-rw-r--r-- | chrome/browser/chrome_content_browser_client.cc | 1 | ||||
-rw-r--r-- | chrome/chrome.gyp | 14 | ||||
-rw-r--r-- | chrome/chrome_common.gypi | 3 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 3 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 1 | ||||
-rw-r--r-- | chrome/common/external_ipc_fuzzer.cc | 39 | ||||
-rw-r--r-- | chrome/common/external_ipc_fuzzer.h | 13 | ||||
-rw-r--r-- | chrome/renderer/chrome_content_renderer_client.cc | 4 | ||||
-rw-r--r-- | chrome/tools/ipclist/ipcfuzz.cc | 690 | ||||
-rw-r--r-- | content/public/renderer/render_thread.h | 2 | ||||
-rw-r--r-- | content/public/test/mock_render_thread.cc | 4 | ||||
-rw-r--r-- | content/public/test/mock_render_thread.h | 2 | ||||
-rw-r--r-- | content/renderer/render_thread_impl.cc | 4 | ||||
-rw-r--r-- | content/renderer/render_thread_impl.h | 2 | ||||
-rw-r--r-- | ipc/ipc_channel_proxy.cc | 4 | ||||
-rw-r--r-- | ipc/ipc_channel_proxy.h | 19 |
16 files changed, 0 insertions, 805 deletions
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index 3b59915..6f65f63 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -1478,7 +1478,6 @@ void ChromeContentBrowserClient::AppendExtraCommandLineSwitches(
 switches::kEnableAdviewSrcAttribute,
 switches::kEnableAppWindowControls,
 switches::kEnableBenchmarking,
- switches::kEnableIPCFuzzing,
 switches::kEnableNaCl,
 switches::kEnableNetBenchmarking,
 switches::kEnableWatchdog,
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index 3ecffc1..da2ac9a 100644
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -808,20 +808,6 @@
 }],
 ],
 },
- {
- 'target_name': 'ipcfuzz',
- 'type': 'loadable_module',
- 'include_dirs': [
- '..',
- ],
- 'dependencies': [
- 'test_support_common',
- '../skia/skia.gyp:skia',
- ],
- 'sources': [
- 'tools/ipclist/ipcfuzz.cc',
- ],
- },
 ],
 }], # OS=="linux"
 ['OS=="win"',
diff --git a/chrome/chrome_common.gypi b/chrome/chrome_common.gypi
index 05ee3b14..2367b4f 100644
--- a/chrome/chrome_common.gypi
+++ b/chrome/chrome_common.gypi
@@ -284,8 +284,6 @@
 'common/extensions/web_accessible_resources_handler.h',
 'common/extensions/webview_handler.cc',
 'common/extensions/webview_handler.h',
- 'common/external_ipc_fuzzer.cc',
- 'common/external_ipc_fuzzer.h',
 'common/favicon/favicon_types.cc',
 'common/favicon/favicon_types.h',
 'common/favicon/favicon_url_parser.cc',
@@ -478,7 +476,6 @@
 ['exclude', '^common/common_param_traits'],
 ['exclude', '^common/custom_handlers/'],
 ['exclude', '^common/extensions/'],
- ['exclude', '^common/external_ipc_fuzzer\\.'],
 ['exclude', '^common/logging_chrome\\.'],
 ['exclude', '^common/multi_process_'],
 ['exclude', '^common/nacl_'],
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 5f154b0..8bdf30c 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -637,9 +637,6 @@ const char kEnableInstantExtendedAPI[] = "enable-instant-extended-api";
 // "disable-ipv6" which appears elswhere in this file.
 const char kEnableIPv6[] = "enable-ipv6";
-/// Enables the IPC fuzzer for reliability testing
-const char kEnableIPCFuzzing[] = "enable-ipc-fuzzing";
-
 // Enables IP Pooling within the networks stack (SPDY only). When a connection
 // is needed for a domain which shares an IP with an existing connection,
 // attempt to use the existing connection.
