/*

 * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 *

 */

#include "precompiled.hpp"

#include "classfile/vmSymbols.hpp"

#include "logging/log.hpp"

#include "memory/allocation.inline.hpp"

#include "memory/resourceArea.hpp"

#include "oops/oop.inline.hpp"

#include "os_windows.inline.hpp"

#include "runtime/handles.inline.hpp"

#include "runtime/os.hpp"

#include "runtime/perfMemory.hpp"

#include "services/memTracker.hpp"

#include "utilities/exceptions.hpp"

#include <windows.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <errno.h>

#include <lmcons.h>

typedef BOOL (WINAPI *SetSecurityDescriptorControlFnPtr)(

   IN PSECURITY_DESCRIPTOR pSecurityDescriptor,

   IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,

   IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);

// Standard Memory Implementation Details

// create the PerfData memory region in standard memory.

//

static char* create_standard_memory(size_t size) {

  // allocate an aligned chuck of memory

  char* mapAddress = os::reserve_memory(size);

  if (mapAddress == NULL) {

    return NULL;

  }

  // commit memory

  if (!os::commit_memory(mapAddress, size, !ExecMem)) {

    if (PrintMiscellaneous && Verbose) {

      warning("Could not commit PerfData memory\n");

    }

    os::release_memory(mapAddress, size);

    return NULL;

  }

  return mapAddress;

}

// delete the PerfData memory region

//

static void delete_standard_memory(char* addr, size_t size) {

  // there are no persistent external resources to cleanup for standard

  // memory. since DestroyJavaVM does not support unloading of the JVM,

  // cleanup of the memory resource is not performed. The memory will be

  // reclaimed by the OS upon termination of the process.

  //

  return;

}

// save the specified memory region to the given file

//

static void save_memory_to_file(char* addr, size_t size) {

  const char* destfile = PerfMemory::get_perfdata_file_path();

  assert(destfile[0] != '\0', "invalid Perfdata file path");

  int fd = ::_open(destfile, _O_BINARY|_O_CREAT|_O_WRONLY|_O_TRUNC,

                   _S_IREAD|_S_IWRITE);

  if (fd == OS_ERR) {

    if (PrintMiscellaneous && Verbose) {

      warning("Could not create Perfdata save file: %s: %s\n",

              destfile, os::strerror(errno));

    }

  } else {

    for (size_t remaining = size; remaining > 0;) {

      int nbytes = ::_write(fd, addr, (unsigned int)remaining);

      if (nbytes == OS_ERR) {

        if (PrintMiscellaneous && Verbose) {

          warning("Could not write Perfdata save file: %s: %s\n",

                  destfile, os::strerror(errno));

        }

        break;

      }

      remaining -= (size_t)nbytes;

      addr += nbytes;

    }

    int result = ::_close(fd);

    if (PrintMiscellaneous && Verbose) {

      if (result == OS_ERR) {

        warning("Could not close %s: %s\n", destfile, os::strerror(errno));

      }

    }

  }

  FREE_C_HEAP_ARRAY(char, destfile);

}

// Shared Memory Implementation Details

// Note: the win32 shared memory implementation uses two objects to represent

// the shared memory: a windows kernel based file mapping object and a backing

// store file. On windows, the name space for shared memory is a kernel

// based name space that is disjoint from other win32 name spaces. Since Java

// is unaware of this name space, a parallel file system based name space is

// maintained, which provides a common file system based shared memory name

// space across the supported platforms and one that Java apps can deal with

// through simple file apis.

