1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
|
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
/*============================================================
**
** Class: SafeHandle
**
**
** Purpose: The unmanaged implementation of the SafeHandle
** class
**
===========================================================*/
#include "common.h"
#include "vars.hpp"
#include "object.h"
#include "excep.h"
#include "frames.h"
#include "eecontract.h"
#include "mdaassistants.h"
#include "typestring.h"
WORD SafeHandle::s_IsInvalidHandleMethodSlot = MethodTable::NO_SLOT;
WORD SafeHandle::s_ReleaseHandleMethodSlot = MethodTable::NO_SLOT;
void SafeHandle::Init()
{
CONTRACTL {
THROWS;
GC_TRIGGERS;
MODE_ANY;
} CONTRACTL_END;
// For reliability purposes, we need to eliminate all possible failure
// points before making a call to a CER method. IsInvalidHandle, and
// ReleaseHandle methods are critical calls that are already prepared (code:
// PrepareCriticalFinalizerObject). As a performance optimization, we are
// calling these methods through a fast macro that assumes the method slot
// has been already cached. Since figuring out the method slot for these 2
// methods involves calling .GetMethod which can fail, we are doing this
// eagerly here, Otherwise we will have to do it at the time of the call,
// and this could be at risk if .GetMethod failed.
MethodDesc* pMD = MscorlibBinder::GetMethod(METHOD__SAFE_HANDLE__GET_IS_INVALID);
s_IsInvalidHandleMethodSlot = pMD->GetSlot();
pMD = MscorlibBinder::GetMethod(METHOD__SAFE_HANDLE__RELEASE_HANDLE);
s_ReleaseHandleMethodSlot = pMD->GetSlot();
}
void SafeHandle::AddRef()
{
CONTRACTL {
THROWS;
GC_TRIGGERS;
MODE_COOPERATIVE;
INSTANCE_CHECK;
} CONTRACTL_END;
// Cannot use "this" after Release, which toggles the GC mode.
SAFEHANDLEREF sh(this);
#ifdef _DEBUG
VALIDATEOBJECTREF(sh->m_debugStackTrace);
#endif
_ASSERTE(sh->IsFullyInitialized());
// To prevent handle recycling security attacks we must enforce the
// following invariant: we cannot successfully AddRef a handle on which
// we've committed to the process of releasing.
// We ensure this by never AddRef'ing a handle that is marked closed and
// never marking a handle as closed while the ref count is non-zero. For
// this to be thread safe we must perform inspection/updates of the two
// values as a single atomic operation. We achieve this by storing them both
// in a single aligned DWORD and modifying the entire state via interlocked
// compare exchange operations.
// Additionally we have to deal with the problem of the Dispose operation.
// We must assume that this operation is directly exposed to untrusted
// callers and that malicious callers will try and use what is basically a
// Release call to decrement the ref count to zero and free the handle while
// it's still in use (the other way a handle recycling attack can be
// mounted). We combat this by allowing only one Dispose to operate against
// a given safe handle (which balances the creation operation given that
// Dispose suppresses finalization). We record the fact that a Dispose has
// been requested in the same state field as the ref count and closed state.
// So the state field ends up looking like this:
//
// 31 2 1 0
// +-----------------------------------------------------------+---+---+
// | Ref count | D | C |
// +-----------------------------------------------------------+---+---+
//
// Where D = 1 means a Dispose has been performed and C = 1 means the
// underlying handle has (or will be shortly) released.
// Might have to perform the following steps multiple times due to
// interference from other AddRef's and Release's.
INT32 oldState, newState;
do {
// First step is to read the current handle state. We use this as a
// basis to decide whether an AddRef is legal and, if so, to propose an
// update predicated on the initial state (a conditional write).
oldState = sh->m_state;
// Check for closed state.
if (oldState & SH_State_Closed)
COMPlusThrow(kObjectDisposedException, IDS_EE_SAFEHANDLECLOSED);
// Not closed, let's propose an update (to the ref count, just add
// SH_RefCountOne to the state to effectively add 1 to the ref count).
// Continue doing this until the update succeeds (because nobody
// modifies the state field between the read and write operations) or
// the state moves to closed.
newState = oldState + SH_RefCountOne;
} while (InterlockedCompareExchange((LONG*)&sh->m_state, newState, oldState) != oldState);
// If we got here we managed to update the ref count while the state
// remained non closed. So we're done.
}
void SafeHandle::Release(bool fDispose)
{
CONTRACTL {
THROWS;
GC_TRIGGERS;
MODE_COOPERATIVE;
INSTANCE_CHECK;
} CONTRACTL_END;
// Cannot use "this" after RunReleaseMethod, which toggles the GC mode.
SAFEHANDLEREF sh(this);
#ifdef _DEBUG
VALIDATEOBJECTREF(sh->m_debugStackTrace);
#endif
_ASSERTE(sh->IsFullyInitialized());
// See AddRef above for the design of the synchronization here. Basically we
// will try to decrement the current ref count and, if that would take us to
// zero refs, set the closed state on the handle as well.
bool fPerformRelease = false;
// Might have to perform the following steps multiple times due to
// interference from other AddRef's and Release's.
INT32 oldState, newState;
do {
// First step is to read the current handle state. We use this cached
// value to predicate any modification we might decide to make to the
// state).
oldState = sh->m_state;
// If this is a Dispose operation we have additional requirements (to
// ensure that Dispose happens at most once as the comments in AddRef
// detail). We must check that the dispose bit is not set in the old
// state and, in the case of successful state update, leave the disposed
// bit set. Silently do nothing if Dispose has already been called
// (because we advertise that as a semantic of Dispose).
if (fDispose && (oldState & SH_State_Disposed))
return;
// We should never see a ref count of zero (that would imply we have
// unbalanced AddRef and Releases). (We might see a closed state before
// hitting zero though -- that can happen if SetHandleAsInvalid is
// used).
if ((oldState & SH_State_RefCount) == 0)
COMPlusThrow(kObjectDisposedException, IDS_EE_SAFEHANDLECLOSED);
// If we're proposing a decrement to zero and the handle is not closed
// and we own the handle then we need to release the handle upon a
// successful state update.
fPerformRelease = ((oldState & (SH_State_RefCount | SH_State_Closed)) == SH_RefCountOne) && m_ownsHandle;
// If so we need to check whether the handle is currently invalid by
// asking the SafeHandle subclass. We must do this *before*
// transitioning the handle to closed, however, since setting the closed
// state will cause IsInvalid to always return true.
if (fPerformRelease)
{
GCPROTECT_BEGIN(sh);
CLR_BOOL fIsInvalid = FALSE;
DECLARE_ARGHOLDER_ARRAY(args, 1);
args[ARGNUM_0] = OBJECTREF_TO_ARGHOLDER(sh);
PREPARE_SIMPLE_VIRTUAL_CALLSITE_USING_SLOT(s_IsInvalidHandleMethodSlot, sh);
CRITICAL_CALLSITE;
CALL_MANAGED_METHOD(fIsInvalid, CLR_BOOL, args);
if (fIsInvalid)
{
fPerformRelease = false;
}
GCPROTECT_END();
}
// Attempt the update to the new state, fail and retry if the initial
// state has been modified in the meantime. Decrement the ref count by
// substracting SH_RefCountOne from the state then OR in the bits for
// Dispose (if that's the reason for the Release) and closed (if the
// initial ref count was 1).
newState = (oldState - SH_RefCountOne) |
((oldState & SH_State_RefCount) == SH_RefCountOne ? SH_State_Closed : 0) |
(fDispose ? SH_State_Disposed : 0);
} while (InterlockedCompareExchange((LONG*)&sh->m_state, newState, oldState) != oldState);
// If we get here we successfully decremented the ref count. Additonally we
// may have decremented it to zero and set the handle state as closed. In
// this case (providng we own the handle) we will call the ReleaseHandle
// method on the SafeHandle subclass.
if (fPerformRelease)
RunReleaseMethod((SafeHandle*) OBJECTREFToObject(sh));
}
void SafeHandle::Dispose()
{
CONTRACTL {
THROWS;
GC_TRIGGERS;
MODE_COOPERATIVE;
INSTANCE_CHECK;
} CONTRACTL_END;
// You can't use the "this" pointer after the call to Release because
// Release may trigger a GC.
SAFEHANDLEREF sh(this);
#ifdef _DEBUG
VALIDATEOBJECTREF(sh->m_debugStackTrace);
#endif
_ASSERTE(sh->IsFullyInitialized());
GCPROTECT_BEGIN(sh);
sh->Release(true);
// Suppress finalization on this object (we may be racing here but the
// operation below is idempotent and a dispose should never race a
// finalization).
