| Index: sandbox/src/target_process.cc |
| =================================================================== |
| --- sandbox/src/target_process.cc (revision 123489) |
| +++ sandbox/src/target_process.cc (working copy) |
| @@ -39,8 +39,30 @@ |
| } |
| } |
| +// Reserve a random range at the bottom of the address space in the target |
| +// process to prevent predictable alocations at low addresses. |
| +void PoisonLowerAddressRange(HANDLE process) { |
| + unsigned int limit; |
| + rand_s(&limit); |
| + char* ptr = 0; |
| + const char* end = ptr + (limit & 0xF0000); // range from 512kb - 1mb. |
|
rvargas (doing something else)
2012/02/27 22:47:34
nit: "Range" ... 64k -
|
| + const size_t kMask64k = 0xFFFF; |
| + while (ptr < end) { |
| + MEMORY_BASIC_INFORMATION memory_info; |
| + if (!::VirtualQueryEx(process, ptr, &memory_info, |
| + sizeof(memory_info))) { |
| + break; |
| + } |
| + size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, |
| + static_cast<SIZE_T>(end - ptr)); |
| + if (memory_info.State == MEM_FREE) |
| + ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); |
| + ptr += size; |
| + } |
| } |
| +} |
| + |
| namespace sandbox { |
| SANDBOX_INTERCEPT HANDLE g_shared_section; |
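Review bot: On the first pass of the loop in PoisonLowerAddressRange `ptr` is still 0, and VirtualAllocEx treats a null lpAddress as "let the system choose the address", so if VirtualQueryEx reports the region at address 0 as MEM_FREE the call reserves `size` bytes at an arbitrary location rather than at the bottom of the address space. Guarding the call as `if (ptr && memory_info.State == MEM_FREE)` avoids that stray reservation. The results of `rand_s` and `VirtualAllocEx` are also discarded, so a failed reservation is silent and the target starts without the mitigation; because the function returns void, the call site added in the second hunk cannot detect this either. Separately, `limit & 0xF0000` can evaluate to zero, in which case the loop never runs and nothing is reserved, so adding a fixed minimum to the random part would put a floor under the poisoned range.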
| @@ -152,6 +174,8 @@ |
| return ::GetLastError(); |
| } |
| + PoisonLowerAddressRange(process_info.hProcess); |
| + |
| DWORD win_result = ERROR_SUCCESS; |
| // Assign the suspended target to the windows job object |