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 42fad7b..d66d117 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -184,7 +184,6 @@ extern const char kEnableGoogleNowIntegration[];
 extern const char kEnableHttp2Draft04[];
 extern const char kEnableInlineSignin[];
 extern const char kEnableInstantExtendedAPI[];
-extern const char kEnableIPCFuzzing[];
 extern const char kEnableIPPooling[];
 extern const char kEnableIPv6[];
 extern const char kEnableLocalFirstLoadNTP[];
diff --git a/chrome/common/external_ipc_fuzzer.cc b/chrome/common/external_ipc_fuzzer.cc
deleted file mode 100644
index 10416c4..0000000
--- a/chrome/common/external_ipc_fuzzer.cc
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/external_ipc_fuzzer.h"
-
-#if defined(OS_LINUX)
-#include <dlfcn.h>
-
-typedef IPC::ChannelProxy::OutgoingMessageFilter *(*GetFuzzerFunction)();
-const char kFuzzLibraryName[] = "libipcfuzz.so";
-const char kFuzzEntryName[] = "GetFilter";
-#endif
-
-IPC::ChannelProxy::OutgoingMessageFilter* LoadExternalIPCFuzzer() {
- IPC::ChannelProxy::OutgoingMessageFilter* result = NULL;
-
-#if defined(OS_LINUX)
- // Fuzz is currently linux-only feature
- void *fuzz_library = dlopen(kFuzzLibraryName, RTLD_NOW);
- if (fuzz_library) {
- GetFuzzerFunction fuzz_entry_point =
- reinterpret_cast<GetFuzzerFunction>(
- dlsym(fuzz_library, kFuzzEntryName));
-
- if (fuzz_entry_point)
- result = fuzz_entry_point();
- }
-
- if (!result)
- LOG(WARNING) << dlerror() << "\n";
-
-#endif // OS_LINUX
-
- return result;
-}
-
-
-
diff --git a/chrome/common/external_ipc_fuzzer.h b/chrome/common/external_ipc_fuzzer.h
deleted file mode 100644
index 7f8fc63..0000000
--- a/chrome/common/external_ipc_fuzzer.h
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_COMMON_EXTERNAL_IPC_FUZZER_H_
-#define CHROME_COMMON_EXTERNAL_IPC_FUZZER_H_
-
-#include "ipc/ipc_channel_proxy.h"
-
-IPC::ChannelProxy::OutgoingMessageFilter* LoadExternalIPCFuzzer();
-
-#endif // CHROME_COMMON_EXTERNAL_IPC_FUZZER_H_
-
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc
index 8c7ef46..912a374 100644
--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -23,7 +23,6 @@
 #include "chrome/common/extensions/extension_constants.h"
 #include "chrome/common/extensions/extension_process_policy.h"
 #include "chrome/common/extensions/extension_set.h"
-#include "chrome/common/external_ipc_fuzzer.h"
 #include "chrome/common/localized_error.h"
 #include "chrome/common/pepper_permission_util.h"
 #include "chrome/common/render_messages.h"
@@ -295,9 +294,6 @@ void ChromeContentRendererClient::RenderThreadStarted() {
 thread->RegisterExtension(extensions_v8::PlaybackExtension::Get());
 }
- if (command_line->HasSwitch(switches::kEnableIPCFuzzing)) {
- thread->GetChannel()->set_outgoing_message_filter(LoadExternalIPCFuzzer());
- }
 // chrome:, chrome-search:, chrome-devtools:, and chrome-internal: pages
 // should not be accessible by normal content, and should also be unable to
 // script anything but themselves (to help limit the damage that a corrupt
diff --git a/chrome/tools/ipclist/ipcfuzz.cc b/chrome/tools/ipclist/ipcfuzz.cc
deleted file mode 100644
index 40845d7..0000000
--- a/chrome/tools/ipclist/ipcfuzz.cc
+++ /dev/null
@@ -1,690 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <algorithm> -#include <ostream> -#include <set> -#include <vector> - -#include "base/command_line.h" -#include "base/containers/hash_tables.h" -#include "base/memory/scoped_ptr.h" -#include "base/memory/singleton.h" -#include "base/message_loop/message_loop.h" -#include "base/pickle.h" -#include "base/strings/string_number_conversions.h" -#include "base/strings/string_util.h" -#include "base/strings/utf_string_conversions.h" -#include "base/threading/thread.h" -#include "base/time/time.h" -#include "chrome/common/all_messages.h" -#include "content/common/all_messages.h" -#include "ipc/ipc_message.h" -#include "ipc/ipc_message_utils.h" -#include "ipc/ipc_switches.h" -#include "ipc/ipc_sync_channel.h" -#include "ipc/ipc_sync_message.h" - -#if defined(OS_POSIX) -#include <unistd.h> -#endif - -namespace IPC { -class Message; - -// Interface implemented by those who fuzz basic types. The types all -// correspond to the types which a pickle from base/pickle.h can pickle, -// plus the floating point types. -class Fuzzer { - public: - // Select a message for fuzzing. - virtual bool FuzzThisMessage(const IPC::Message *msg) = 0; - - // Tweak individual values within a message. 
