Bug 1624138 - Bump to latest rlbox that fixes partial specialization err in clang11 + libc++. r=froydnj

Differential Revision: https://phabricator.services.mozilla.com/D68290 --HG-- extra : moz-landing-system : lando
2024-10-08 19:04:45 +00:00 · 2020-03-27 14:07:33 +00:00 · 2020-03-27 14:07:33 +00:00 · 0cda85b4cc
commit 0cda85b4cc
parent b5f7fb3be7
5 changed files with 111 additions and 10 deletions
--- a/third_party/rlbox/README-mozilla
+++ b/third_party/rlbox/README-mozilla
@ -1,7 +1,7 @@
 This directory contains the rlbox source from the upstream repo:
 https://github.com/PLSysSec/rlbox_sandboxing_api/

-Current version: [commit b584b89a61905e79d9af86f807536c059ab5927c]
+Current version: [commit f1e6740d7b1f3ddd7ed2bc8fb173b3ac5973c863]

 UPDATING:

--- a/third_party/rlbox/include/rlbox.hpp
+++ b/third_party/rlbox/include/rlbox.hpp
@ -583,8 +583,7 @@ private:
  // Template needed to ensure that function isn't instantiated for unsupported
  // types like function pointers which causes compile errors...
  template<typename T2 = T>
-  inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
-    std::size_t count) const
+  inline const void* verify_range_helper(std::size_t count) const
  {
    static_assert(std::is_pointer_v<T>);
    static_assert(detail::is_fundamental_or_enum_v<T_CopyAndVerifyRangeEl>);
@ -601,6 +600,18 @@ private:
    detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(
      start, count * sizeof(T_CopyAndVerifyRangeEl));

+    return start;
+  }
+
+  template<typename T2 = T>
+  inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
+    std::size_t count) const
+  {
+    const void* start = verify_range_helper(count);
+    if (start == nullptr) {
+      return nullptr;
+    }
+
    auto target = std::make_unique<T_CopyAndVerifyRangeEl[]>(count);

    for (size_t i = 0; i < count; i++) {
@ -678,10 +689,10 @@ public:
   * @brief Copy a tainted pointer from sandbox and verify the address.
   *
   * This function is useful if you need to verify physical bits representing
-   * the address of a pointed to since copy_and_verify performs a deep copy and
-   * changes the address bits.
+   * the address of a pointer. Other APIs such as copy_and_verify performs a
+   * deep copy and changes the address bits.
   *
-   * @param verifer Function used to verify the copied value.
+   * @param verifier Function used to verify the copied value.
   * @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
   * @return Whatever the verifier function returns.
   */
@ -693,6 +704,29 @@ public:
    auto val = reinterpret_cast<uintptr_t>(impl().get_raw_value());
    return verifier(val);
  }
+
+  /**
+   * @brief Copy a tainted pointer to a buffer from sandbox and verify the
+   * address.
+   *
+   * This function is useful if you need to verify physical bits representing
+   * the address of a buffer. Other APIs such as copy_and_verify performs a
+   * deep copy and changes the address bits.
+   *
+   * @param verifier Function used to verify the copied value.
+   * @param size Size of the buffer. Buffer with length size is expected to fit
+   * inside sandbox memory.
+   * @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
+   * @return Whatever the verifier function returns.
+   */
+  template<typename T_Func>
+  inline auto copy_and_verify_buffer_address(T_Func verifier, std::size_t size)
+  {
+    static_assert(std::is_pointer_v<T>,
+                  "copy_and_verify_address must be used on pointers");
+    auto val = reinterpret_cast<uintptr_t>(verify_range_helper(size));
+    return verifier(val);
+  }
 };

 #define BinaryOpWrappedRhs(opSymbol)                                           \
--- a/third_party/rlbox/include/rlbox_stdlib.hpp
+++ b/third_party/rlbox/include/rlbox_stdlib.hpp
@ -168,4 +168,36 @@ inline T_Wrap<T_Rhs*, T_Sbx> memcpy(rlbox_sandbox<T_Sbx>& sandbox,
  return dest;
 }

