| Index: sandbox/win/src/target_process.cc
|
| ===================================================================
|
| --- sandbox/win/src/target_process.cc (revision 156553)
|
| +++ sandbox/win/src/target_process.cc (working copy)
|
| @@ -35,8 +35,29 @@
|
| }
|
| }
|
|
|
| +// Reserve a random range at the bottom of the address space in the target
|
| +// process to prevent predictable alocations at low addresses.
|
| +void PoisonLowerAddressRange(HANDLE process) {
|
| + unsigned int limit;
|
| + rand_s(&limit);
|
| + char* ptr = 0;
|
| + const size_t kMask64k = 0xFFFF;
|
| + // Random range (512k-16.5mb) in 64k steps.
|
| + const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
|
| + while (ptr < end) {
|
| + MEMORY_BASIC_INFORMATION memory_info;
|
| + if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
|
| + break;
|
| + size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
|
| + static_cast<SIZE_T>(end - ptr));
|
| + if (ptr && memory_info.State == MEM_FREE)
|
| + ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
|
| + ptr += size;
|
| + }
|
| }
|
|
|
| +}
|
| +
|
| namespace sandbox {
|
|
|
| SANDBOX_INTERCEPT HANDLE g_shared_section;
|
| @@ -147,6 +168,8 @@
|
| }
|
| lockdown_token_.Close();
|
|
|
| + PoisonLowerAddressRange(process_info.process_handle());
|
| +
|
| DWORD win_result = ERROR_SUCCESS;
|
|
|
| // Assign the suspended target to the windows job object.
|
|
|
Chromium Code Reviews
Issue 10907217:
Revert 156550 - Add sandbox support for Windows process mitigations (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/