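--- a/FILE_PATH_NOT_ON_PAGE
+++ b/FILE_PATH_NOT_ON_PAGE
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/target_process.h"
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/win/pe_image.h"
 #include "base/win/startup_information.h"
@@ -28,41 +28,20 @@
 
 for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) {
 size_t buffer = reinterpret_cast<size_t>(policy->entry[i]);
 if (buffer) {
 buffer -= offset;
 policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer);
 }
 }
 }
 
-// Reserve a random range at the bottom of the address space in the target
-// process to prevent predictable alocations at low addresses.
-void PoisonLowerAddressRange(HANDLE process) {
-unsigned int limit;
-rand_s(&limit);
-char* ptr = 0;
-const size_t kMask64k = 0xFFFF;
-// Random range (512k-16.5mb) in 64k steps.
-const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
-while (ptr < end) {
-MEMORY_BASIC_INFORMATION memory_info;
-if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
-break;
-size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
-static_cast<SIZE_T>(end - ptr));
-if (ptr && memory_info.State == MEM_FREE)
-::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
-ptr += size;
-}
-}
-
 }
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT HANDLE g_shared_section;
 SANDBOX_INTERCEPT size_t g_shared_IPC_size;
 SANDBOX_INTERCEPT size_t g_shared_policy_size;
 
 // Returns the address of the main exe module in memory taking in account
 // address space layout randomization.
@@ -161,22 +140,20 @@
 FALSE, // Do not inherit handles.
 flags,
 NULL, // Use the environment of the caller.
 NULL, // Use current directory of the caller.
 startup_info.startup_info(),
 process_info.Receive())) {
 return ::GetLastError();
 }
 lockdown_token_.Close();
 
-PoisonLowerAddressRange(process_info.process_handle());
-
 DWORD win_result = ERROR_SUCCESS;
 
 // Assign the suspended target to the windows job object.
 if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
 win_result = ::GetLastError();
 // It might be a security breach if we let the target run outside the job
 // so kill it before it causes damage.
 ::TerminateProcess(process_info.process_handle(), 0);
 return win_result;
 }
@@ -347,10 +324,10 @@
 
 
 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
 TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL);
 target->sandbox_process_info_.Receive()->hProcess = process;
 target->base_address_ = base_address;
 return target;
 }
 
 } // namespace sandbox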
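Review bot: The PoisonLowerAddressRange call that sat between lockdown_token_.Close() and the ERROR_SUCCESS initialisation is dropped without any note left in the create path, so a later reader sees no record that the low-address reservation (described by the deleted comment as guarding against predictable allocations at low addresses) was removed deliberately rather than lost; consider a one-line comment at that spot such as `// Low-address range reservation intentionally removed; see TRACKER-ID-NOT-ON-PAGE.`. The function enclosing that hunk starts and ends outside it. As far as the visible lines show, rand_s and std::min have no remaining users in this file after the deletion, so any header that was included only for them (the include list past line 10 is not shown here) may now be dead and worth trimming in the same change. The first hunk is otherwise a pure removal and the trailing hunk is unchanged context.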