commit | 59f56d97fff01d8fed1de28f4a7865d62f80ad1a | [log] [tgz] |
---|---|---|
author | danakj <danakj@chromium.org> | Thu Feb 01 15:31:35 2024 |
committer | Chromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com> | Thu Feb 01 15:31:35 2024 |
tree | 8e0e3d6ad35a8fa3d51206e28f9e995d1b2206b1 | |
parent | d82b9f963354fdc4c8219189b0930b1e9cb5ce2d [diff] |
Add UNSAFE_BUFFERS and UNSAFE_BUFFER_USAGE macros for C++ safe buffers Functions annotated with UNSAFE_BUFFER_USAGE can not be called from code that is opted into C++ safe buffers, unless the callsite is wrapped with UNSAFE_BUFFERS(). All instances of UNSAFE_BUFFER_USAGE should come with a Safety comment explaining the requirements of the function that all callers must meet. All callers using the function inside UNSAFE_BUFFERS() should explain in a SAFETY comment how they meet the safety requirements of the unsafe function. Pointer arithmetic/indexing can not be done in code that is opted into C++ safe buffers either, unless the usage is wrapped with UNSAFE_BUFFERS(). A SAFETY comment should be written explaining how the preconditions of the unsafe pointer usage are met. **USE OF UNSAFE_BUFFERS() SHOULD BE VERY RARE** and should come with a "// SAFETY: " comment that explains how it is guaranteed to not cause an out-of-bounds security bug that is based on local analysis only, such as via CHECK()s. If the explanation requires cooperation of code that is not fully encapsulated close to the `UNSAFE_BUFFERS()` usage, it should be rejected and replaced with safer coding patterns or stronger guarantees. Using UNSAFE_BUFFERS() and getting it wrong gives a forever-path for attackers to write exploits against Chrome. Avoid it almost always. Use base::span<T> instead of T*. The UNSAFE_BUFFERS() macro can be used to narrowly scope a single expression or can be used to wrap a whole block. Wrapping an expression: ``` // Does spooky stuff. // // # Safety // The pointer must be valid and point to an array of at least 5 `int`s. UNSAFE_BUFFER_USAGE int spooky_function(int* pointer); void f(span<int, 5> s) { // SAFETY: The spooky_function requires the pointer has 5 ints, // which is true because we have a span with at least 5 as // specified in the type. int x = UNSAFE_BUFFERS(spooky_function(s.data())); ... } ``` Wrapping a block: ``` // Does spooky stuff. // // # Safety // The pointer must be valid and point to an array of at least 5 `int`s. UNSAFE_BUFFER_USAGE int* spooky_function(int* pointer); void f(span<int, 5> s) { UNSAFE_BUFFERS({ // SAFETY: The spooky_function requires the pointer has 5 ints, // which is true because we have a span with at least 5 as // specified in the type. int* x = UNSAFE_BUFFERS(spooky_function(pointer)); hope_we_got_things_right(x[6u]); }) } ``` Adds a `unsafe_buffer_warning_header_allowlist` list of paths that will be considered system headers so that unsafe buffer usage in those headers does not prevent us from enabling the warning on our own code. R=dcheng@chromium.org Bug: 1490484 Change-Id: Id5a808054f265674638e8236fa18a5e28e569dd1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5249877 Commit-Queue: danakj <danakj@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Hans Wennborg <hans@chromium.org> Cr-Commit-Position: refs/heads/main@{#1255055}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
To check out the source code locally, don't use git clone
! Instead, follow the instructions on how to get the code.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.
For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.
If you found a bug, please file it at https://crbug.com/new.