1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/process/launch.h"
6
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sched.h>
11 #include <setjmp.h>
12 #include <signal.h>
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <stdlib.h>
16 #include <sys/resource.h>
17 #include <sys/syscall.h>
18 #include <sys/time.h>
19 #include <sys/types.h>
20 #include <sys/wait.h>
21 #include <unistd.h>
22
23 #include <iterator>
24 #include <limits>
25 #include <set>
26
27 #include "base/command_line.h"
28 #include "base/compiler_specific.h"
29 #include "base/debug/debugger.h"
30 #include "base/debug/stack_trace.h"
31 #include "base/files/dir_reader_posix.h"
32 #include "base/files/file_util.h"
33 #include "base/files/scoped_file.h"
34 #include "base/logging.h"
35 #include "base/memory/scoped_ptr.h"
36 #include "base/posix/eintr_wrapper.h"
37 #include "base/process/process.h"
38 #include "base/process/process_metrics.h"
39 #include "base/strings/stringprintf.h"
40 #include "base/synchronization/waitable_event.h"
41 #include "base/threading/platform_thread.h"
42 #include "base/threading/thread_restrictions.h"
43 #include "build/build_config.h"
44 #include "third_party/valgrind/valgrind.h"
45
46 #if defined(OS_LINUX)
47 #include <sys/prctl.h>
48 #endif
49
50 #if defined(OS_CHROMEOS)
51 #include <sys/ioctl.h>
52 #endif
53
54 #if defined(OS_FREEBSD)
55 #include <sys/event.h>
56 #include <sys/ucontext.h>
57 #endif
58
59 #if defined(OS_MACOSX)
60 #include <crt_externs.h>
61 #include <sys/event.h>
62 #else
63 extern char** environ;
64 #endif
65
66 namespace base {
67
68 #if !defined(OS_NACL_NONSFI)
69
70 namespace {
71
72 // Get the process's "environment" (i.e. the thing that setenv/getenv
73 // work with).
GetEnvironment()74 char** GetEnvironment() {
75 #if defined(OS_MACOSX)
76 return *_NSGetEnviron();
77 #else
78 return environ;
79 #endif
80 }
81
82 // Set the process's "environment" (i.e. the thing that setenv/getenv
83 // work with).
SetEnvironment(char ** env)84 void SetEnvironment(char** env) {
85 #if defined(OS_MACOSX)
86 *_NSGetEnviron() = env;
87 #else
88 environ = env;
89 #endif
90 }
91
92 // Set the calling thread's signal mask to new_sigmask and return
93 // the previous signal mask.
SetSignalMask(const sigset_t & new_sigmask)94 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
95 sigset_t old_sigmask;
96 #if defined(OS_ANDROID)
97 // POSIX says pthread_sigmask() must be used in multi-threaded processes,
98 // but Android's pthread_sigmask() was broken until 4.1:
99 // https://code.google.com/p/android/issues/detail?id=15337
100 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
101 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
102 #else
103 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
104 #endif
105 return old_sigmask;
106 }
107
108 #if !defined(OS_LINUX) || \
109 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
ResetChildSignalHandlersToDefaults()110 void ResetChildSignalHandlersToDefaults() {
111 // The previous signal handlers are likely to be meaningless in the child's
112 // context so we reset them to the defaults for now. http://crbug.com/44953
113 // These signal handlers are set up at least in browser_main_posix.cc:
114 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
115 // EnableInProcessStackDumping.
116 signal(SIGHUP, SIG_DFL);
117 signal(SIGINT, SIG_DFL);
118 signal(SIGILL, SIG_DFL);
119 signal(SIGABRT, SIG_DFL);
120 signal(SIGFPE, SIG_DFL);
121 signal(SIGBUS, SIG_DFL);
122 signal(SIGSEGV, SIG_DFL);
123 signal(SIGSYS, SIG_DFL);
124 signal(SIGTERM, SIG_DFL);
125 }
126
127 #else
128
129 // TODO(jln): remove the Linux special case once kernels are fixed.
130
131 // Internally the kernel makes sigset_t an array of long large enough to have
132 // one bit per signal.