- virtual void FuzzBool(bool* value) = 0; - virtual void FuzzInt(int* value) = 0; - virtual void FuzzLong(long* value) = 0; - virtual void FuzzSize(size_t* value) = 0; - virtual void FuzzUChar(unsigned char *value) = 0; - virtual void FuzzUInt16(uint16* value) = 0; - virtual void FuzzUInt32(uint32* value) = 0; - virtual void FuzzInt64(int64* value) = 0; - virtual void FuzzUInt64(uint64* value) = 0; - virtual void FuzzFloat(float *value) = 0; - virtual void FuzzDouble(double *value) = 0; - virtual void FuzzString(std::string* value) = 0; - virtual void FuzzWString(std::wstring* value) = 0; - virtual void FuzzString16(string16* value) = 0; - virtual void FuzzData(char* data, int length) = 0; - virtual void FuzzBytes(void* data, int data_len) = 0; -}; - -} // namespace IPC - -namespace { - -template <typename T> -void FuzzIntegralType(T* value, unsigned int frequency) { - if (rand() % frequency == 0) { - switch (rand() % 4) { - case 0: (*value) = 0; break; - case 1: (*value)--; break; - case 2: (*value)++; break; - case 3: (*value) ^= rand(); break; - } - } -} - -template <typename T> -void FuzzStringType(T* value, unsigned int frequency, - const T& literal1, const T& literal2) { - if (rand() % frequency == 0) { - switch (rand() % 5) { - case 4: (*value) = (*value) + (*value); // FALLTHROUGH - case 3: (*value) = (*value) + (*value); // FALLTHROUGH - case 2: (*value) = (*value) + (*value); break; - case 1: (*value) += literal1; break; - case 0: (*value) = literal2; break; - } - } -} - -} // namespace - -// One such fuzzer implementation. 
-class DefaultFuzzer : public IPC::Fuzzer { - public: - static const int DEFAULT_FREQUENCY = 23; - - DefaultFuzzer() : frequency_(DEFAULT_FREQUENCY) { - const char *env_var; - if ((env_var = getenv("CHROME_IPC_FUZZING_LIST"))) { - std::string str = std::string(env_var); - size_t pos; - while ((pos = str.find_first_of(',')) != std::string::npos) { - message_set_.insert(atoi(str.substr(0, pos).c_str())); - str = str.substr(pos+1); - } - message_set_.insert(atoi(str.c_str())); - } - - if ((env_var = getenv("CHROME_IPC_FUZZING_SEED"))) { - int new_seed = atoi(env_var); - if (new_seed) - srand(new_seed); - } - - if ((env_var = getenv("CHROME_IPC_FUZZING_FREQUENCY"))) { - unsigned int new_frequency = atoi(env_var); - if (new_frequency) - frequency_ = new_frequency; - } - } - - virtual ~DefaultFuzzer() {} - - virtual bool FuzzThisMessage(const IPC::Message *msg) OVERRIDE { - return (message_set_.empty() || - std::find(message_set_.begin(), - message_set_.end(), - msg->type()) != message_set_.end()); - } - - virtual void FuzzBool(bool* value) OVERRIDE { - if (rand() % frequency_ == 0) - (*value) = !(*value); - } - - virtual void FuzzInt(int* value) OVERRIDE { - FuzzIntegralType<int>(value, frequency_); - } - - virtual void FuzzLong(long* value) OVERRIDE { - FuzzIntegralType<long>(value, frequency_); - } - - virtual void FuzzSize(size_t* value) OVERRIDE { - FuzzIntegralType<size_t>(value, frequency_); - } - - virtual void FuzzUChar(unsigned char* value) OVERRIDE { - FuzzIntegralType<unsigned char>(value, frequency_); - } - - virtual void FuzzUInt16(uint16* value) OVERRIDE { - FuzzIntegralType<uint16>(value, frequency_); - } - - virtual void FuzzUInt32(uint32* value) OVERRIDE { - FuzzIntegralType<uint32>(value, frequency_); - } - - virtual void FuzzInt64(int64* value) OVERRIDE { - FuzzIntegralType<int64>(value, frequency_); - } - - virtual void FuzzUInt64(uint64* value) OVERRIDE { - FuzzIntegralType<uint64>(value, frequency_); - } - - virtual void FuzzFloat(float* value) 
OVERRIDE { - if (rand() % frequency_ == 0) - (*value) *= rand() / 1000000.0; - } - - virtual void FuzzDouble(double* value) OVERRIDE { - if (rand() % frequency_ == 0) - (*value) *= rand() / 1000000.0; - } - - virtual void FuzzString(std::string* value) OVERRIDE { - FuzzStringType<std::string>(value, frequency_, "BORKED", std::string()); - } - - virtual void FuzzWString(std::wstring* value) OVERRIDE { - FuzzStringType<std::wstring>(value, frequency_, L"BORKED", std::wstring()); - } - - virtual void FuzzString16(string16* value) OVERRIDE { - FuzzStringType<string16>(value, frequency_, - WideToUTF16(L"BORKED"), - WideToUTF16(std::wstring())); - } - - virtual void FuzzData(char* data, int length) OVERRIDE { - if (rand() % frequency_ == 0) { - for (int i = 0; i < length; ++i) { - FuzzIntegralType<char>(&data[i], frequency_); - } - } - } - - virtual void FuzzBytes(void* data, int data_len) OVERRIDE { - FuzzData(static_cast<char*>(data), data_len); - } - - private: - std::set<int> message_set_; - unsigned int frequency_; -}; - - -// No-op fuzzer. Rewrites each message unchanged to check if the message -// re-assembly is legit. 
