes_to_read;
+
+    remote_iov.iov_base = reinterpret_cast<void*>(remote_ptr);
+    remote_iov.iov_len = bytes_to_read;
+
+    // The arguments below must include the ul suffix since they need to be
+    // 64-bit values, but syscall() takes varargs and doesn't know to promote
+    // them from 32-bit to 64-bit.
+    ssize_t bytes_read = syscall(__NR_process_vm_readv, pid, &local_iov, 1ul,
+                                 &remote_iov, 1ul, 0ul);
+    if (bytes_read < 0) {
+      if (errno == EFAULT)
+        return RemoteProcessIOResult::kRemoteMemoryInvalid;
+      if (errno == ESRCH)
+        return RemoteProcessIOResult::kRemoteExited;
+      PLOG(ERROR)
+          << "process_vm_readv() failed with unknown error code! Read from pid "
+          << pid << " at remote address " << remote_iov.iov_base
+          << " of length " << bytes_to_read << ". ";
+      return RemoteProcessIOResult::kUnknownError;
+    }
+
+    // We successfully performed a read.
+    remote_ptr += bytes_read;
+    buffer_span = buffer_span.subspan(bytes_read);
+
+    // Check for null byte.
+    char* null_byte_ptr =
+        static_cast<char*>(memchr(local_iov.iov_base, '\0', bytes_read));
+    if (null_byte_ptr) {
+      *out_str = std::string(buffer, null_byte_ptr);
+      return RemoteProcessIOResult::kSuccess;
+    }
+
+    if (buffer_span.empty()) {
+      // If we haven't found a null byte yet and our available buffer space is
+      // empty, stop.
+      LOG(ERROR) << "Read PATH_MAX bytes in sandboxed process and did not find "
+                    "expected null byte.";
+      return RemoteProcessIOResult::kExceededPathMax;
+    }
+  }
+}
+
+namespace internal {
+uintptr_t NumBytesLeftInPage(uintptr_t addr) {
+  const uintptr_t page_end = base::bits::Align(addr + 1, base::GetPageSize());
+  return page_end - addr;
+}
+}  // namespace internal
+}  // namespace syscall_broker
+}  // namespace sandbox
--- a/sandbox/linux/syscall_broker/remote_syscall_arg_handler.h
+++ b/sandbox/linux/syscall_broker/remote_syscall_arg_handler.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SYSCALL_BROKER_REMOTE_SYSCALL_ARG_HANDLER_H_
+#define SANDBOX_LINUX_SYSCALL_BROKER_REMOTE_SYSCALL_ARG_HANDLER_H_
+
+#include <unistd.h>
+
+#include "base/containers/span.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+namespace syscall_broker {
+
+enum class RemoteProcessIOResult {
+  kSuccess,
+  kRemoteExited,
+  kExceededPathMax,
+  kRemoteMemoryInvalid,
+  kUnknownError
+};
+
+// Writes |data| at |remote_addr| in |pid|'s address space. Returns the
+// appropriate result.
+SANDBOX_EXPORT RemoteProcessIOResult WriteRemoteData(pid_t pid,
+                                                     uintptr_t remote_addr,
+                                                     size_t remote_size,
+                                                     base::span<char> data);
+
+// Reads a filepath from |remote_addr| (which points into process |pid|'s memory
+// space) into |*out_str|. Returns the appropriate result.
+// Safety checks should occur before usage of any system call arguments read
+// from a remote address space, so callers should use RemoteSyscallFilepathArgs
+// instead of calling this directly.
+SANDBOX_EXPORT RemoteProcessIOResult
+ReadFilePathFromRemoteProcess(pid_t pid,
+                              const void* remote_addr,
+                              std::string* out_str);
+
+namespace internal {
+// The number of bytes we read from a remote process at a time when reading a
+// remote filepath, to avoid reading PATH_MAX bytes every time.
+const size_t kNumBytesPerChunk = 256;
+
+// Calculates the number of bytes left in a page for a particular address.
+uintptr_t NumBytesLeftInPage(uintptr_t addr);
+}  // namespace internal
+}  // namespace syscall_broker
+}  // namespace sandbox
+
+#endif  // SANDBOX_LINUX_SYSCALL_BROKER_REMOTE_SYSCALL_ARG_HANDLER_H_
--- a/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc
+++ b/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc