mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-08 19:04:45 +00:00
Bug 1624138 - Bump to latest rlbox that fixes partial specialization err in clang11 + libc++. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D68290 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
b5f7fb3be7
commit
0cda85b4cc
2
third_party/rlbox/README-mozilla
vendored
2
third_party/rlbox/README-mozilla
vendored
@ -1,7 +1,7 @@
|
||||
This directory contains the rlbox source from the upstream repo:
|
||||
https://github.com/PLSysSec/rlbox_sandboxing_api/
|
||||
|
||||
Current version: [commit b584b89a61905e79d9af86f807536c059ab5927c]
|
||||
Current version: [commit f1e6740d7b1f3ddd7ed2bc8fb173b3ac5973c863]
|
||||
|
||||
UPDATING:
|
||||
|
||||
|
44
third_party/rlbox/include/rlbox.hpp
vendored
44
third_party/rlbox/include/rlbox.hpp
vendored
@ -583,8 +583,7 @@ private:
|
||||
// Template needed to ensure that function isn't instantiated for unsupported
|
||||
// types like function pointers which causes compile errors...
|
||||
template<typename T2 = T>
|
||||
inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
|
||||
std::size_t count) const
|
||||
inline const void* verify_range_helper(std::size_t count) const
|
||||
{
|
||||
static_assert(std::is_pointer_v<T>);
|
||||
static_assert(detail::is_fundamental_or_enum_v<T_CopyAndVerifyRangeEl>);
|
||||
@ -601,6 +600,18 @@ private:
|
||||
detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(
|
||||
start, count * sizeof(T_CopyAndVerifyRangeEl));
|
||||
|
||||
return start;
|
||||
}
|
||||
|
||||
template<typename T2 = T>
|
||||
inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
|
||||
std::size_t count) const
|
||||
{
|
||||
const void* start = verify_range_helper(count);
|
||||
if (start == nullptr) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
auto target = std::make_unique<T_CopyAndVerifyRangeEl[]>(count);
|
||||
|
||||
for (size_t i = 0; i < count; i++) {
|
||||
@ -678,10 +689,10 @@ public:
|
||||
* @brief Copy a tainted pointer from sandbox and verify the address.
|
||||
*
|
||||
* This function is useful if you need to verify physical bits representing
|
||||
* the address of a pointed to since copy_and_verify performs a deep copy and
|
||||
* changes the address bits.
|
||||
* the address of a pointer. Other APIs such as copy_and_verify performs a
|
||||
* deep copy and changes the address bits.
|
||||
*
|
||||
* @param verifer Function used to verify the copied value.
|
||||
* @param verifier Function used to verify the copied value.
|
||||
* @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
|
||||
* @return Whatever the verifier function returns.
|
||||
*/
|
||||
@ -693,6 +704,29 @@ public:
|
||||
auto val = reinterpret_cast<uintptr_t>(impl().get_raw_value());
|
||||
return verifier(val);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Copy a tainted pointer to a buffer from sandbox and verify the
|
||||
* address.
|
||||
*
|
||||
* This function is useful if you need to verify physical bits representing
|
||||
* the address of a buffer. Other APIs such as copy_and_verify performs a
|
||||
* deep copy and changes the address bits.
|
||||
*
|
||||
* @param verifier Function used to verify the copied value.
|
||||
* @param size Size of the buffer. Buffer with length size is expected to fit
|
||||
* inside sandbox memory.
|
||||
* @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
|
||||
* @return Whatever the verifier function returns.
|
||||
*/
|
||||
template<typename T_Func>
|
||||
inline auto copy_and_verify_buffer_address(T_Func verifier, std::size_t size)
|
||||
{
|
||||
static_assert(std::is_pointer_v<T>,
|
||||
"copy_and_verify_address must be used on pointers");
|
||||
auto val = reinterpret_cast<uintptr_t>(verify_range_helper(size));
|
||||
return verifier(val);
|
||||
}
|
||||
};
|
||||
|
||||
#define BinaryOpWrappedRhs(opSymbol) \
|
||||
|
32
third_party/rlbox/include/rlbox_stdlib.hpp
vendored
32
third_party/rlbox/include/rlbox_stdlib.hpp
vendored
@ -168,4 +168,36 @@ inline T_Wrap<T_Rhs*, T_Sbx> memcpy(rlbox_sandbox<T_Sbx>& sandbox,
|
||||
return dest;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Compare data in sandbox memory area.