-class NoOpFuzzer : public IPC::Fuzzer { - public: - NoOpFuzzer() {} - virtual ~NoOpFuzzer() {} - - virtual bool FuzzThisMessage(const IPC::Message *msg) OVERRIDE { - return true; - } - - virtual void FuzzBool(bool* value) OVERRIDE {} - virtual void FuzzInt(int* value) OVERRIDE {} - virtual void FuzzLong(long* value) OVERRIDE {} - virtual void FuzzSize(size_t* value) OVERRIDE {} - virtual void FuzzUChar(unsigned char* value) OVERRIDE {} - virtual void FuzzUInt16(uint16* value) OVERRIDE {} - virtual void FuzzUInt32(uint32* value) OVERRIDE {} - virtual void FuzzInt64(int64* value) OVERRIDE {} - virtual void FuzzUInt64(uint64* value) OVERRIDE {} - virtual void FuzzFloat(float* value) OVERRIDE {} - virtual void FuzzDouble(double* value) OVERRIDE {} - virtual void FuzzString(std::string* value) OVERRIDE {} - virtual void FuzzWString(std::wstring* value) OVERRIDE {} - virtual void FuzzString16(string16* value) OVERRIDE {} - virtual void FuzzData(char* data, int length) OVERRIDE {} - virtual void FuzzBytes(void* data, int data_len) OVERRIDE {} -}; - -class FuzzerFactory { - public: - static IPC::Fuzzer *NewFuzzer(const std::string& name) { - if (name == "no-op") - return new NoOpFuzzer(); - else - return new DefaultFuzzer(); - } -}; - -// Partially-specialized class that knows how to fuzz a given type. -template <class P> -struct FuzzTraits { - static void Fuzz(P* p, IPC::Fuzzer *fuzzer) {} -}; - -// Template function to invoke partially-specialized class method. -template <class P> -static void FuzzParam(P* p, IPC::Fuzzer* fuzzer) { - FuzzTraits<P>::Fuzz(p, fuzzer); -} - -// Specializations to fuzz primitive types. 
-template <> -struct FuzzTraits<bool> { - static void Fuzz(bool* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzBool(p); - } -}; - -template <> -struct FuzzTraits<int> { - static void Fuzz(int* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzInt(p); - } -}; - -template <> -struct FuzzTraits<unsigned int> { - static void Fuzz(unsigned int* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzInt(reinterpret_cast<int*>(p)); - } -}; - -template <> -struct FuzzTraits<long> { - static void Fuzz(long* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzLong(p); - } -}; - -template <> -struct FuzzTraits<unsigned long> { - static void Fuzz(unsigned long* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzLong(reinterpret_cast<long*>(p)); - } -}; - -template <> -struct FuzzTraits<long long> { - static void Fuzz(long long* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzInt64(reinterpret_cast<int64*>(p)); - } -}; - -template <> -struct FuzzTraits<unsigned long long> { - static void Fuzz(unsigned long long* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzInt64(reinterpret_cast<int64*>(p)); - } -}; - -template <> -struct FuzzTraits<short> { - static void Fuzz(short* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p)); - } -}; - -template <> -struct FuzzTraits<unsigned short> { - static void Fuzz(unsigned short* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p)); - } -}; - -template <> -struct FuzzTraits<char> { - static void Fuzz(char* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzUChar(reinterpret_cast<unsigned char*>(p)); - } -}; - -template <> -struct FuzzTraits<unsigned char> { - static void Fuzz(unsigned char* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzUChar(p); - } -}; - -template <> -struct FuzzTraits<float> { - static void Fuzz(float* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzFloat(p); - } -}; - -template <> -struct FuzzTraits<double> { - static void Fuzz(double* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzDouble(p); - } -}; - -template <> -struct FuzzTraits<std::string> { - static void 