//

// For performance and resource cleanup reasons, it is recommended that the

// user specific directory and the backing store file be stored in either a

// RAM based file system or a local disk based file system. Network based

// file systems are not recommended for performance reasons. In addition,

// use of SMB network based file systems may result in unsuccesful cleanup

// of the disk based resource on exit of the VM. The Windows TMP and TEMP

// environement variables, as used by the GetTempPath() Win32 API (see

// os::get_temp_directory() in os_win32.cpp), control the location of the

// user specific directory and the shared memory backing store file.

static HANDLE sharedmem_fileMapHandle = NULL;

static HANDLE sharedmem_fileHandle = INVALID_HANDLE_VALUE;

static char*  sharedmem_fileName = NULL;

// return the user specific temporary directory name.

//

// the caller is expected to free the allocated memory.

//

static char* get_user_tmp_dir(const char* user) {

  const char* tmpdir = os::get_temp_directory();

  const char* perfdir = PERFDATA_NAME;

  size_t nbytes = strlen(tmpdir) + strlen(perfdir) + strlen(user) + 3;

  char* dirname = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);

  // construct the path name to user specific tmp directory

  _snprintf(dirname, nbytes, "%s\\%s_%s", tmpdir, perfdir, user);

  return dirname;

}

// convert the given file name into a process id. if the file

// does not meet the file naming constraints, return 0.

//

static int filename_to_pid(const char* filename) {

  // a filename that doesn't begin with a digit is not a

  // candidate for conversion.

  //

  if (!isdigit(*filename)) {

    return 0;

  }

  // check if file name can be converted to an integer without

  // any leftover characters.

  //

  char* remainder = NULL;

  errno = 0;

  int pid = (int)strtol(filename, &remainder, 10);

  if (errno != 0) {

    return 0;

  }

  // check for left over characters. If any, then the filename is

  // not a candidate for conversion.

  //

  if (remainder != NULL && *remainder != '\0') {

    return 0;

  }

  // successful conversion, return the pid

  return pid;

}

// check if the given path is considered a secure directory for

// the backing store files. Returns true if the directory exists

// and is considered a secure location. Returns false if the path

// is a symbolic link or if an error occurred.

//

static bool is_directory_secure(const char* path) {

  DWORD fa;

  fa = GetFileAttributes(path);

  if (fa == 0xFFFFFFFF) {

    DWORD lasterror = GetLastError();

    if (lasterror == ERROR_FILE_NOT_FOUND) {

      return false;

    }

    else {

      // unexpected error, declare the path insecure

      if (PrintMiscellaneous && Verbose) {

        warning("could not get attributes for file %s: ",

                " lasterror = %d\n", path, lasterror);

      }

      return false;

    }

  }

  if (fa & FILE_ATTRIBUTE_REPARSE_POINT) {

    // we don't accept any redirection for the user specific directory

    // so declare the path insecure. This may be too conservative,

    // as some types of reparse points might be acceptable, but it

    // is probably more secure to avoid these conditions.

    //

    if (PrintMiscellaneous && Verbose) {

      warning("%s is a reparse point\n", path);

    }

    return false;

  }

  if (fa & FILE_ATTRIBUTE_DIRECTORY) {

    // this is the expected case. Since windows supports symbolic

    // links to directories only, not to files, there is no need

    // to check for open write permissions on the directory. If the

    // directory has open write permissions, any files deposited that

    // are not expected will be removed by the cleanup code.

    //

    return true;

  }

  else {

    // this is either a regular file or some other type of file,

    // any of which are unexpected and therefore insecure.

    //

    if (PrintMiscellaneous && Verbose) {

      warning("%s is not a directory, file attributes = "

              INTPTR_FORMAT "\n", path, fa);

    }

    return false;

  }

}

// return the user name for the owner of this process

//

// the caller is expected to free the allocated memory.

//

static char* get_user_name() {

  /* get the user name. This code is adapted from code found in

   * the jdk in src/windows/native/java/lang/java_props_md.c

   * java_props_md.c  1.29 02/02/06. According to the original

   * source, the call to GetUserName is avoided because of a resulting

   * increase in footprint of 100K.