133 typedef uint64_t kernel_sigset_t;
134
135 // This is what struct sigaction looks like to the kernel at least on X86 and
136 // ARM. MIPS, for instance, is very different.
137 struct kernel_sigaction {
138 void* k_sa_handler; // For this usage it only needs to be a generic pointer.
139 unsigned long k_sa_flags;
140 void* k_sa_restorer; // For this usage it only needs to be a generic pointer.
141 kernel_sigset_t k_sa_mask;
142 };
143
144 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
145 // our own.
sys_rt_sigaction(int sig,const struct kernel_sigaction * act,struct kernel_sigaction * oact)146 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
147 struct kernel_sigaction* oact) {
148 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
149 }
150
151 // This function is intended to be used in between fork() and execve() and will
152 // reset all signal handlers to the default.
153 // The motivation for going through all of them is that sa_restorer can leak
154 // from parents and help defeat ASLR on buggy kernels. We reset it to NULL.
155 // See crbug.com/177956.
ResetChildSignalHandlersToDefaults(void)156 void ResetChildSignalHandlersToDefaults(void) {
157 for (int signum = 1; ; ++signum) {
158 struct kernel_sigaction act;
159 memset(&act, 0, sizeof(act));
160 int sigaction_get_ret = sys_rt_sigaction(signum, NULL, &act);
161 if (sigaction_get_ret && errno == EINVAL) {
162 #if !defined(NDEBUG)
163 // Linux supports 32 real-time signals from 33 to 64.
164 // If the number of signals in the Linux kernel changes, someone should
165 // look at this code.
166 const int kNumberOfSignals = 64;
167 RAW_CHECK(signum == kNumberOfSignals + 1);
168 #endif // !defined(NDEBUG)
169 break;
170 }
171 // All other failures are fatal.
172 if (sigaction_get_ret) {
173 RAW_LOG(FATAL, "sigaction (get) failed.");
174 }
175
176 // The kernel won't allow to re-set SIGKILL or SIGSTOP.
177 if (signum != SIGSTOP && signum != SIGKILL) {
178 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
179 act.k_sa_restorer = NULL;
180 if (sys_rt_sigaction(signum, &act, NULL)) {
181 RAW_LOG(FATAL, "sigaction (set) failed.");
182 }
183 }
184 #if !defined(NDEBUG)
185 // Now ask the kernel again and check that no restorer will leak.
186 if (sys_rt_sigaction(signum, NULL, &act) || act.k_sa_restorer) {
187 RAW_LOG(FATAL, "Cound not fix sa_restorer.");
188 }
189 #endif // !defined(NDEBUG)
190 }
191 }
192 #endif // !defined(OS_LINUX) ||
193 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
194 } // anonymous namespace
195
196 // Functor for |ScopedDIR| (below).
197 struct ScopedDIRClose {
operator ()base::ScopedDIRClose198 inline void operator()(DIR* x) const {
199 if (x)
200 closedir(x);
201 }
202 };
203
204 // Automatically closes |DIR*|s.
205 typedef scoped_ptr<DIR, ScopedDIRClose> ScopedDIR;
206
207 #if defined(OS_LINUX)
208 static const char kFDDir[] = "/proc/self/fd";
209 #elif defined(OS_MACOSX)
210 static const char kFDDir[] = "/dev/fd";
211 #elif defined(OS_SOLARIS)
212 static const char kFDDir[] = "/dev/fd";
213 #elif defined(OS_FREEBSD)
214 static const char kFDDir[] = "/dev/fd";
215 #elif defined(OS_OPENBSD)
216 static const char kFDDir[] = "/dev/fd";
217 #elif defined(OS_ANDROID)
218 static const char kFDDir[] = "/proc/self/fd";
219 #endif
220
CloseSuperfluousFds(const base::InjectiveMultimap & saved_mapping)221 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
222 // DANGER: no calls to malloc or locks are allowed from now on:
223 // http://crbug.com/36678
224
225 // Get the maximum number of FDs possible.
226 size_t max_fds = GetMaxFds();
227
228 DirReaderPosix fd_dir(kFDDir);
229 if (!fd_dir.IsValid()) {
230 // Fallback case: Try every possible fd.