Fuzz(std::string* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzString(p); - } -}; - -template <> -struct FuzzTraits<std::wstring> { - static void Fuzz(std::wstring* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzWString(p); - } -}; - -template <> -struct FuzzTraits<string16> { - static void Fuzz(string16* p, IPC::Fuzzer* fuzzer) { - fuzzer->FuzzString16(p); - } -}; - -// Specializations to fuzz tuples. -template <class A> -struct FuzzTraits<Tuple1<A> > { - static void Fuzz(Tuple1<A>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->a, fuzzer); - } -}; - -template <class A, class B> -struct FuzzTraits<Tuple2<A, B> > { - static void Fuzz(Tuple2<A, B>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->a, fuzzer); - FuzzParam(&p->b, fuzzer); - } -}; - -template <class A, class B, class C> -struct FuzzTraits<Tuple3<A, B, C> > { - static void Fuzz(Tuple3<A, B, C>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->a, fuzzer); - FuzzParam(&p->b, fuzzer); - FuzzParam(&p->c, fuzzer); - } -}; - -template <class A, class B, class C, class D> -struct FuzzTraits<Tuple4<A, B, C, D> > { - static void Fuzz(Tuple4<A, B, C, D>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->a, fuzzer); - FuzzParam(&p->b, fuzzer); - FuzzParam(&p->c, fuzzer); - FuzzParam(&p->d, fuzzer); - } -}; - -template <class A, class B, class C, class D, class E> -struct FuzzTraits<Tuple5<A, B, C, D, E> > { - static void Fuzz(Tuple5<A, B, C, D, E>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->a, fuzzer); - FuzzParam(&p->b, fuzzer); - FuzzParam(&p->c, fuzzer); - FuzzParam(&p->d, fuzzer); - FuzzParam(&p->e, fuzzer); - } -}; - -// Specializations to fuzz containers. 
-template <class A> -struct FuzzTraits<std::vector<A> > { - static void Fuzz(std::vector<A>* p, IPC::Fuzzer* fuzzer) { - for (size_t i = 0; i < p->size(); ++i) { - FuzzParam(&p->at(i), fuzzer); - } - } -}; - -template <class A, class B> -struct FuzzTraits<std::map<A, B> > { - static void Fuzz(std::map<A, B>* p, IPC::Fuzzer* fuzzer) { - typename std::map<A, B>::iterator it; - for (it = p->begin(); it != p->end(); ++it) { - FuzzParam(&it->second, fuzzer); - } - } -}; - -template <class A, class B> -struct FuzzTraits<std::pair<A, B> > { - static void Fuzz(std::pair<A, B>* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->second, fuzzer); - } -}; - -// Specializations to fuzz hand-coded tyoes -template <> -struct FuzzTraits<base::FileDescriptor> { - static void Fuzz(base::FileDescriptor* p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->fd, fuzzer); - } -}; - -template <> -struct FuzzTraits<GURL> { - static void Fuzz(GURL *p, IPC::Fuzzer* fuzzer) { - FuzzParam(&p->possibly_invalid_spec(), fuzzer); - } -}; - -template <> -struct FuzzTraits<gfx::Point> { - static void Fuzz(gfx::Point *p, IPC::Fuzzer* fuzzer) { - int x = p->x(); - int y = p->y(); - FuzzParam(&x, fuzzer); - FuzzParam(&y, fuzzer); - p->SetPoint(x, y); - } -}; - -template <> -struct FuzzTraits<gfx::Size> { - static void Fuzz(gfx::Size *p, IPC::Fuzzer* fuzzer) { - int w = p->width(); - int h = p->height(); - FuzzParam(&w, fuzzer); - FuzzParam(&h, fuzzer); - p->SetSize(w, h); - } -}; - -template <> -struct FuzzTraits<gfx::Rect> { - static void Fuzz(gfx::Rect *p, IPC::Fuzzer* fuzzer) { - gfx::Point origin = p->origin(); - gfx::Size size = p->size(); - FuzzParam(&origin, fuzzer); - FuzzParam(&size, fuzzer); - p->set_origin(origin); - p->set_size(size); - } -}; - -// Means for updating message id in pickles. 
