blob: 1f0a72f6be42816908c7d6a957cfa5ef1c1fe911 [file] [log] [blame]
// Copyright 2020 The Fuchsia Authors
//
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file or at
// https://opensource.org/licenses/MIT
#include "object/handle_table.h"
#include <lib/crypto/global_prng.h>
#include <object/job_dispatcher.h>
constexpr uint32_t kHandleMustBeOneMask = ((0x1u << kHandleReservedBits) - 1);
static_assert(kHandleMustBeOneMask == ZX_HANDLE_FIXED_BITS_MASK,
"kHandleMustBeOneMask must match ZX_HANDLE_FIXED_BITS_MASK!");
static zx_handle_t map_handle_to_value(const Handle* handle, uint32_t mixer) {
// Ensure that the last two bits of the result is not zero, and make sure we
// don't lose any base_value bits when shifting.
constexpr uint32_t kBaseValueMustBeZeroMask =
(kHandleMustBeOneMask << ((sizeof(handle->base_value()) * 8) - kHandleReservedBits));
DEBUG_ASSERT((mixer & kHandleMustBeOneMask) == 0);
DEBUG_ASSERT((handle->base_value() & kBaseValueMustBeZeroMask) == 0);
auto handle_id = (handle->base_value() << kHandleReservedBits) | kHandleMustBeOneMask;
return static_cast<zx_handle_t>(mixer ^ handle_id);
}
static Handle* map_value_to_handle(zx_handle_t value, uint32_t mixer) {
// Validate that the "must be one" bits are actually one.
if ((value & kHandleMustBeOneMask) != kHandleMustBeOneMask) {
return nullptr;
}
uint32_t handle_id = (static_cast<uint32_t>(value) ^ mixer) >> kHandleReservedBits;
return Handle::FromU32(handle_id);
}
HandleTable::HandleTable() : koid_(KernelObjectId::Generate()) {
// Generate handle XOR mask with top bit and bottom two bits cleared
uint32_t secret;
auto prng = crypto::global_prng::GetInstance();
prng->Draw(&secret, sizeof(secret));
// Handle values must always have the low kHandleReservedBits set. Do not
// ever attempt to toggle these bits using the random_value_ xor mask.
random_value_ = secret << kHandleReservedBits;
}
HandleTable::~HandleTable() {
DEBUG_ASSERT(handles_.is_empty());
DEBUG_ASSERT(count_ == 0);
DEBUG_ASSERT(cursors_.is_empty());
}
void HandleTable::Clean() {
HandleList to_clean;
{
Guard<BrwLockPi, BrwLockPi::Writer> guard{&lock_};
for (auto& cursor : cursors_) {
cursor.Invalidate();
}
for (auto& handle : handles_) {
handle.set_handle_table_id(ZX_KOID_INVALID);
}
count_ = 0;
to_clean.swap(handles_);
}
// This needs to be done outside of the critical section above.
while (!to_clean.is_empty()) {
// Delete handle via HandleOwner dtor.
HandleOwner ho(to_clean.pop_front());
}
}
zx_handle_t HandleTable::MapHandleToValue(const Handle* handle) const {
return map_handle_to_value(handle, random_value_);
}
zx_handle_t HandleTable::MapHandleToValue(const HandleOwner& handle) const {
return map_handle_to_value(handle.get(), random_value_);
}
Handle* HandleTable::GetHandleLocked(ProcessDispatcher* caller, zx_handle_t handle_value) {
auto handle = map_value_to_handle(handle_value, random_value_);
if (handle && handle->handle_table_id() == koid_) {
return handle;
}
if (likely(caller)) {
// Handle lookup failed. We potentially generate an exception or kill the process,
// depending on the job policy. Note that we don't use the return value from
// EnforceBasicPolicy() here: ZX_POL_ACTION_ALLOW and ZX_POL_ACTION_DENY are equivalent for
// ZX_POL_BAD_HANDLE.
__UNUSED auto result = caller->EnforceBasicPolicy(ZX_POL_BAD_HANDLE);
}
return nullptr;
}
uint32_t HandleTable::HandleCount() const {
Guard<BrwLockPi, BrwLockPi::Reader> guard{&lock_};
return count_;
}
void HandleTable::AddHandle(HandleOwner handle) {
Guard<BrwLockPi, BrwLockPi::Writer> guard{&lock_};
AddHandleLocked(ktl::move(handle));
}
void HandleTable::AddHandleLocked(HandleOwner handle) {
handle->set_handle_table_id(koid_);
handles_.push_front(handle.release());
count_++;
}
HandleOwner HandleTable::RemoveHandleLocked(Handle* handle) {
DEBUG_ASSERT(count_ > 0);
handle->set_handle_table_id(ZX_KOID_INVALID);
// Make sure we don't leave any dangling cursors.