   */

  char* user = getenv("USERNAME");

  char buf[UNLEN+1];

  DWORD buflen = sizeof(buf);

  if (user == NULL || strlen(user) == 0) {

    if (GetUserName(buf, &buflen)) {

      user = buf;

    }

    else {

      return NULL;

    }

  }

  char* user_name = NEW_C_HEAP_ARRAY(char, strlen(user)+1, mtInternal);

  strcpy(user_name, user);

  return user_name;

}

// return the name of the user that owns the process identified by vmid.

//

// This method uses a slow directory search algorithm to find the backing

// store file for the specified vmid and returns the user name, as determined

// by the user name suffix of the hsperfdata_<username> directory name.

//

// the caller is expected to free the allocated memory.

//

static char* get_user_name_slow(int vmid) {

  // directory search

  char* latest_user = NULL;

  time_t latest_ctime = 0;

  const char* tmpdirname = os::get_temp_directory();

  DIR* tmpdirp = os::opendir(tmpdirname);

  if (tmpdirp == NULL) {

    return NULL;

  }

  // for each entry in the directory that matches the pattern hsperfdata_*,

  // open the directory and check if the file for the given vmid exists.

  // The file with the expected name and the latest creation date is used

  // to determine the user name for the process id.

  //

  struct dirent* dentry;

  errno = 0;

    // check if the directory entry is a hsperfdata file

    if (strncmp(dentry->d_name, PERFDATA_NAME, strlen(PERFDATA_NAME)) != 0) {

      continue;

    }

    char* usrdir_name = NEW_C_HEAP_ARRAY(char,

        strlen(tmpdirname) + strlen(dentry->d_name) + 2, mtInternal);

    strcpy(usrdir_name, tmpdirname);

    strcat(usrdir_name, "\\");

    strcat(usrdir_name, dentry->d_name);

    DIR* subdirp = os::opendir(usrdir_name);

    if (subdirp == NULL) {

      FREE_C_HEAP_ARRAY(char, usrdir_name);

      continue;

    }

    // Since we don't create the backing store files in directories

    // pointed to by symbolic links, we also don't follow them when

    // looking for the files. We check for a symbolic link after the

    // call to opendir in order to eliminate a small window where the

    // symlink can be exploited.

    //

    if (!is_directory_secure(usrdir_name)) {

      FREE_C_HEAP_ARRAY(char, usrdir_name);

      os::closedir(subdirp);

      continue;

    }

    struct dirent* udentry;

    errno = 0;

      if (filename_to_pid(udentry->d_name) == vmid) {

        struct stat statbuf;

        char* filename = NEW_C_HEAP_ARRAY(char,

           strlen(usrdir_name) + strlen(udentry->d_name) + 2, mtInternal);

        strcpy(filename, usrdir_name);

        strcat(filename, "\\");

        strcat(filename, udentry->d_name);

        if (::stat(filename, &statbuf) == OS_ERR) {

           FREE_C_HEAP_ARRAY(char, filename);

           continue;

        }

        // skip over files that are not regular files.

        if ((statbuf.st_mode & S_IFMT) != S_IFREG) {

          FREE_C_HEAP_ARRAY(char, filename);

          continue;

        }

        // If we found a matching file with a newer creation time, then

        // save the user name. The newer creation time indicates that

        // we found a newer incarnation of the process associated with

        // vmid. Due to the way that Windows recycles pids and the fact

        // that we can't delete the file from the file system namespace

        // until last close, it is possible for there to be more than

        // one hsperfdata file with a name matching vmid (diff users).

        //

        // We no longer ignore hsperfdata files where (st_size == 0).

        // In this function, all we're trying to do is determine the

        // name of the user that owns the process associated with vmid

        // so the size doesn't matter. Very rarely, we have observed

        // hsperfdata files where (st_size == 0) and the st_size field

        // later becomes the expected value.