|
||||
*/
|
||||
template<typename T_Sbx, typename T_Rhs, typename T_Lhs, typename T_Num>
|
||||
inline tainted_int_hint memcmp(rlbox_sandbox<T_Sbx>& sandbox,
|
||||
T_Rhs&& dest,
|
||||
T_Lhs&& src,
|
||||
T_Num&& num)
|
||||
{
|
||||
static_assert(
|
||||
detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Rhs>> ||
|
||||
detail::rlbox_is_tainted_or_vol_v<detail::remove_cv_ref_t<T_Lhs>>,
|
||||
"memcmp called on non wrapped type");
|
||||
|
||||
auto num_val = detail::unwrap_value(num);
|
||||
detail::dynamic_check(num_val <= sandbox.get_total_memory(),
|
||||
"Called memcmp for memory larger than the sandbox");
|
||||
|
||||
void* dest_start = dest.INTERNAL_unverified_safe();
|
||||
detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val);
|
||||
|
||||
// src also needs to be checked, as we don't want to allow a src rand to start
|
||||
// inside the sandbox and end outside, and vice versa
|
||||
// src may or may not be a wrapper, so use unwrap_value
|
||||
const void* src_start = detail::unwrap_value(src);
|
||||
detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src_start, num_val);
|
||||
|
||||
int ret = std::memcmp(dest_start, src_start, num_val);
|
||||
tainted_int_hint converted_ret(ret);
|
||||
return converted_ret;
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -383,7 +383,7 @@ namespace convert_detail {
|
||||
T_LongLongType,
|
||||
T_PointerType,
|
||||
std::enable_if_t<std::is_unsigned_v<T> && !std::is_same_v<T, bool> &&
|
||||
!std::is_const_v<T>>>
|
||||
!std::is_const_v<T> && !std::is_enum_v<T>>>
|
||||
{
|
||||
using type = std::make_unsigned_t<
|
||||
typename convert_base_types_t_helper<std::make_signed_t<T>,
|
||||
@ -407,9 +407,10 @@ namespace convert_detail {
|
||||
T_LongType,
|
||||
T_LongLongType,
|
||||
T_PointerType,
|
||||
std::enable_if_t<(std::is_same_v<bool, T> || std::is_same_v<void, T> ||
|
||||
std::is_same_v<char, T> || std::is_floating_point_v<T> ||
|
||||
std::is_enum_v<T>)&&!std::is_const_v<T>>>
|
||||
std::enable_if_t<(
|
||||
std::is_same_v<bool, T> || std::is_same_v<void, T> ||
|
||||
std::is_same_v<char, T> || std::is_same_v<signed char, T> ||
|
||||
std::is_floating_point_v<T> || std::is_enum_v<T>)&&!std::is_const_v<T>>>
|
||||
{
|
||||
using type = T;
|
||||
};
|
||||
|
34
third_party/rlbox/include/rlbox_types.hpp
vendored
34
third_party/rlbox/include/rlbox_types.hpp
vendored
@ -51,6 +51,40 @@ public:
|
||||
inline auto INTERNAL_unverified_safe() const { return UNSAFE_unverified(); }
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Tainted integer value that serves as a "hint" and not a definite
|
||||
* answer. Comparisons with a tainted_volatile return such hints. They are
|
||||
* not `tainted<int>` values because a compromised sandbox can modify
|
||||
* tainted_volatile data at any time.
|
||||
*/
|
||||
class tainted_int_hint
|
||||
{
|
||||
private:
|
||||
int val;
|
||||
|
||||
public:
|
||||
tainted_int_hint(int init)
|
||||
: val(init)
|
||||
{}
|
||||
tainted_int_hint(const tainted_int_hint&) = default;
|
||||
inline tainted_int_hint& operator=(int rhs)
|
||||
{
|
||||
val = rhs;
|
||||
return *this;
|
||||
}
|
||||
inline tainted_boolean_hint operator!() { return tainted_boolean_hint(!val); }
|
||||
template<size_t N>
|
||||
inline int unverified_safe_because(const char (&reason)[N]) const
|
||||
{
|
||||
(void)reason; /* unused */
|
||||
return val;
|
||||
}
|
||||
inline int UNSAFE_unverified() const { return val; }
|
||||
inline int UNSAFE_unverified() { return val; }
|
||||
inline auto INTERNAL_unverified_safe() { return UNSAFE_unverified(); }
|
||||
inline auto INTERNAL_unverified_safe() const { return UNSAFE_unverified(); }
|
||||
};
|
||||
|
||||
template<typename T_Sbx>
|
||||
class rlbox_sandbox;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user