for (auto& cursor : cursors_) {
// If it points to |handle|, skip over it.
cursor.AdvanceIf(handle);
}
handles_.erase(*handle);
count_--;
return HandleOwner(handle);
}
HandleOwner HandleTable::RemoveHandle(ProcessDispatcher& caller, zx_handle_t handle_value) {
Guard<BrwLockPi, BrwLockPi::Writer> guard{&lock_};
return RemoveHandleLocked(caller, handle_value);
}
HandleOwner HandleTable::RemoveHandleLocked(ProcessDispatcher& caller, zx_handle_t handle_value) {
auto handle = GetHandleLocked(caller, handle_value);
if (!handle)
return nullptr;
return RemoveHandleLocked(handle);
}
zx_status_t HandleTable::RemoveHandles(ProcessDispatcher& caller,
ktl::span<const zx_handle_t> handles) {
zx_status_t status = ZX_OK;
Guard<BrwLockPi, BrwLockPi::Writer> guard{get_lock()};
for (zx_handle_t handle_value : handles) {
if (handle_value == ZX_HANDLE_INVALID)
continue;
auto handle = RemoveHandleLocked(caller, handle_value);
if (!handle)
status = ZX_ERR_BAD_HANDLE;
}
return status;
}
zx_koid_t HandleTable::GetKoidForHandle(ProcessDispatcher& caller, zx_handle_t handle_value) {
Guard<BrwLockPi, BrwLockPi::Reader> guard{&lock_};
Handle* handle = GetHandleLocked(caller, handle_value);
if (!handle)
return ZX_KOID_INVALID;
return handle->dispatcher()->get_koid();
}
zx_status_t HandleTable::GetDispatcherInternal(ProcessDispatcher& caller, zx_handle_t handle_value,
fbl::RefPtr<Dispatcher>* dispatcher,
zx_rights_t* rights) {
Guard<BrwLockPi, BrwLockPi::Reader> guard{&lock_};
Handle* handle = GetHandleLocked(caller, handle_value);
if (!handle)
return ZX_ERR_BAD_HANDLE;
*dispatcher = handle->dispatcher();
if (rights)
*rights = handle->rights();
return ZX_OK;
}
zx_status_t HandleTable::GetHandleInfo(fbl::Array<zx_info_handle_extended_t>* handles) const {
for (;;) {
size_t count = HandleCount();
// TODO: Bug 45685. This memory allocation should come from a different pool since it
// can be larger than one page.
fbl::AllocChecker ac;
handles->reset(new (&ac) zx_info_handle_extended_t[count], count);
if (!ac.check()) {
return ZX_ERR_NO_MEMORY;
}
{
Guard<BrwLockPi, BrwLockPi::Reader> guard{&lock_};
if (count != count_) {
continue;
}
size_t index = 0;
ForEachHandleLocked([&](zx_handle_t handle, zx_rights_t rights, const Dispatcher* disp) {
auto& entry = (*handles)[index++];
entry = {disp->get_type(), handle, rights, 0u, disp->get_koid(),
disp->get_related_koid(), 0u};
return ZX_OK;
});
}
return ZX_OK;
}
}
HandleTable::HandleCursor::HandleCursor(HandleTable* handle_table) : handle_table_(handle_table) {
Guard<BrwLockPi, BrwLockPi::Writer> guard{&handle_table_->lock_};
if (!handle_table_->handles_.is_empty()) {
iter_ = handle_table_->handles_.begin();
} else {
iter_ = handle_table_->handles_.end();
}
// Register so this cursor can be invalidated or advanced if the handle it points to is removed.
handle_table_->cursors_.push_front(this);
}
HandleTable::HandleCursor::~HandleCursor() {
Guard<BrwLockPi, BrwLockPi::Writer> guard{&handle_table_->lock_};
handle_table_->cursors_.erase(*this);
}
void HandleTable::HandleCursor::Invalidate() { iter_ = handle_table_->handles_.end(); }
Handle* HandleTable::HandleCursor::Next() {
if (iter_ == handle_table_->handles_.end()) {
return nullptr;
}
Handle* result = &*iter_;
// See the note about thread-safety in |HandleCursor|'s class comment for an explanation of why
// thread-safety analysis is suppressed.
[this]() TA_NO_THREAD_SAFETY_ANALYSIS { iter_++; }();
return result;
}
void HandleTable::HandleCursor::AdvanceIf(const Handle* h) {
if (iter_ != handle_table_->handles_.end()) {
if (&*iter_ == h) {
iter_++;
}
}
}