GCHeapUtilities::GetGCHeap()->SetFinalizationRun(OBJECTREFToObject(sh));
GCPROTECT_END();
}
void SafeHandle::SetHandle(LPVOID handle)
{
CONTRACTL {
THROWS;
MODE_COOPERATIVE;
INSTANCE_CHECK;
SO_TOLERANT;
} CONTRACTL_END;
_ASSERTE(IsFullyInitialized());
// The SafeHandle's handle field can only be set it if the SafeHandle isn't
// closed or disposed and its ref count is 1.
if (m_state != (LONG)SH_RefCountOne)
COMPlusThrow(kObjectDisposedException, IDS_EE_SAFEHANDLECANNOTSETHANDLE);
m_handle = handle;
}
void AcquireSafeHandle(SAFEHANDLEREF* s)
{
WRAPPER_NO_CONTRACT;
GCX_COOP();
_ASSERTE(s != NULL && *s != NULL);
(*s)->AddRef();
}
void ReleaseSafeHandle(SAFEHANDLEREF* s)
{
WRAPPER_NO_CONTRACT;
GCX_COOP();
_ASSERTE(s != NULL && *s != NULL);
(*s)->Release(false);
}
// This could theoretically be an instance method, but we'd need to
// somehow GC protect the this pointer or never dereference any
// field within the object. It's a lot simpler if we simply make
// this method static.
void SafeHandle::RunReleaseMethod(SafeHandle* psh)
{
CONTRACTL {
THROWS;
GC_TRIGGERS;
MODE_COOPERATIVE;
} CONTRACTL_END;
SAFEHANDLEREF sh(psh);
_ASSERTE(sh != NULL);
_ASSERTE(sh->m_ownsHandle);
_ASSERTE(sh->IsFullyInitialized());
GCPROTECT_BEGIN(sh);
// Save last error from P/Invoke in case the implementation of ReleaseHandle
// trashes it (important because this ReleaseHandle could occur implicitly
// as part of unmarshaling another P/Invoke).
Thread *pThread = GetThread();
DWORD dwSavedError = pThread->m_dwLastError;
CLR_BOOL fReleaseHandle = FALSE;
DECLARE_ARGHOLDER_ARRAY(args, 1);
args[ARGNUM_0] = OBJECTREF_TO_ARGHOLDER(sh);
PREPARE_SIMPLE_VIRTUAL_CALLSITE_USING_SLOT(s_ReleaseHandleMethodSlot, sh);
CRITICAL_CALLSITE;
CALL_MANAGED_METHOD(fReleaseHandle, CLR_BOOL, args);
if (!fReleaseHandle) {
#ifdef MDA_SUPPORTED
MDA_TRIGGER_ASSISTANT(ReleaseHandleFailed, ReportViolation(sh->GetTypeHandle(), sh->m_handle));
#endif
}
pThread->m_dwLastError = dwSavedError;
GCPROTECT_END();
}
FCIMPL1(void, SafeHandle::DisposeNative, SafeHandle* refThisUNSAFE)
{
FCALL_CONTRACT;
SAFEHANDLEREF sh(refThisUNSAFE);
if (sh == NULL)
FCThrowVoid(kNullReferenceException);
HELPER_METHOD_FRAME_BEGIN_1(sh);
_ASSERTE(sh->IsFullyInitialized());
sh->Dispose();
HELPER_METHOD_FRAME_END();
}
FCIMPLEND
FCIMPL1(void, SafeHandle::Finalize, SafeHandle* refThisUNSAFE)
{
FCALL_CONTRACT;
SAFEHANDLEREF sh(refThisUNSAFE);
_ASSERTE(sh != NULL);
HELPER_METHOD_FRAME_BEGIN_1(sh);
if (sh->IsFullyInitialized())
sh->Dispose();
// By the time we get here we better have gotten rid of any handle resources
// we own (unless we were force finalized during shutdown).
// It's possible to have a critical finalizer reference a
// safehandle that ends up calling DangerousRelease *after* this finalizer
// is run. In that case we assert since the state is not closed.