        //

        if (statbuf.st_ctime > latest_ctime) {

          char* user = strchr(dentry->d_name, '_') + 1;

          if (latest_user != NULL) FREE_C_HEAP_ARRAY(char, latest_user);

          latest_user = NEW_C_HEAP_ARRAY(char, strlen(user)+1, mtInternal);

          strcpy(latest_user, user);

          latest_ctime = statbuf.st_ctime;

        }

        FREE_C_HEAP_ARRAY(char, filename);

      }

    }

    os::closedir(subdirp);

    FREE_C_HEAP_ARRAY(char, usrdir_name);

  }

  os::closedir(tmpdirp);

  return(latest_user);

}

// return the name of the user that owns the process identified by vmid.

//

// note: this method should only be used via the Perf native methods.

// There are various costs to this method and limiting its use to the

// Perf native methods limits the impact to monitoring applications only.

//

static char* get_user_name(int vmid) {

  // A fast implementation is not provided at this time. It's possible

  // to provide a fast process id to user name mapping function using

  // the win32 apis, but the default ACL for the process object only

  // allows processes with the same owner SID to acquire the process

  // handle (via OpenProcess(PROCESS_QUERY_INFORMATION)). It's possible

  // to have the JVM change the ACL for the process object to allow arbitrary

  // users to access the process handle and the process security token.

  // The security ramifications need to be studied before providing this

  // mechanism.

  //

  return get_user_name_slow(vmid);

}

// return the name of the shared memory file mapping object for the

// named shared memory region for the given user name and vmid.

//

// The file mapping object's name is not the file name. It is a name

// in a separate name space.

//

// the caller is expected to free the allocated memory.

//

static char *get_sharedmem_objectname(const char* user, int vmid) {

  // construct file mapping object's name, add 3 for two '_' and a

  // null terminator.

  int nbytes = (int)strlen(PERFDATA_NAME) + (int)strlen(user) + 3;

  // the id is converted to an unsigned value here because win32 allows

  // negative process ids. However, OpenFileMapping API complains

  // about a name containing a '-' characters.

  //

  nbytes += UINT_CHARS;

  char* name = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);

  _snprintf(name, nbytes, "%s_%s_%u", PERFDATA_NAME, user, vmid);

  return name;

}

// return the file name of the backing store file for the named

// shared memory region for the given user name and vmid.

//

// the caller is expected to free the allocated memory.

//

static char* get_sharedmem_filename(const char* dirname, int vmid) {

  // add 2 for the file separator and a null terminator.

  size_t nbytes = strlen(dirname) + UINT_CHARS + 2;

  char* name = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);

  _snprintf(name, nbytes, "%s\\%d", dirname, vmid);

  return name;

}

// remove file

//

// this method removes the file with the given file name.

//

// Note: if the indicated file is on an SMB network file system, this

// method may be unsuccessful in removing the file.

//

static void remove_file(const char* dirname, const char* filename) {

  size_t nbytes = strlen(dirname) + strlen(filename) + 2;

  char* path = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);

  strcpy(path, dirname);

  strcat(path, "\\");

  strcat(path, filename);

  if (::unlink(path) == OS_ERR) {

    if (PrintMiscellaneous && Verbose) {

      if (errno != ENOENT) {

        warning("Could not unlink shared memory backing"

                " store file %s : %s\n", path, os::strerror(errno));

      }

    }

  }

  FREE_C_HEAP_ARRAY(char, path);

}

// returns true if the process represented by pid is alive, otherwise

// returns false. the validity of the result is only accurate if the

// target process is owned by the same principal that owns this process.

// this method should not be used if to test the status of an otherwise

// arbitrary process unless it is know that this process has the appropriate

// privileges to guarantee a result valid.

//

static bool is_alive(int pid) {

  HANDLE ph = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);

  if (ph == NULL) {

    // the process does not exist.

    if (PrintMiscellaneous && Verbose) {

      DWORD lastError = GetLastError();

      if (lastError != ERROR_INVALID_PARAMETER) {