Chromium Code Reviews Chromium Code Reviews
Issue 9447078:
Reserve the bottom of the address space to prevent predictable alocations. (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/src/target_process.h" | 5 #include "sandbox/src/target_process.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/win/pe_image.h" | 9 #include "base/win/pe_image.h" |
| 10 #include "sandbox/src/crosscall_server.h" | 10 #include "sandbox/src/crosscall_server.h" |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 32 | 32 |
| 33 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { | 33 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { |
| 34 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); | 34 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); |
| 35 if (buffer) { | 35 if (buffer) { |
| 36 buffer -= offset; | 36 buffer -= offset; |
| 37 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); | 37 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); |
| 38 } | 38 } |
| 39 } | 39 } |
| 40 } | 40 } |
| 41 | 41 |
| 42 // Reserve a random range at the bottom of the address space in the target | |
| 43 // process to prevent predictable alocations at low addresses. | |
| 44 void PoisonLowerAddressRange(HANDLE process) { | |
| 45 unsigned int limit; | |
| 46 rand_s(&limit); | |
| 47 char* ptr = 0; | |
| 48 const char* end = ptr + (limit & 0xF0000); // range from 512kb - 1mb. | |
|
rvargas (doing something else)
2012/02/27 22:47:34
nit: "Range" ... 64k -
| |
| 49 const size_t kMask64k = 0xFFFF; | |
| 50 while (ptr < end) { | |
| 51 MEMORY_BASIC_INFORMATION memory_info; | |
| 52 if (!::VirtualQueryEx(process, ptr, &memory_info, | |
| 53 sizeof(memory_info))) { | |
| 54 break; | |
| 55 } | |
| 56 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, | |
| 57 static_cast<SIZE_T>(end - ptr)); | |
| 58 if (memory_info.State == MEM_FREE) | |
| 59 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); | |
| 60 ptr += size; | |
| 61 } | |
| 62 } | |
| 63 | |
| 42 } | 64 } |
| 43 | 65 |
| 44 namespace sandbox { | 66 namespace sandbox { |
| 45 | 67 |
| 46 SANDBOX_INTERCEPT HANDLE g_shared_section; | 68 SANDBOX_INTERCEPT HANDLE g_shared_section; |
| 47 SANDBOX_INTERCEPT size_t g_shared_IPC_size; | 69 SANDBOX_INTERCEPT size_t g_shared_IPC_size; |
| 48 SANDBOX_INTERCEPT size_t g_shared_policy_size; | 70 SANDBOX_INTERCEPT size_t g_shared_policy_size; |
| 49 | 71 |
| 50 // Returns the address of the main exe module in memory taking in account | 72 // Returns the address of the main exe module in memory taking in account |
| 51 // address space layout randomization. | 73 // address space layout randomization. |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 145 NULL, // No thread attribute. | 167 NULL, // No thread attribute. |
| 146 FALSE, // Do not inherit handles. | 168 FALSE, // Do not inherit handles. |
| 147 flags, | 169 flags, |
| 148 NULL, // Use the environment of the caller. | 170 NULL, // Use the environment of the caller. |
| 149 NULL, // Use current directory of the caller. | 171 NULL, // Use current directory of the caller. |
| 150 &startup_info, | 172 &startup_info, |
| 151 &process_info)) { | 173 &process_info)) { |
| 152 return ::GetLastError(); | 174 return ::GetLastError(); |
| 153 } | 175 } |
| 154 | 176 |
| 177 PoisonLowerAddressRange(process_info.hProcess); | |
| 178 | |
| 155 DWORD win_result = ERROR_SUCCESS; | 179 DWORD win_result = ERROR_SUCCESS; |
| 156 | 180 |
| 157 // Assign the suspended target to the windows job object | 181 // Assign the suspended target to the windows job object |
| 158 if (!::AssignProcessToJobObject(job_, process_info.hProcess)) { | 182 if (!::AssignProcessToJobObject(job_, process_info.hProcess)) { |
| 159 win_result = ::GetLastError(); | 183 win_result = ::GetLastError(); |
| 160 // It might be a security breach if we let the target run outside the job | 184 // It might be a security breach if we let the target run outside the job |
| 161 // so kill it before it causes damage | 185 // so kill it before it causes damage |
| 162 TerminateTarget(&process_info); | 186 TerminateTarget(&process_info); |
| 163 return win_result; | 187 return win_result; |
| 164 } | 188 } |
| (...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 320 | 344 |
| 321 | 345 |
| 322 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { | 346 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { |
| 323 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); | 347 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); |
| 324 target->sandbox_process_ = process; | 348 target->sandbox_process_ = process; |
| 325 target->base_address_ = base_address; | 349 target->base_address_ = base_address; |
| 326 return target; | 350 return target; |
| 327 } | 351 } |
| 328 | 352 |
| 329 } // namespace sandbox | 353 } // namespace sandbox |
| OLD | NEW |