// _ASSERTE(!sh->IsFullyInitialized() || (sh->m_state & SH_State_Closed) || g_fEEShutDown);
HELPER_METHOD_FRAME_END();
}
FCIMPLEND
FCIMPL1(void, SafeHandle::SetHandleAsInvalid, SafeHandle* refThisUNSAFE)
{
FCALL_CONTRACT;
SAFEHANDLEREF sh(refThisUNSAFE);
_ASSERTE(sh != NULL);
// Attempt to set closed state (low order bit of the m_state field).
// Might have to attempt these repeatedly, if the operation suffers
// interference from an AddRef or Release.
INT32 oldState, newState;
do {
// First step is to read the current handle state so we can predicate a
// state update on it.
oldState = sh->m_state;
// New state has the same ref count but is now closed. Attempt to write
// this new state but fail if the state was updated in the meantime.
newState = oldState | SH_State_Closed;
} while (InterlockedCompareExchange((LONG*)&sh->m_state, newState, oldState) != oldState);
GCHeapUtilities::GetGCHeap()->SetFinalizationRun(OBJECTREFToObject(sh));
}
FCIMPLEND
FCIMPL2(void, SafeHandle::DangerousAddRef, SafeHandle* refThisUNSAFE, CLR_BOOL *pfSuccess)
{
FCALL_CONTRACT;
SAFEHANDLEREF sh(refThisUNSAFE);
HELPER_METHOD_FRAME_BEGIN_1(sh);
if (pfSuccess == NULL)
COMPlusThrow(kNullReferenceException);
sh->AddRef();
*pfSuccess = TRUE;
HELPER_METHOD_FRAME_END();
}
FCIMPLEND
FCIMPL1(void, SafeHandle::DangerousRelease, SafeHandle* refThisUNSAFE)
{
FCALL_CONTRACT;
SAFEHANDLEREF sh(refThisUNSAFE);
HELPER_METHOD_FRAME_BEGIN_1(sh);
sh->Release(FALSE);
HELPER_METHOD_FRAME_END();
}
FCIMPLEND
FCIMPL1(void, CriticalHandle::FireCustomerDebugProbe, CriticalHandle* refThisUNSAFE)
{
FCALL_CONTRACT;
CRITICALHANDLEREF ch(refThisUNSAFE);
HELPER_METHOD_FRAME_BEGIN_1(ch);
#ifdef MDA_SUPPORTED
MDA_TRIGGER_ASSISTANT(ReleaseHandleFailed, ReportViolation(ch->GetTypeHandle(), ch->m_handle));
#else
FCUnique(0x53);
#endif
HELPER_METHOD_FRAME_END();
}
FCIMPLEND
FCIMPL1(UINT, SafeBuffer::SizeOfType, ReflectClassBaseObject* typeUNSAFE)
{
FCALL_CONTRACT;
REFLECTCLASSBASEREF type(typeUNSAFE);
MethodTable* pMT = type->GetType().AsMethodTable();
if (!pMT->IsValueType() || pMT->ContainsPointers())
FCThrowArgument(W("type"), W("Argument_NeedStructWithNoRefs"));
FC_GC_POLL_RET();
return pMT->GetNumInstanceFieldBytes();
}
FCIMPLEND
FCIMPL1(UINT, SafeBuffer::AlignedSizeOfType, ReflectClassBaseObject* typeUNSAFE)
{
FCALL_CONTRACT;
REFLECTCLASSBASEREF type(typeUNSAFE);
MethodTable* pMT = type->GetType().AsMethodTable();
if (!pMT->IsValueType() || pMT->ContainsPointers())
FCThrowArgument(W("type"), W("Argument_NeedStructWithNoRefs"));
FC_GC_POLL_RET();
return pMT->GetAlignedNumInstanceFieldBytes();
}
FCIMPLEND
FCIMPL3(void, SafeBuffer::PtrToStructure, BYTE* ptr, FC_TypedByRef structure, UINT32 sizeofT)
{
FCALL_CONTRACT;
LPVOID structData = structure.data;
_ASSERTE(ptr != NULL && structData != NULL);
memcpyNoGCRefs(structData, ptr, sizeofT);
FC_GC_POLL();
}
FCIMPLEND
FCIMPL3(void, SafeBuffer::StructureToPtr, FC_TypedByRef structure, BYTE* ptr, UINT32 sizeofT)
{
FCALL_CONTRACT;
LPVOID structData = structure.data;
_ASSERTE(ptr != NULL && structData != NULL);
memcpyNoGCRefs(ptr, structData, sizeofT);
FC_GC_POLL();
}
FCIMPLEND
|
