| OLD | NEW |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/src/target_process.h" | 5 #include "sandbox/src/target_process.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/win/pe_image.h" | 9 #include "base/win/pe_image.h" |
| 10 #include "sandbox/src/crosscall_server.h" | 10 #include "sandbox/src/crosscall_server.h" |
| (...skipping 21 matching lines...) |
| 32 | 32 |
| 33 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { | 33 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) { |
| 34 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); | 34 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]); |
| 35 if (buffer) { | 35 if (buffer) { |
| 36 buffer -= offset; | 36 buffer -= offset; |
| 37 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); | 37 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer); |
| 38 } | 38 } |
| 39 } | 39 } |
| 40 } | 40 } |
| 41 | 41 |
| 42 // Reserve a random range at the bottom of the address space in the target |
| 43 // process to prevent predictable alocations at low addresses. |
| 44 void PoisonLowerAddressRange(HANDLE process) { |
| 45 unsigned int limit; |
| 46 rand_s(&limit); |
| 47 char* ptr = 0; |
| 48 const size_t kMask64k = 0xFFFF; |
| 49 // Random range (512k-4.5mb) in 64k steps. |
| 50 const char* end = ptr + ((((limit % 4096) + 512) * 1024) & ~kMask64k); |
| 51 while (ptr < end) { |
| 52 MEMORY_BASIC_INFORMATION memory_info; |
| 53 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info))) |
| 54 break; |
| 55 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, |
| 56 static_cast<SIZE_T>(end - ptr)); |
| 57 if (ptr && memory_info.State == MEM_FREE) |
| 58 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); |
| 59 ptr += size; |
| 60 } |
| 61 } |
| 62 |
| 42 } | 63 } |
| 43 | 64 |
| 44 namespace sandbox { | 65 namespace sandbox { |
| 45 | 66 |
| 46 SANDBOX_INTERCEPT HANDLE g_shared_section; | 67 SANDBOX_INTERCEPT HANDLE g_shared_section; |
| 47 SANDBOX_INTERCEPT size_t g_shared_IPC_size; | 68 SANDBOX_INTERCEPT size_t g_shared_IPC_size; |
| 48 SANDBOX_INTERCEPT size_t g_shared_policy_size; | 69 SANDBOX_INTERCEPT size_t g_shared_policy_size; |
| 49 | 70 |
| 50 // Returns the address of the main exe module in memory taking in account | 71 // Returns the address of the main exe module in memory taking in account |
| 51 // address space layout randomization. | 72 // address space layout randomization. |
| (...skipping 93 matching lines...) |
| 145 NULL, // No thread attribute. | 166 NULL, // No thread attribute. |
| 146 FALSE, // Do not inherit handles. | 167 FALSE, // Do not inherit handles. |
| 147 flags, | 168 flags, |
| 148 NULL, // Use the environment of the caller. | 169 NULL, // Use the environment of the caller. |
| 149 NULL, // Use current directory of the caller. | 170 NULL, // Use current directory of the caller. |
| 150 &startup_info, | 171 &startup_info, |
| 151 &process_info)) { | 172 &process_info)) { |
| 152 return ::GetLastError(); | 173 return ::GetLastError(); |
| 153 } | 174 } |
| 154 | 175 |
| 176 PoisonLowerAddressRange(process_info.hProcess); |
| 177 |
| 155 DWORD win_result = ERROR_SUCCESS; | 178 DWORD win_result = ERROR_SUCCESS; |
| 156 | 179 |
| 157 // Assign the suspended target to the windows job object | 180 // Assign the suspended target to the windows job object |
| 158 if (!::AssignProcessToJobObject(job_, process_info.hProcess)) { | 181 if (!::AssignProcessToJobObject(job_, process_info.hProcess)) { |
| 159 win_result = ::GetLastError(); | 182 win_result = ::GetLastError(); |
| 160 // It might be a security breach if we let the target run outside the job | 183 // It might be a security breach if we let the target run outside the job |
| 161 // so kill it before it causes damage | 184 // so kill it before it causes damage |
| 162 TerminateTarget(&process_info); | 185 TerminateTarget(&process_info); |
| 163 return win_result; | 186 return win_result; |
| 164 } | 187 } |
| (...skipping 155 matching lines...) |
| 320 | 343 |
| 321 | 344 |
| 322 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { | 345 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { |
| 323 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); | 346 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL); |
| 324 target->sandbox_process_ = process; | 347 target->sandbox_process_ = process; |
| 325 target->base_address_ = base_address; | 348 target->base_address_ = base_address; |
| 326 return target; | 349 return target; |
| 327 } | 350 } |
| 328 | 351 |
| 329 } // namespace sandbox | 352 } // namespace sandbox |
| OLD | NEW |
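Review bot: In PoisonLowerAddressRange (new lines 44-61) the result of `rand_s(&limit)` is not checked, so on failure `limit` is read uninitialized and the size of the reserved range comes from an indeterminate value. Initialise and test it, e.g. `unsigned int limit = 0;` with `if (rand_s(&limit) != 0) limit = 4095;`, so the low range is still reserved when the random source fails. The return values of `::VirtualQueryEx` and `::VirtualAllocEx` are also dropped and the function is `void`, so the call at new line 176 cannot tell whether any reservation happened; since this is a hardening step that otherwise fails open silently, consider returning a `bool` or at least logging a failed reservation. The `if (ptr && ...)` test deserves a why-comment such as `// A NULL lpAddress would let the system choose the region, so never reserve at address 0.` `std::min` needs `<algorithm>`, which is not among the includes visible here, though it may sit in the 21 collapsed lines.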