231 for (size_t i = 0; i < max_fds; ++i) {
232 const int fd = static_cast<int>(i);
233 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
234 continue;
235 // Cannot use STL iterators here, since debug iterators use locks.
236 size_t j;
237 for (j = 0; j < saved_mapping.size(); j++) {
238 if (fd == saved_mapping[j].dest)
239 break;
240 }
241 if (j < saved_mapping.size())
242 continue;
243
244 // Since we're just trying to close anything we can find,
245 // ignore any error return values of close().
246 close(fd);
247 }
248 return;
249 }
250
251 const int dir_fd = fd_dir.fd();
252
253 for ( ; fd_dir.Next(); ) {
254 // Skip . and .. entries.
255 if (fd_dir.name()[0] == '.')
256 continue;
257
258 char *endptr;
259 errno = 0;
260 const long int fd = strtol(fd_dir.name(), &endptr, 10);
261 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
262 continue;
263 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
264 continue;
265 // Cannot use STL iterators here, since debug iterators use locks.
266 size_t i;
267 for (i = 0; i < saved_mapping.size(); i++) {
268 if (fd == saved_mapping[i].dest)
269 break;
270 }
271 if (i < saved_mapping.size())
272 continue;
273 if (fd == dir_fd)
274 continue;
275
276 // When running under Valgrind, Valgrind opens several FDs for its
277 // own use and will complain if we try to close them. All of
278 // these FDs are >= |max_fds|, so we can check against that here
279 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758
280 if (fd < static_cast<int>(max_fds)) {
281 int ret = IGNORE_EINTR(close(fd));
282 DPCHECK(ret == 0);
283 }
284 }
285 }
286
LaunchProcess(const CommandLine & cmdline,const LaunchOptions & options)287 Process LaunchProcess(const CommandLine& cmdline,
288 const LaunchOptions& options) {
289 return LaunchProcess(cmdline.argv(), options);
290 }
291
LaunchProcess(const std::vector<std::string> & argv,const LaunchOptions & options)292 Process LaunchProcess(const std::vector<std::string>& argv,
293 const LaunchOptions& options) {
294 size_t fd_shuffle_size = 0;
295 if (options.fds_to_remap) {
296 fd_shuffle_size = options.fds_to_remap->size();
297 }
298
299 InjectiveMultimap fd_shuffle1;
300 InjectiveMultimap fd_shuffle2;
301 fd_shuffle1.reserve(fd_shuffle_size);
302 fd_shuffle2.reserve(fd_shuffle_size);
303
304 scoped_ptr<char* []> argv_cstr(new char* [argv.size() + 1]);
305 for (size_t i = 0; i < argv.size(); i++) {
306 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
307 }
308 argv_cstr[argv.size()] = NULL;
309
310 scoped_ptr<char*[]> new_environ;
311 char* const empty_environ = NULL;
312 char* const* old_environ = GetEnvironment();
313 if (options.clear_environ)
314 old_environ = &empty_environ;
315 if (!options.environ.empty())
316 new_environ = AlterEnvironment(old_environ, options.environ);
317
318 sigset_t full_sigset;
319 sigfillset(&full_sigset);
320 const sigset_t orig_sigmask = SetSignalMask(full_sigset);
321
322 const char* current_directory = nullptr;
323 if (!options.current_directory.empty()) {
324 current_directory = options.current_directory.value().c_str();
325 }
326
327 pid_t pid;
328 #if defined(OS_LINUX)
329 if (options.clone_flags) {
330 // Signal handling in this function assumes the creation of a new
331 // process, so we check that a thread is not being created by mistake
332 // and that signal handling follows the process-creation rules.
333 RAW_CHECK(
334 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
335
336 // We specify a null ptid and ctid.
337 RAW_CHECK(
338 !(options.clone_flags &
339 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID)));
340
341 // Since we use waitpid, we do not support custom termination signals in the
342 // clone flags.
343 RAW_CHECK((options.clone_flags & 0xff) == 0);
344
345 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr);
346 } else
347 #endif
348 {
349 pid = fork();
350 }
351
352 // Always restore the original signal mask in the parent.
