| // Copyright 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Helper routines to call function pointers stored in protected memory with |
| // Control Flow Integrity indirect call checking disabled. Some indirect calls, |
| // e.g. dynamically resolved symbols in another DSO, can not be accounted for by |
| // CFI-icall. These routines allow those symbols to be called without CFI-icall |
| // checking safely by ensuring that they are placed in protected memory. |
| |
| #ifndef BASE_MEMORY_PROTECTED_MEMORY_CFI_H_ |
| #define BASE_MEMORY_PROTECTED_MEMORY_CFI_H_ |
| |
| #include <utility> |
| |
| #include "base/cfi_buildflags.h" |
| #include "base/compiler_specific.h" |
| #include "base/macros.h" |
| #include "base/memory/protected_memory.h" |
| #include "build/build_config.h" |
| |
| #if BUILDFLAG(CFI_ICALL_CHECK) && !PROTECTED_MEMORY_ENABLED |
| #error "CFI-icall enabled for platform without protected memory support" |
| #endif // BUILDFLAG(CFI_ICALL_CHECK) && !PROTECTED_MEMORY_ENABLED |
| |
| namespace base { |
| namespace internal { |
| |
| // This class is used to exempt calls to function pointers stored in |
| // ProtectedMemory from cfi-icall checking. It's not secure to use directly, it |
| // should only be used by the UnsanitizedCfiCall() functions below. Given an |
| // UnsanitizedCfiCall object, you can use operator() to call the encapsulated |
| // function pointer without cfi-icall checking. |
| template <typename FunctionType> |
| class UnsanitizedCfiCall { |
| public: |
| explicit UnsanitizedCfiCall(FunctionType function) : function_(function) {} |
| UnsanitizedCfiCall(UnsanitizedCfiCall&&) = default; |
| |
| template <typename... Args> |
| NO_SANITIZE("cfi-icall") |
| auto operator()(Args&&... args) { |
| return function_(std::forward<Args>(args)...); |
| } |
| |
| private: |
| FunctionType function_; |
| |
| DISALLOW_IMPLICIT_CONSTRUCTORS(UnsanitizedCfiCall); |
| }; |
| |
| } // namespace internal |
| |
| // These functions can be used to call function pointers in ProtectedMemory |
| // without cfi-icall checking. They are intended to be used to create an |
| // UnsanitizedCfiCall object and immediately call it. UnsanitizedCfiCall objects |
| // should not initialized directly or stored because they hold a function |
| // pointer that will be called without CFI-icall checking in mutable memory. The |
| // functions can be used as shown below: |
| |
| // ProtectedMemory<void (*)(int)> p; |
| // UnsanitizedCfiCall(p)(5); /* In place of (*p)(5); */ |
| |
| template <typename T> |
| auto UnsanitizedCfiCall(const ProtectedMemory<T>& PM) { |
| #if PROTECTED_MEMORY_ENABLED |
| DCHECK(&PM >= ProtectedMemoryStart && &PM < ProtectedMemoryEnd); |
| #endif // PROTECTED_MEMORY_ENABLED |
| return internal::UnsanitizedCfiCall<T>(*PM); |
| } |
| |
| // struct S { void (*fp)(int); } s; |
| // ProtectedMemory<S> p; |
| // UnsanitizedCfiCall(p, &S::fp)(5); /* In place of p->fp(5); */ |
| |
| template <typename T, typename Member> |
| auto UnsanitizedCfiCall(const ProtectedMemory<T>& PM, Member member) { |
| #if PROTECTED_MEMORY_ENABLED |
| DCHECK(&PM >= ProtectedMemoryStart && &PM < ProtectedMemoryEnd); |
| #endif // PROTECTED_MEMORY_ENABLED |
| return internal::UnsanitizedCfiCall<decltype(*PM.*member)>(*PM.*member); |
| } |
| |
| } // namespace base |
| |
| #endif // BASE_MEMORY_PROTECTED_MEMORY_CFI_H_ |
