| Index: sandbox/src/target_process.cc
|
| ===================================================================
|
| --- sandbox/src/target_process.cc (revision 123489)
|
| +++ sandbox/src/target_process.cc (working copy)
|
| @@ -39,8 +39,29 @@
|
| }
|
| }
|
|
|
| +// Reserve a random range at the bottom of the address space in the target
|
| +// process to prevent predictable alocations at low addresses.
|
| +void PoisonLowerAddressRange(HANDLE process) {
|
| + unsigned int limit;
|
| + rand_s(&limit);
|
| + char* ptr = 0;
|
| + const size_t kMask64k = 0xFFFF;
|
| + // Random range (512k-4.5mb) in 64k steps.
|
| + const char* end = ptr + ((((limit % 4096) + 512) * 1024) & ~kMask64k);
|
| + while (ptr < end) {
|
| + MEMORY_BASIC_INFORMATION memory_info;
|
| + if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
|
| + break;
|
| + size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
|
| + static_cast<SIZE_T>(end - ptr));
|
| + if (ptr && memory_info.State == MEM_FREE)
|
| + ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
|
| + ptr += size;
|
| + }
|
| }
|
|
|
| +}
|
| +
|
| namespace sandbox {
|
|
|
| SANDBOX_INTERCEPT HANDLE g_shared_section;
|
| @@ -152,6 +173,8 @@
|
| return ::GetLastError();
|
| }
|
|
|
| + PoisonLowerAddressRange(process_info.hProcess);
|
| +
|
| DWORD win_result = ERROR_SUCCESS;
|
|
|
| // Assign the suspended target to the windows job object
|
|
|
Chromium Code Reviews
Issue 9447078:
Reserve the bottom of the address space to prevent predictable alocations. (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/