1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "ipc/attachment_broker_privileged_win.h"
#include <windows.h>
#include "base/process/process.h"
#include "ipc/attachment_broker_messages.h"
#include "ipc/brokerable_attachment.h"
#include "ipc/handle_attachment_win.h"
#include "ipc/ipc_channel.h"
namespace IPC {
AttachmentBrokerPrivilegedWin::AttachmentBrokerPrivilegedWin() {}
AttachmentBrokerPrivilegedWin::~AttachmentBrokerPrivilegedWin() {}
bool AttachmentBrokerPrivilegedWin::SendAttachmentToProcess(
const scoped_refptr<IPC::BrokerableAttachment>& attachment,
base::ProcessId destination_process) {
switch (attachment->GetBrokerableType()) {
case BrokerableAttachment::WIN_HANDLE: {
const internal::HandleAttachmentWin* handle_attachment =
static_cast<const internal::HandleAttachmentWin*>(attachment.get());
HandleWireFormat wire_format =
handle_attachment->GetWireFormat(destination_process);
HandleWireFormat new_wire_format =
DuplicateWinHandle(wire_format, base::Process::Current().Pid());
if (new_wire_format.handle == 0)
return false;
RouteDuplicatedHandle(new_wire_format);
return true;
}
case BrokerableAttachment::MACH_PORT:
case BrokerableAttachment::PLACEHOLDER:
NOTREACHED();
return false;
}
return false;
}
bool AttachmentBrokerPrivilegedWin::OnMessageReceived(const Message& msg) {
bool handled = true;
switch (msg.type()) {
IPC_MESSAGE_HANDLER_GENERIC(AttachmentBrokerMsg_DuplicateWinHandle,
OnDuplicateWinHandle(msg))
IPC_MESSAGE_UNHANDLED(handled = false)
}
return handled;
}
void AttachmentBrokerPrivilegedWin::OnDuplicateWinHandle(
const IPC::Message& message) {
AttachmentBrokerMsg_DuplicateWinHandle::Param param;
if (!AttachmentBrokerMsg_DuplicateWinHandle::Read(&message, ¶m))
return;
IPC::internal::HandleAttachmentWin::WireFormat wire_format =
base::get<0>(param);
if (wire_format.destination_process == base::kNullProcessId) {
LogError(NO_DESTINATION);
return;
}
HandleWireFormat new_wire_format =
DuplicateWinHandle(wire_format, message.get_sender_pid());
RouteDuplicatedHandle(new_wire_format);
}
void AttachmentBrokerPrivilegedWin::RouteDuplicatedHandle(
const HandleWireFormat& wire_format) {
// This process is the destination.
if (wire_format.destination_process == base::Process::Current().Pid()) {
scoped_refptr<BrokerableAttachment> attachment(
new internal::HandleAttachmentWin(wire_format));
HandleReceivedAttachment(attachment);
return;
}
// Another process is the destination.
base::ProcessId dest = wire_format.destination_process;
Sender* sender = GetSenderWithProcessId(dest);
if (!sender) {
// Assuming that this message was not sent from a malicious process, the
// channel endpoint that would have received this message will block
// forever.
LOG(ERROR) << "Failed to deliver brokerable attachment to process with id: "
<< dest;
LogError(DESTINATION_NOT_FOUND);
return;
}
LogError(DESTINATION_FOUND);
sender->Send(new AttachmentBrokerMsg_WinHandleHasBeenDuplicated(wire_format));
}
AttachmentBrokerPrivilegedWin::HandleWireFormat
AttachmentBrokerPrivilegedWin::DuplicateWinHandle(
const HandleWireFormat& wire_format,
base::ProcessId source_pid) {
base::Process source_process =
base::Process::OpenWithExtraPrivileges(source_pid);
base::Process dest_process =
base::Process::OpenWithExtraPrivileges(wire_format.destination_process);
int new_wire_format_handle = 0;
if (source_process.Handle() && dest_process.Handle()) {
DWORD desired_access = 0;
DWORD options = 0;
switch (wire_format.permissions) {
case HandleWin::INVALID:
LOG(ERROR) << "Received invalid permissions for duplication.";
return CopyWireFormat(wire_format, 0);
case HandleWin::DUPLICATE:
options = DUPLICATE_SAME_ACCESS;
break;
case HandleWin::FILE_READ_WRITE:
desired_access = FILE_GENERIC_READ | FILE_GENERIC_WRITE;
break;
}
HANDLE new_handle;
HANDLE original_handle = LongToHandle(wire_format.handle);
DWORD result = ::DuplicateHandle(source_process.Handle(), original_handle,
dest_process.Handle(), &new_handle,
desired_access, FALSE, options);
new_wire_format_handle = (result != 0) ? HandleToLong(new_handle) : 0;
}
return CopyWireFormat(wire_format, new_wire_format_handle);
}
AttachmentBrokerPrivilegedWin::HandleWireFormat
AttachmentBrokerPrivilegedWin::CopyWireFormat(
const HandleWireFormat& wire_format,
int handle) {
return HandleWireFormat(handle, wire_format.destination_process,
wire_format.permissions, wire_format.attachment_id);
}
} // namespace IPC
|