353 if (pid != 0) {
354 SetSignalMask(orig_sigmask);
355 }
356
357 if (pid < 0) {
358 DPLOG(ERROR) << "fork";
359 return Process();
360 } else if (pid == 0) {
361 // Child process
362
363 // DANGER: no calls to malloc or locks are allowed from now on:
364 // http://crbug.com/36678
365
366 // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
367 // you call _exit() instead of exit(). This is because _exit() does not
368 // call any previously-registered (in the parent) exit handlers, which
369 // might do things like block waiting for threads that don't even exist
370 // in the child.
371
372 // If a child process uses the readline library, the process block forever.
373 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
374 // See http://crbug.com/56596.
375 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
376 if (!null_fd.is_valid()) {
377 RAW_LOG(ERROR, "Failed to open /dev/null");
378 _exit(127);
379 }
380
381 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
382 if (new_fd != STDIN_FILENO) {
383 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
384 _exit(127);
385 }
386
387 if (options.new_process_group) {
388 // Instead of inheriting the process group ID of the parent, the child
389 // starts off a new process group with pgid equal to its process ID.
390 if (setpgid(0, 0) < 0) {
391 RAW_LOG(ERROR, "setpgid failed");
392 _exit(127);
393 }
394 }
395
396 if (options.maximize_rlimits) {
397 // Some resource limits need to be maximal in this child.
398 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
399 const int resource = (*options.maximize_rlimits)[i];
400 struct rlimit limit;
401 if (getrlimit(resource, &limit) < 0) {
402 RAW_LOG(WARNING, "getrlimit failed");
403 } else if (limit.rlim_cur < limit.rlim_max) {
404 limit.rlim_cur = limit.rlim_max;
405 if (setrlimit(resource, &limit) < 0) {
406 RAW_LOG(WARNING, "setrlimit failed");
407 }
408 }
409 }
410 }
411
412 #if defined(OS_MACOSX)
413 RestoreDefaultExceptionHandler();
414 #endif // defined(OS_MACOSX)
415
416 ResetChildSignalHandlersToDefaults();
417 SetSignalMask(orig_sigmask);
418
419 #if 0
420 // When debugging it can be helpful to check that we really aren't making
421 // any hidden calls to malloc.
422 void *malloc_thunk =
423 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
424 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
425 memset(reinterpret_cast<void*>(malloc), 0xff, 8);
426 #endif // 0
427
428 #if defined(OS_CHROMEOS)
429 if (options.ctrl_terminal_fd >= 0) {
430 // Set process' controlling terminal.
431 if (HANDLE_EINTR(setsid()) != -1) {
432 if (HANDLE_EINTR(
433 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) {
434 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
435 }
436 } else {
437 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
438 }
439 }
440 #endif // defined(OS_CHROMEOS)
441
442 if (options.fds_to_remap) {
443 // Cannot use STL iterators here, since debug iterators use locks.
444 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) {
445 const FileHandleMappingVector::value_type& value =
446 (*options.fds_to_remap)[i];
447 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
448 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
449 }
450 }
451
452 if (!options.environ.empty() || options.clear_environ)
453 SetEnvironment(new_environ.get());
454
455 // fd_shuffle1 is mutated by this call because it cannot malloc.
456 if (!ShuffleFileDescriptors(&fd_shuffle1))
457 _exit(127);
458
459 CloseSuperfluousFds(fd_shuffle2);
460
461 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
462 // 3.5+, do not check the return value of prctl here.
463 #if defined(OS_LINUX)
464 #ifndef PR_SET_NO_NEW_PRIVS
465 #define PR_SET_NO_NEW_PRIVS 38
466 #endif
467 if (!options.allow_new_privs) {
468 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
469 // Only log if the error is not EINVAL (i.e. not supported).