-class PickleCracker : public Pickle { - public: - static void CopyMessageID(PickleCracker *dst, PickleCracker *src) { - memcpy(dst->mutable_payload(), src->payload(), sizeof(int)); - } -}; - -// Redefine macros to generate fuzzing from traits declarations. -// Null out all the macros that need nulling. -#include "ipc/ipc_message_null_macros.h" - -// STRUCT declarations cause corresponding STRUCT_TRAITS declarations to occur. -#undef IPC_STRUCT_BEGIN_WITH_PARENT -#undef IPC_STRUCT_MEMBER -#undef IPC_STRUCT_END -#define IPC_STRUCT_BEGIN_WITH_PARENT(struct_name, parent)\ - IPC_STRUCT_TRAITS_BEGIN(struct_name) -#define IPC_STRUCT_MEMBER(type, name, ...) IPC_STRUCT_TRAITS_MEMBER(name) -#define IPC_STRUCT_END() IPC_STRUCT_TRAITS_END() - -// Set up so next include will generate fuzz trait classes. -#undef IPC_STRUCT_TRAITS_BEGIN -#undef IPC_STRUCT_TRAITS_MEMBER -#undef IPC_STRUCT_TRAITS_PARENT -#undef IPC_STRUCT_TRAITS_END -#define IPC_STRUCT_TRAITS_BEGIN(struct_name) \ - template <> \ - struct FuzzTraits<struct_name> { \ - static void Fuzz(struct_name *p, IPC::Fuzzer* fuzzer) { \ - -#define IPC_STRUCT_TRAITS_MEMBER(name) \ - FuzzParam(&p->name, fuzzer); - -#define IPC_STRUCT_TRAITS_PARENT(type) \ - FuzzParam(static_cast<type*>(p), fuzzer); - -#define IPC_STRUCT_TRAITS_END() \ - } \ - }; - -#undef IPC_ENUM_TRAITS_VALIDATE -#define IPC_ENUM_TRAITS_VALIDATE(enum_name, validation_expression) \ - template <> \ - struct FuzzTraits<enum_name> { \ - static void Fuzz(enum_name* p, IPC::Fuzzer* fuzzer) { \ - FuzzParam(reinterpret_cast<int*>(p), fuzzer); \ - } \ - }; - -// Bring them into existence. 
-#include "chrome/common/all_messages.h" -#include "content/common/all_messages.h" - -// Redefine macros to generate fuzzing funtions -#include "ipc/ipc_message_null_macros.h" -#undef IPC_MESSAGE_DECL -#define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \ - IPC_##kind##_##type##_FUZZ(name, in, out, ilist, olist) - -#define IPC_EMPTY_CONTROL_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - return NULL; \ - } - -#define IPC_EMPTY_ROUTED_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - return NULL; \ - } - -#define IPC_ASYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - name* real_msg = static_cast<name*>(msg); \ - IPC_TUPLE_IN_##in ilist p; \ - name::Read(real_msg, &p); \ - FuzzParam(&p, fuzzer); \ - return new name(IPC_MEMBERS_IN_##in(p)); \ - } - -#define IPC_ASYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - name* real_msg = static_cast<name*>(msg); \ - IPC_TUPLE_IN_##in ilist p; \ - name::Read(real_msg, &p); \ - FuzzParam(&p, fuzzer); \ - return new name(msg->routing_id() \ - IPC_COMMA_##in \ - IPC_MEMBERS_IN_##in(p)); \ - } - -#define IPC_SYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - name* real_msg = static_cast<name*>(msg); \ - IPC_TUPLE_IN_##in ilist p; \ - name::ReadSendParam(real_msg, &p); \ - FuzzParam(&p, fuzzer); \ - name* new_msg = new name(IPC_MEMBERS_IN_##in(p) \ - IPC_COMMA_AND_##out(IPC_COMMA_##in) \ - IPC_MEMBERS_OUT_##out()); \ - PickleCracker::CopyMessageID( \ - reinterpret_cast<PickleCracker *>(new_msg), \ - reinterpret_cast<PickleCracker *>(real_msg)); \ - return new_msg; \ - } - - -#define IPC_SYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \ - IPC::Message* 
fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ - name* real_msg = static_cast<name*>(msg); \ - IPC_TUPLE_IN_##in ilist p; \ - name::ReadSendParam(real_msg, &p); \ - FuzzParam(&p, fuzzer); \ - name* new_msg = new name(msg->routing_id() \ - IPC_COMMA_OR_##out(IPC_COMMA_##in) \ - IPC_MEMBERS_IN_##in(p) \ - IPC_COMMA_AND_##out(IPC_COMMA_##in) \ - IPC_MEMBERS_OUT_##out()); \ - PickleCracker::CopyMessageID( \ - reinterpret_cast<PickleCracker *>(new_msg), \ - reinterpret_cast<PickleCracker *>(real_msg)); \ - return new_msg; \ - } - -#define IPC_MEMBERS_IN_0(p) -#define IPC_MEMBERS_IN_1(p) p.a -#define IPC_MEMBERS_IN_2(p) p.a, p.b -#define IPC_MEMBERS_IN_3(p) p.a, p.b, p.c -#define IPC_MEMBERS_IN_4(p) p.a, p.b, p.c, p.d -#define IPC_MEMBERS_IN_5(p) p.a, p.b, p.c, p.d, p.e - -#define IPC_MEMBERS_OUT_0() -#define IPC_MEMBERS_OUT_1() NULL -#define IPC_MEMBERS_OUT_2() NULL, NULL -#define IPC_MEMBERS_OUT_3() NULL, NULL, NULL -#define IPC_MEMBERS_OUT_4() NULL, NULL, NULL, NULL -#define IPC_MEMBERS_OUT_5() NULL, NULL, NULL, NULL, NULL - -#include "chrome/common/all_messages.h" -#include "content/common/all_messages.h" - -typedef IPC::Message* (*FuzzFunction)(IPC::Message*, IPC::Fuzzer*); -typedef base::hash_map<uint32, FuzzFunction> FuzzFunctionMap; - -// Redefine macros to register fuzzing functions into map. -#include "ipc/ipc_message_null_macros.h" -#undef IPC_MESSAGE_DECL -#define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \ - (*map)[static_cast<uint32>(name::ID)] = fuzzer_for_##name; - -void PopulateFuzzFunctionMap(FuzzFunctionMap *map) { -#include "chrome/common/all_messages.h" -#include "content/common/all_messages.h" -} - -class ipcfuzz : public IPC::ChannelProxy::OutgoingMessageFilter { - public: - ipcfuzz() { - const char* env_var = getenv("CHROME_IPC_FUZZING_KIND"); - fuzzer_ = FuzzerFactory::NewFuzzer(env_var ? 
