Google Git
Sign in
chromium / chromium / src / 59f56d97fff01d8fed1de28f4a7865d62f80ad1a
commit59f56d97fff01d8fed1de28f4a7865d62f80ad1a[log] [tgz]
authordanakj <danakj@chromium.org>Thu Feb 01 15:31:35 2024
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Thu Feb 01 15:31:35 2024
tree8e0e3d6ad35a8fa3d51206e28f9e995d1b2206b1
parentd82b9f963354fdc4c8219189b0930b1e9cb5ce2d [diff]
Add UNSAFE_BUFFERS and UNSAFE_BUFFER_USAGE macros for C++ safe buffers

Functions annotated with UNSAFE_BUFFER_USAGE can not be called
from code that is opted into C++ safe buffers, unless the callsite is
wrapped with UNSAFE_BUFFERS(). All instances of UNSAFE_BUFFER_USAGE
should come with a Safety comment explaining the requirements of the
function that all callers must meet. All callers using the function
inside UNSAFE_BUFFERS() should explain in a SAFETY comment how they
meet the safety requirements of the unsafe function.

Pointer arithmetic/indexing can not be done in code that is opted into
C++ safe buffers either, unless the usage is wrapped with
UNSAFE_BUFFERS(). A SAFETY comment should be written explaining how the
preconditions of the unsafe pointer usage are met.

**USE OF UNSAFE_BUFFERS() SHOULD BE VERY RARE** and should come with
a "// SAFETY: " comment that explains how it is guaranteed to not cause
an out-of-bounds security bug that is based on local analysis only, such
as via CHECK()s. If the explanation requires cooperation of code that is
not fully encapsulated close to the `UNSAFE_BUFFERS()` usage, it should
be rejected and replaced with safer coding patterns or stronger
guarantees.

Using UNSAFE_BUFFERS() and getting it wrong gives a forever-path for
attackers to write exploits against Chrome. Avoid it almost always. Use
base::span<T> instead of T*.

The UNSAFE_BUFFERS() macro can be used to narrowly scope a single
expression or can be used to wrap a whole block.

Wrapping an expression:

```
// Does spooky stuff.
//
// # Safety
// The pointer must be valid and point to an array of at least 5 `int`s.
UNSAFE_BUFFER_USAGE int spooky_function(int* pointer);

void f(span<int, 5> s) {
  // SAFETY: The spooky_function requires the pointer has 5 ints,
  // which is true because we have a span with at least 5 as
  // specified in the type.
  int x = UNSAFE_BUFFERS(spooky_function(s.data()));
  ...
}
```

Wrapping a block:

```
// Does spooky stuff.
//
// # Safety
// The pointer must be valid and point to an array of at least 5 `int`s.
UNSAFE_BUFFER_USAGE int* spooky_function(int* pointer);

void f(span<int, 5> s) {
  UNSAFE_BUFFERS({
    // SAFETY: The spooky_function requires the pointer has 5 ints,
    // which is true because we have a span with at least 5 as
    // specified in the type.
    int* x = UNSAFE_BUFFERS(spooky_function(pointer));
    hope_we_got_things_right(x[6u]);
  })
}
```

Adds a `unsafe_buffer_warning_header_allowlist` list of paths that
will be considered system headers so that unsafe buffer usage in
those headers does not prevent us from enabling the warning on our
own code.

R=dcheng@chromium.org

Bug: 1490484
Change-Id: Id5a808054f265674638e8236fa18a5e28e569dd1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5249877
Commit-Queue: danakj <danakj@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Hans Wennborg <hans@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1255055}
6 files changed
tree: 8e0e3d6ad35a8fa3d51206e28f9e995d1b2206b1
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. webkit/
  51. clank
  52. internal
  53. ios_internal
  54. native_client
  55. signing_keys
  56. v8
  57. .clang-format
  58. .clang-tidy
  59. .clangd
  60. .eslintrc.js
  61. .git-blame-ignore-revs
  62. .gitallowed
  63. .gitattributes
  64. .gitignore
  65. .gitmodules
  66. .gn
  67. .mailmap
  68. .rustfmt.toml
  69. .vpython3
  70. .yapfignore
  71. ATL_OWNERS
  72. AUTHORS
  73. BUILD.gn
  74. CODE_OF_CONDUCT.md
  75. codereview.settings
  76. DEPS
  77. DIR_METADATA
  78. LICENSE
  79. LICENSE.chromium_os
  80. OWNERS
  81. PRESUBMIT.py
  82. PRESUBMIT_test.py
  83. PRESUBMIT_test_mocks.py
  84. README.md
  85. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure.

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.