470 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
471 }
472 }
473
474 if (options.kill_on_parent_death) {
475 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) {
476 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed");
477 _exit(127);
478 }
479 }
480 #endif
481
482 if (current_directory != nullptr) {
483 RAW_CHECK(chdir(current_directory) == 0);
484 }
485
486 if (options.pre_exec_delegate != nullptr) {
487 options.pre_exec_delegate->RunAsyncSafe();
488 }
489
490 execvp(argv_cstr[0], argv_cstr.get());
491
492 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
493 RAW_LOG(ERROR, argv_cstr[0]);
494 _exit(127);
495 } else {
496 // Parent process
497 if (options.wait) {
498 // While this isn't strictly disk IO, waiting for another process to
499 // finish is the sort of thing ThreadRestrictions is trying to prevent.
500 base::ThreadRestrictions::AssertIOAllowed();
501 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0));
502 DPCHECK(ret > 0);
503 }
504 }
505
506 return Process(pid);
507 }
508
RaiseProcessToHighPriority()509 void RaiseProcessToHighPriority() {
510 // On POSIX, we don't actually do anything here. We could try to nice() or
511 // setpriority() or sched_getscheduler, but these all require extra rights.
512 }
513
514 // Return value used by GetAppOutputInternal to encapsulate the various exit
515 // scenarios from the function.
516 enum GetAppOutputInternalResult {
517 EXECUTE_FAILURE,
518 EXECUTE_SUCCESS,
519 GOT_MAX_OUTPUT,
520 };
521
522 // Executes the application specified by |argv| and wait for it to exit. Stores
523 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
524 // path for the application; in that case, |envp| must be null, and it will use
525 // the current environment. If |do_search_path| is false, |argv[0]| should fully
526 // specify the path of the application, and |envp| will be used as the
527 // environment. If |include_stderr| is true, includes stderr otherwise redirects
528 // it to /dev/null.
529 // If we successfully start the application and get all requested output, we
530 // return GOT_MAX_OUTPUT, or if there is a problem starting or exiting
531 // the application we return RUN_FAILURE. Otherwise we return EXECUTE_SUCCESS.
532 // The GOT_MAX_OUTPUT return value exists so a caller that asks for limited
533 // output can treat this as a success, despite having an exit code of SIG_PIPE
534 // due to us closing the output pipe.
535 // In the case of EXECUTE_SUCCESS, the application exit code will be returned
536 // in |*exit_code|, which should be checked to determine if the application
537 // ran successfully.
GetAppOutputInternal(const std::vector<std::string> & argv,char * const envp[],bool include_stderr,std::string * output,size_t max_output,bool do_search_path,int * exit_code)538 static GetAppOutputInternalResult GetAppOutputInternal(
539 const std::vector<std::string>& argv,
540 char* const envp[],
541 bool include_stderr,
542 std::string* output,
543 size_t max_output,
544 bool do_search_path,
545 int* exit_code) {
546 // Doing a blocking wait for another command to finish counts as IO.
547 base::ThreadRestrictions::AssertIOAllowed();
548 // exit_code must be supplied so calling function can determine success.
549 DCHECK(exit_code);
550 *exit_code = EXIT_FAILURE;
551
552 int pipe_fd[2];
553 pid_t pid;
554 InjectiveMultimap fd_shuffle1, fd_shuffle2;
555 scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
556
557 fd_shuffle1.reserve(3);
558 fd_shuffle2.reserve(3);
559
560 // Either |do_search_path| should be false or |envp| should be null, but not
561 // both.
562 DCHECK(!do_search_path ^ !envp);
563
564 if (pipe(pipe_fd) < 0)
565 return EXECUTE_FAILURE;
566
567 switch (pid = fork()) {
568 case -1: // error
569 close(pipe_fd[0]);
570 close(pipe_fd[1]);
571 return EXECUTE_FAILURE;
572 case 0: // child
573 {
574 // DANGER: no calls to malloc or locks are allowed from now on:
575 // http://crbug.com/36678
576
577 #if defined(OS_MACOSX)
578 RestoreDefaultExceptionHandler();
579 #endif
580
581 // Obscure fork() rule: in the child, if you don't end up doing exec*(),
582 // you call _exit() instead of exit(). This is because _exit() does not
583 // call any previously-registered (in the parent) exit handlers, which
584 // might do things like block waiting for threads that don't even exist
585 // in the child.