+/**
+ * @brief Compare data in sandbox memory area.
+ */
+template<typename T_Sbx, typename T_Rhs, typename T_Lhs, typename T_Num>
+inline tainted_int_hint memcmp(rlbox_sandbox<T_Sbx>& sandbox,
+                               T_Rhs&& dest,
+                               T_Lhs&& src,
+                               T_Num&& num)
+{
+  static_assert(
+    detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Rhs>> ||
+      detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Lhs>>,
+    "memcmp called on non wrapped type");
+
+  auto num_val = detail::unwrap_value(num);
+  detail::dynamic_check(num_val <= sandbox.get_total_memory(),
+                        "Called memcmp for memory larger than the sandbox");
+
+  void* dest_start = dest.INTERNAL_unverified_safe();
+  detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val);
+
+  // src also needs to be checked, as we don't want to allow a src rand to start
+  // inside the sandbox and end outside, and vice versa
+  // src may or may not be a wrapper, so use unwrap_value
+  const void* src_start = detail::unwrap_value(src);
+  detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src_start, num_val);
+
+  int ret = std::memcmp(dest_start, src_start, num_val);
+  tainted_int_hint converted_ret(ret);
+  return converted_ret;
+}
+
 }
--- a/third_party/rlbox/include/rlbox_type_traits.hpp
+++ b/third_party/rlbox/include/rlbox_type_traits.hpp
@ -383,7 +383,7 @@ namespace convert_detail {
    T_LongLongType,
    T_PointerType,
    std::enable_if_t<std::is_unsigned_v<T> && !std::is_same_v<T, bool> &&
-                     !std::is_const_v<T>>>
+                     !std::is_const_v<T> && !std::is_enum_v<T>>>
  {
    using type = std::make_unsigned_t<
      typename convert_base_types_t_helper<std::make_signed_t<T>,
@ -407,9 +407,10 @@ namespace convert_detail {
    T_LongType,
    T_LongLongType,
    T_PointerType,
-    std::enable_if_t<(std::is_same_v<bool, T> || std::is_same_v<void, T> ||
-                      std::is_same_v<char, T> || std::is_floating_point_v<T> ||
-                      std::is_enum_v<T>)&&!std::is_const_v<T>>>
+    std::enable_if_t<(
+      std::is_same_v<bool, T> || std::is_same_v<void, T> ||
+      std::is_same_v<char, T> || std::is_same_v<signed char, T> ||
+      std::is_floating_point_v<T> || std::is_enum_v<T>)&&!std::is_const_v<T>>>
  {
    using type = T;
  };
--- a/third_party/rlbox/include/rlbox_types.hpp
+++ b/third_party/rlbox/include/rlbox_types.hpp
@ -51,6 +51,40 @@ public:
  inline auto INTERNAL_unverified_safe() const { return UNSAFE_unverified(); }
 };

+/**
+ * @brief Tainted integer value that serves as a "hint" and not a definite
+ * answer.  Comparisons with a tainted_volatile return such hints.  They are
+ * not `tainted<int>` values because a compromised sandbox can modify
+ * tainted_volatile data at any time.
+ */
+class tainted_int_hint
+{
+private:
+  int val;
+
+public:
+  tainted_int_hint(int init)
+    : val(init)
+  {}
+  tainted_int_hint(const tainted_int_hint&) = default;
+  inline tainted_int_hint& operator=(int rhs)
+  {
+    val = rhs;
+    return *this;
+  }
+  inline tainted_boolean_hint operator!() { return tainted_boolean_hint(!val); }
+  template<size_t N>
+  inline int unverified_safe_because(const char (&reason)[N]) const
+  {
+    (void)reason; /* unused */
+    return val;
+  }
+  inline int UNSAFE_unverified() const { return val; }
+  inline int UNSAFE_unverified() { return val; }
+  inline auto INTERNAL_unverified_safe() { return UNSAFE_unverified(); }
+  inline auto INTERNAL_unverified_safe() const { return UNSAFE_unverified(); }
+};
+
 template<typename T_Sbx>
 class rlbox_sandbox;