| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/target_process.h" | 5 #include "sandbox/win/src/target_process.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/win/pe_image.h" | 9 #include "base/win/pe_image.h" |
| 10 #include "base/win/startup_information.h" | 10 #include "base/win/startup_information.h" |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 | 28 |
| 29 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { | 29 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { |
| 30 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); | 30 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); |
| 31 if (buffer) { | 31 if (buffer) { |
| 32 buffer -= offset; | 32 buffer -= offset; |
| 33 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); | 33 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); |
| 34 } | 34 } |
| 35 } | 35 } |
| 36 } | 36 } |
| 37 | 37 |
| 38 // Reserve a random range at the bottom of the address space in the target |
| 39 // process to prevent predictable alocations at low addresses. |
| 40 void PoisonLowerAddressRange(HANDLE process) { |
| 41 unsigned int limit; |
| 42 rand_s(&limit); |
| 43 char* ptr = 0; |
| 44 const size_t kMask64k = 0xFFFF; |
| 45 // Random range (512k-16.5mb) in 64k steps. |
| 46 const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k); |
| 47 while (ptr < end) { |
| 48 MEMORY_BASIC_INFORMATION memory_info; |
| 49 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info))) |
| 50 break; |
| 51 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, |
| 52 static_cast<SIZE_T>(end - ptr)); |
| 53 if (ptr && memory_info.State == MEM_FREE) |
| 54 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); |
| 55 ptr += size; |
| 56 } |
| 57 } |
| 58 |
| 38 } | 59 } |
| 39 | 60 |
| 40 namespace sandbox { | 61 namespace sandbox { |
| 41 | 62 |
| 42 SANDBOX_INTERCEPT HANDLE g_shared_section; | 63 SANDBOX_INTERCEPT HANDLE g_shared_section; |
| 43 SANDBOX_INTERCEPT size_t g_shared_IPC_size; | 64 SANDBOX_INTERCEPT size_t g_shared_IPC_size; |
| 44 SANDBOX_INTERCEPT size_t g_shared_policy_size; | 65 SANDBOX_INTERCEPT size_t g_shared_policy_size; |
| 45 | 66 |
| 46 // Returns the address of the main exe module in memory taking in account | 67 // Returns the address of the main exe module in memory taking in account |
| 47 // address space layout randomization. | 68 // address space layout randomization. |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 140 FALSE, // Do not inherit handles. | 161 FALSE, // Do not inherit handles. |
| 141 flags, | 162 flags, |
| 142 NULL, // Use the environment of the caller. | 163 NULL, // Use the environment of the caller. |
| 143 NULL, // Use current directory of the caller. | 164 NULL, // Use current directory of the caller. |
| 144 startup_info.startup_info(), | 165 startup_info.startup_info(), |
| 145 process_info.Receive())) { | 166 process_info.Receive())) { |
| 146 return ::GetLastError(); | 167 return ::GetLastError(); |
| 147 } | 168 } |
| 148 lockdown_token_.Close(); | 169 lockdown_token_.Close(); |
| 149 | 170 |
| 171 PoisonLowerAddressRange(process_info.process_handle()); |
| 172 |
| 150 DWORD win_result = ERROR_SUCCESS; | 173 DWORD win_result = ERROR_SUCCESS; |
| 151 | 174 |
| 152 // Assign the suspended target to the windows job object. | 175 // Assign the suspended target to the windows job object. |
| 153 if (!::AssignProcessToJobObject(job_, process_info.process_handle())) { | 176 if (!::AssignProcessToJobObject(job_, process_info.process_handle())) { |
| 154 win_result = ::GetLastError(); | 177 win_result = ::GetLastError(); |
| 155 // It might be a security breach if we let the target run outside the job | 178 // It might be a security breach if we let the target run outside the job |
| 156 // so kill it before it causes damage. | 179 // so kill it before it causes damage. |
| 157 ::TerminateProcess(process_info.process_handle(), 0); | 180 ::TerminateProcess(process_info.process_handle(), 0); |
| 158 return win_result; | 181 return win_result; |
| 159 } | 182 } |
| (...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 324 | 347 |
| 325 | 348 |
| 326 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { | 349 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { |
| 327 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); | 350 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); |
| 328 target->sandbox_process_info_.Receive()->hProcess = process; | 351 target->sandbox_process_info_.Receive()->hProcess = process; |
| 329 target->base_address_ = base_address; | 352 target->base_address_ = base_address; |
| 330 return target; | 353 return target; |
| 331 } | 354 } |
| 332 | 355 |
| 333 } // namespace sandbox | 356 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10907217:
Revert 156550 - Add sandbox support for Windows process mitigations (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/