586 int dev_null = open("/dev/null", O_WRONLY);
587 if (dev_null < 0)
588 _exit(127);
589
590 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
591 fd_shuffle1.push_back(InjectionArc(
592 include_stderr ? pipe_fd[1] : dev_null,
593 STDERR_FILENO, true));
594 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
595 // Adding another element here? Remeber to increase the argument to
596 // reserve(), above.
597
598 for (size_t i = 0; i < fd_shuffle1.size(); ++i)
599 fd_shuffle2.push_back(fd_shuffle1[i]);
600
601 if (!ShuffleFileDescriptors(&fd_shuffle1))
602 _exit(127);
603
604 CloseSuperfluousFds(fd_shuffle2);
605
606 for (size_t i = 0; i < argv.size(); i++)
607 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
608 argv_cstr[argv.size()] = NULL;
609 if (do_search_path)
610 execvp(argv_cstr[0], argv_cstr.get());
611 else
612 execve(argv_cstr[0], argv_cstr.get(), envp);
613 _exit(127);
614 }
615 default: // parent
616 {
617 // Close our writing end of pipe now. Otherwise later read would not
618 // be able to detect end of child's output (in theory we could still
619 // write to the pipe).
620 close(pipe_fd[1]);
621
622 output->clear();
623 char buffer[256];
624 size_t output_buf_left = max_output;
625 ssize_t bytes_read = 1; // A lie to properly handle |max_output == 0|
626 // case in the logic below.
627
628 while (output_buf_left > 0) {
629 bytes_read = HANDLE_EINTR(read(pipe_fd[0], buffer,
630 std::min(output_buf_left, sizeof(buffer))));
631 if (bytes_read <= 0)
632 break;
633 output->append(buffer, bytes_read);
634 output_buf_left -= static_cast<size_t>(bytes_read);
635 }
636 close(pipe_fd[0]);
637
638 // Always wait for exit code (even if we know we'll declare
639 // GOT_MAX_OUTPUT).
640 Process process(pid);
641 bool success = process.WaitForExit(exit_code);
642
643 // If we stopped because we read as much as we wanted, we return
644 // GOT_MAX_OUTPUT (because the child may exit due to |SIGPIPE|).
645 if (!output_buf_left && bytes_read > 0)
646 return GOT_MAX_OUTPUT;
647 else if (success)
648 return EXECUTE_SUCCESS;
649 return EXECUTE_FAILURE;
650 }
651 }
652 }
653
GetAppOutput(const CommandLine & cl,std::string * output)654 bool GetAppOutput(const CommandLine& cl, std::string* output) {
655 return GetAppOutput(cl.argv(), output);
656 }
657
GetAppOutput(const std::vector<std::string> & argv,std::string * output)658 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
659 // Run |execve()| with the current environment and store "unlimited" data.
660 int exit_code;
661 GetAppOutputInternalResult result = GetAppOutputInternal(
662 argv, NULL, false, output, std::numeric_limits<std::size_t>::max(), true,
663 &exit_code);
664 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS;
665 }
666
GetAppOutputAndError(const CommandLine & cl,std::string * output)667 bool GetAppOutputAndError(const CommandLine& cl, std::string* output) {
668 // Run |execve()| with the current environment and store "unlimited" data.
669 int exit_code;
670 GetAppOutputInternalResult result = GetAppOutputInternal(
671 cl.argv(), NULL, true, output, std::numeric_limits<std::size_t>::max(),
672 true, &exit_code);
673 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS;
674 }
675
676 // TODO(viettrungluu): Conceivably, we should have a timeout as well, so we
677 // don't hang if what we're calling hangs.
GetAppOutputRestricted(const CommandLine & cl,std::string * output,size_t max_output)678 bool GetAppOutputRestricted(const CommandLine& cl,
679 std::string* output, size_t max_output) {
680 // Run |execve()| with the empty environment.