env_var : "");
- PopulateFuzzFunctionMap(&fuzz_function_map_);
- }
-
- virtual IPC::Message* Rewrite(IPC::Message* message) OVERRIDE {
- if (fuzzer_ && fuzzer_->FuzzThisMessage(message)) {
- FuzzFunctionMap::iterator it = fuzz_function_map_.find(message->type());
- if (it != fuzz_function_map_.end()) {
- IPC::Message* fuzzed_message = (*it->second)(message, fuzzer_);
- if (fuzzed_message) {
- delete message;
- message = fuzzed_message;
- }
- }
- }
- return message;
- }
-
- private:
- IPC::Fuzzer* fuzzer_;
- FuzzFunctionMap fuzz_function_map_;
-};
-
-ipcfuzz g_ipcfuzz;
-
-// Entry point avoiding mangled names.
-extern "C" {
- __attribute__((visibility("default")))
- IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void);
-}
-
-IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void) {
- return &g_ipcfuzz;
-}
diff --git a/content/public/renderer/render_thread.h b/content/public/renderer/render_thread.h
index 87e0648..23ca0af 100644
--- a/content/public/renderer/render_thread.h
+++ b/content/public/renderer/render_thread.h
@@ -61,8 +61,6 @@ class CONTENT_EXPORT RenderThread : public IPC::Sender {
 // These map to IPC::ChannelProxy methods.
 virtual void AddFilter(IPC::ChannelProxy::MessageFilter* filter) = 0;
 virtual void RemoveFilter(IPC::ChannelProxy::MessageFilter* filter) = 0;
- virtual void SetOutgoingMessageFilter(
- IPC::ChannelProxy::OutgoingMessageFilter* filter) = 0;
 // Add/remove observers for the process.
 virtual void AddObserver(RenderProcessObserver* observer) = 0;
diff --git a/content/public/test/mock_render_thread.cc b/content/public/test/mock_render_thread.cc
index 78081c0..7ada255 100644
--- a/content/public/test/mock_render_thread.cc
+++ b/content/public/test/mock_render_thread.cc
@@ -123,10 +123,6 @@ void MockRenderThread::RemoveFilter(IPC::ChannelProxy::MessageFilter* filter) {
 NOTREACHED() << "filter to be removed not found";
 }
-void MockRenderThread::SetOutgoingMessageFilter(
- IPC::ChannelProxy::OutgoingMessageFilter* filter) {
-}
-
 void MockRenderThread::AddObserver(RenderProcessObserver* observer) {
 observers_.AddObserver(observer);
 }
diff --git a/content/public/test/mock_render_thread.h b/content/public/test/mock_render_thread.h
index c0c7039..17b4fc5 100644
--- a/content/public/test/mock_render_thread.h
+++ b/content/public/test/mock_render_thread.h
@@ -50,8 +50,6 @@ class MockRenderThread : public RenderThread {
 virtual int GenerateRoutingID() OVERRIDE;
 virtual void AddFilter(IPC::ChannelProxy::MessageFilter* filter) OVERRIDE;
 virtual void RemoveFilter(IPC::ChannelProxy::MessageFilter* filter) OVERRIDE;
- virtual void SetOutgoingMessageFilter(
- IPC::ChannelProxy::OutgoingMessageFilter* filter) OVERRIDE;
 virtual void AddObserver(RenderProcessObserver* observer) OVERRIDE;
 virtual void RemoveObserver(RenderProcessObserver* observer) OVERRIDE;
 virtual void SetResourceDispatcherDelegate(
diff --git a/content/renderer/render_thread_impl.cc b/content/renderer/render_thread_impl.cc
index 1eb2c21..333dc01 100644
--- a/content/renderer/render_thread_impl.cc
+++ b/content/renderer/render_thread_impl.cc
@@ -590,10 +590,6 @@ void RenderThreadImpl::RemoveFilter(IPC::ChannelProxy::MessageFilter* filter) {
 channel()->RemoveFilter(filter);
 }
-void RenderThreadImpl::SetOutgoingMessageFilter(
- IPC::ChannelProxy::OutgoingMessageFilter* filter) {
-}
-
 void RenderThreadImpl::AddObserver(RenderProcessObserver* observer) {
 observers_.AddObserver(observer);
 }
