Bug 1632687 - Part 1.5: Protect the hard-coded IPC child fd from accidental multiple use. r=mccr8

This "create a pipe" operation has a mode where, on Unix, it doesn't
create a new transport but rather uses a hard-coded fd for the initial
IPC channel in a child process.  (It was originally written for Windows
and the assumption of using named pipes and pathnames for everything.)

That seems like a footgun, so this patch checks for trying to "create"
that pipe twice.  However, it doesn't check for accidentally calling it
in the parent process.

Differential Revision: https://phabricator.services.mozilla.com/D72259
jld committed Jul 22, 2020
1 parent ed46c1b commit 2c07ba5
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions ipc/chromium/src/chrome/common/ipc_channel_posix.cc
Expand Up @@ -33,6 +33,7 @@
#include "chrome/common/ipc_channel_utils.h"
#include "chrome/common/ipc_message_utils.h"
#include "mozilla/ipc/ProtocolUtils.h"
#include "mozilla/Atomics.h"
#include "mozilla/StaticMutex.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/Unused.h"
Expand Down Expand Up @@ -200,6 +201,9 @@ bool Channel::ChannelImpl::CreatePipe(Mode mode) {
pipe_ = pipe_fds[0];
client_pipe_ = pipe_fds[1];
} else {
static mozilla::Atomic<bool> consumed(false);
CHECK(!consumed.exchange(true))
<< "child process main channel can be created only once";
pipe_ = gClientChannelFd;
waiting_connect_ = false;
}
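Review bot: the `consumed` flag in the `else` branch is a function-local static that is set once and never cleared, so it is process-wide, and the reason deserves a comment next to it: `gClientChannelFd` can be handed to only one `ChannelImpl` for the life of the process, which is why a second call aborts through `CHECK` instead of making `CreatePipe` return false. The commit message notes that a call in the parent process is not detected; if the process type can be queried at this point, asserting it in this branch would close that gap, and otherwise the limitation is worth recording in the same comment. It would also help to state whether `gClientChannelFd` is guaranteed to be valid by the time this branch runs, since nothing in these lines checks it before assigning it to `pipe_`.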