681 char* const empty_environ = NULL;
682 int exit_code;
683 GetAppOutputInternalResult result = GetAppOutputInternal(
684 cl.argv(), &empty_environ, false, output, max_output, false, &exit_code);
685 return result == GOT_MAX_OUTPUT || (result == EXECUTE_SUCCESS &&
686 exit_code == EXIT_SUCCESS);
687 }
688
GetAppOutputWithExitCode(const CommandLine & cl,std::string * output,int * exit_code)689 bool GetAppOutputWithExitCode(const CommandLine& cl,
690 std::string* output,
691 int* exit_code) {
692 // Run |execve()| with the current environment and store "unlimited" data.
693 GetAppOutputInternalResult result = GetAppOutputInternal(
694 cl.argv(), NULL, false, output, std::numeric_limits<std::size_t>::max(),
695 true, exit_code);
696 return result == EXECUTE_SUCCESS;
697 }
698
699 #endif // !defined(OS_NACL_NONSFI)
700
701 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI)
702 namespace {
703
IsRunningOnValgrind()704 bool IsRunningOnValgrind() {
705 return RUNNING_ON_VALGRIND;
706 }
707
708 // This function runs on the stack specified on the clone call. It uses longjmp
709 // to switch back to the original stack so the child can return from sys_clone.
CloneHelper(void * arg)710 int CloneHelper(void* arg) {
711 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
712 longjmp(*env_ptr, 1);
713
714 // Should not be reached.
715 RAW_CHECK(false);
716 return 1;
717 }
718
719 // This function is noinline to ensure that stack_buf is below the stack pointer
720 // that is saved when setjmp is called below. This is needed because when
721 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved
722 // upwards. See crbug.com/442912 for more details.
723 #if defined(ADDRESS_SANITIZER)
724 // Disable AddressSanitizer instrumentation for this function to make sure
725 // |stack_buf| is allocated on thread stack instead of ASan's fake stack.
726 // Under ASan longjmp() will attempt to clean up the area between the old and
727 // new stack pointers and print a warning that may confuse the user.
728 __attribute__((no_sanitize_address))
729 #endif
CloneAndLongjmpInChild(unsigned long flags,pid_t * ptid,pid_t * ctid,jmp_buf * env)730 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags,
731 pid_t* ptid,
732 pid_t* ctid,
733 jmp_buf* env) {
734 // We use the libc clone wrapper instead of making the syscall
735 // directly because making the syscall may fail to update the libc's
736 // internal pid cache. The libc interface unfortunately requires
737 // specifying a new stack, so we use setjmp/longjmp to emulate
738 // fork-like behavior.
739 char stack_buf[PTHREAD_STACK_MIN];
740 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
741 defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
742 // The stack grows downward.
743 void* stack = stack_buf + sizeof(stack_buf);
744 #else
745 #error "Unsupported architecture"
746 #endif
747 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid);
748 }
749
750 } // anonymous namespace
751
ForkWithFlags(unsigned long flags,pid_t * ptid,pid_t * ctid)752 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) {
753 const bool clone_tls_used = flags & CLONE_SETTLS;
754 const bool invalid_ctid =
755 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
756 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;
757
758 // We do not support CLONE_VM.
759 const bool clone_vm_used = flags & CLONE_VM;
760
761 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
762 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags");
763 }
764
765 // Valgrind's clone implementation does not support specifiying a child_stack
766 // without CLONE_VM, so we cannot use libc's clone wrapper when running under
767 // Valgrind. As a result, the libc pid cache may be incorrect under Valgrind.
768 // See crbug.com/442817 for more details.
769 if (IsRunningOnValgrind()) {
770 // See kernel/fork.c in Linux. There is different ordering of sys_clone
771 // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options.
772 #if defined(ARCH_CPU_X86_64)
773 return syscall(__NR_clone, flags, nullptr, ptid, ctid, nullptr);
774 #elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \
775 defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_MIPS64_FAMILY)
776 // CONFIG_CLONE_BACKWARDS defined.
777 return syscall(__NR_clone, flags, nullptr, ptid, nullptr, ctid);
778 #else
779 #error "Unsupported architecture"
780 #endif
781 }
782
783 jmp_buf env;
784 if (setjmp(env) == 0) {
785 return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
786 }
787
788 return 0;
789 }
790 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI)
791
792 } // namespace base
793