diff --git a/content/renderer/render_thread_impl.h b/content/renderer/render_thread_impl.h
index aea1836..f8cec0d 100644
--- a/content/renderer/render_thread_impl.h
+++ b/content/renderer/render_thread_impl.h
@@ -134,8 +134,6 @@ class CONTENT_EXPORT RenderThreadImpl : public RenderThread,
 virtual int GenerateRoutingID() OVERRIDE;
 virtual void AddFilter(IPC::ChannelProxy::MessageFilter* filter) OVERRIDE;
 virtual void RemoveFilter(IPC::ChannelProxy::MessageFilter* filter) OVERRIDE;
- virtual void SetOutgoingMessageFilter(
- IPC::ChannelProxy::OutgoingMessageFilter* filter) OVERRIDE;
 virtual void AddObserver(RenderProcessObserver* observer) OVERRIDE;
 virtual void RemoveObserver(RenderProcessObserver* observer) OVERRIDE;
 virtual void SetResourceDispatcherDelegate(
diff --git a/ipc/ipc_channel_proxy.cc b/ipc/ipc_channel_proxy.cc
index acc068d..18ed304 100644
--- a/ipc/ipc_channel_proxy.cc
+++ b/ipc/ipc_channel_proxy.cc
@@ -288,14 +288,12 @@ ChannelProxy::ChannelProxy(const IPC::ChannelHandle& channel_handle,
 Listener* listener,
 base::SingleThreadTaskRunner* ipc_task_runner)
 : context_(new Context(listener, ipc_task_runner)),
- outgoing_message_filter_(NULL),
 did_init_(false) {
 Init(channel_handle, mode, true);
 }
 ChannelProxy::ChannelProxy(Context* context)
 : context_(context),
- outgoing_message_filter_(NULL),
 did_init_(false) {
 }
@@ -358,8 +356,6 @@ bool ChannelProxy::Send(Message* message) {
 // TODO(alexeypa): add DCHECK(CalledOnValidThread()) here. Currently there are
 // tests that call Send() from a wrong thread. See http://crbug.com/163523.
- if (outgoing_message_filter())
- message = outgoing_message_filter()->Rewrite(message);
 #ifdef IPC_MESSAGE_LOG_ENABLED
 Logging::GetInstance()->OnSendMessage(message, context_->channel_id());
diff --git a/ipc/ipc_channel_proxy.h b/ipc/ipc_channel_proxy.h
index a0de88e..1f5ecf4 100644
--- a/ipc/ipc_channel_proxy.h
+++ b/ipc/ipc_channel_proxy.h
@@ -95,15 +95,6 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 friend class base::RefCountedThreadSafe<MessageFilter>;
 };
- // Interface for a filter to be imposed on outgoing messages which can
- // re-write the message. Used mainly for testing.
- class OutgoingMessageFilter {
- public:
- // Returns a re-written message, freeing the original, or simply the
- // original unchanged if no rewrite indicated.
- virtual Message *Rewrite(Message *message) = 0;
- };
-
 // Initializes a channel proxy. The channel_handle and mode parameters are
 // passed directly to the underlying IPC::Channel. The listener is called on
 // the thread that creates the ChannelProxy. The filter's OnMessageReceived
@@ -152,10 +143,6 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 void AddFilter(MessageFilter* filter);
 void RemoveFilter(MessageFilter* filter);
- void set_outgoing_message_filter(OutgoingMessageFilter* filter) {
- outgoing_message_filter_ = filter;
- }
-
 // Called to clear the pointer to the IPC task runner when it's going away.
 void ClearIPCTaskRunner();
@@ -256,10 +243,6 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 Context* context() { return context_.get(); }
- OutgoingMessageFilter* outgoing_message_filter() {
- return outgoing_message_filter_;
- }
-
 private:
 friend class SendCallbackHelper;
@@ -268,8 +251,6 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 // that involves this data.
 scoped_refptr<Context> context_;
- OutgoingMessageFilter* outgoing_message_filter_;
-
 // Whether the channel has been initialized.
 bool did_init_;
 }; |