authormseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-05-09 13:53:08 +0000
committermseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-05-09 13:53:08 +0000
commitf6c52338609c76cf8b7b68fafd27834e48d10f90 (patch)
tree222d30abca1647957183d684ba885d3d93ffba92 /components/nacl/loader
parentf52e9d89fde6240c2bb0ba4d2b7002eebc488474 (diff)
Non-SFI NaCl: Avoid exposing validation caching key to Non-SFI nexes
This per-profile key is an extra input into the hashing that NaCl's validation cache does. Hiding this key means that even if we did accidentally expose SetKnownToValidate() to Non-SFI nexes, the nexe wouldn't be able to create a hole in the SFI NaCl sandbox. We should hide this key to reduce the attacker's ability to generate collisions in hash-based caching. Also hide some other startup parameters that aren't relevant to Non-SFI mode. BUG=367263 TEST=browser_tests R=jln@chromium.org Review URL: https://codereview.chromium.org/275513002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269270 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'components/nacl/loader')
-rw-r--r--components/nacl/loader/nacl_listener.cc14
1 files changed, 10 insertions, 4 deletions
diff --git a/components/nacl/loader/nacl_listener.cc b/components/nacl/loader/nacl_listener.cc
index f49e3f3..e7b8f4c 100644
--- a/components/nacl/loader/nacl_listener.cc
+++ b/components/nacl/loader/nacl_listener.cc
@@ -375,10 +375,16 @@ void NaClListener::OnStart(const nacl::NaClStartParams& params) {
#if defined(OS_LINUX)
if (uses_nonsfi_mode_) {
- if (params.uses_irt) {
- LOG(ERROR) << "IRT must not be used for non-SFI NaCl.";
- return;
- }
+ // Ensure that the validation cache key (used as an extra input to the
+ // validation cache's hashing) isn't exposed accidentally.
+ CHECK(!params.validation_cache_enabled);
+ CHECK(params.validation_cache_key.size() == 0);
+ CHECK(params.version.size() == 0);
+ // Ensure that a debug stub FD isn't passed through accidentally.
+ CHECK(!params.enable_debug_stub);
+ CHECK(params.debug_stub_server_bound_socket.fd == -1);
+
+ CHECK(!params.uses_irt);
CHECK(handles.size() == 1);
int imc_bootstrap_handle = nacl::ToNativeHandle(handles[0]);
nacl::nonsfi::MainStart(imc_bootstrap_handle);