Chrome browser process DLL blacklist.

chrome_elf/blacklist/blacklist_interceptions.cc

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Implementation of NtMapViewOfSection intercept for 32 bit builds.
+//
+// TODO(robertshield): Implement the 64 bit intercept.
+
+#include "chrome_elf/blacklist/blacklist_interceptions.h"
+
+#include <string>
+#include <vector>
+
+// Note that only #includes from base that are either header-only or built into
+// base_static (see base/base.gyp) are allowed here.
+#include "base/basictypes.h"
+#include "base/strings/string16.h"
+#include "base/win/pe_image.h"
+#include "chrome_elf/blacklist/blacklist.h"
+#include "sandbox/win/src/internal_types.h"
+#include "sandbox/win/src/nt_internals.h"
+#include "sandbox/win/src/sandbox_nt_util.h"
+#include "sandbox/win/src/sandbox_types.h"
+
+namespace {
+
+// TODO(robertshield): Merge with ntdll exports cache.
+FARPROC GetNtDllExportByName(const char* export_name) {
+  HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName);
+  return ::GetProcAddress(ntdll, export_name);
+}
+
+NtQuerySectionFunction g_nt_query_section_func =
+    reinterpret_cast<NtQuerySectionFunction>(
+        GetNtDllExportByName("NtQuerySection"));

[rvargas (doing something else), 2013/12/17 22:09:27]

Isn't it better to have an explicit initialization function and avoid patching
if any of the needed functions cannot be found?

That would also follow the style guide... and having static constructors with
DllMain is kind of yucky.

[robertshield, 2013/12/18 02:34:43]

Done.

+NtQueryVirtualMemoryFunction g_nt_query_virtual_memory_func =
+    reinterpret_cast<NtQueryVirtualMemoryFunction>(
+        GetNtDllExportByName("NtQueryVirtualMemory"));
+NtUnmapViewOfSectionFunction g_nt_unmap_view_of_section_func =
+    reinterpret_cast<NtUnmapViewOfSectionFunction>(
+        GetNtDllExportByName("NtUnmapViewOfSection"));
+
+bool DllMatch(const string16& module_name) {
+  for (int i = 0; i < blacklist::g_troublesome_dlls_cur_index; ++i) {
+    if (module_name == blacklist::g_troublesome_dlls[i])
+      return true;
+  }
+  return false;
+}
+
+// Native reimplementation of PSAPIs GetMappedFileName.
+string16 GetBackingModuleFilePath(PVOID address) {

[rvargas (doing something else), 2013/12/17 22:09:27]

it would have been nice to use the functions from sb_nt_util instead of having
slightly different versions using stl. oh well.

[robertshield, 2013/12/18 02:34:43]

It could perhaps have been done, though iirc it might have needed some
additional refactoring of the sb_nt_util code. I'll leave a TODO and look into
it in a follow up CL.

+  if (!g_nt_query_virtual_memory_func)
+    return string16();
+
+  // We'll start with something close to max_path characters for the name.
+  ULONG buffer_bytes = MAX_PATH * 2;
+  std::vector<BYTE> buffer_data(buffer_bytes);
+
+  for (;;) {
+    MEMORY_SECTION_NAME* section_name =
+        reinterpret_cast<MEMORY_SECTION_NAME*>(&buffer_data[0]);
+
+    if (!section_name)
+      break;
+
+    ULONG returned_bytes;
+    NTSTATUS ret = g_nt_query_virtual_memory_func(
+        NtCurrentProcess, address, MemorySectionName, section_name,
+        buffer_bytes, &returned_bytes);
+
+    if (STATUS_BUFFER_OVERFLOW == ret) {
+      // Retry the call with the given buffer size.
+      buffer_bytes = returned_bytes + 1;
+      buffer_data.resize(buffer_bytes);
+      section_name = NULL;
+      continue;
+    }
+    if (!NT_SUCCESS(ret)) {

[rvargas (doing something else), 2013/12/17 22:09:27]

nit: no {}

[robertshield, 2013/12/18 02:34:43]

Done.

+      break;
+    }
+
+    UNICODE_STRING* section_string =
+        reinterpret_cast<UNICODE_STRING*>(section_name);
+    return string16(section_string->Buffer,
+                        section_string->Length / sizeof(wchar_t));
+  }
+
+  return string16();
+}
+
+bool IsModuleValidImageSection(HANDLE section,
+                               PVOID *base,
+                               PLARGE_INTEGER offset,
+                               PSIZE_T view_size) {
+  if (!section || !base || !view_size || offset)
+    return false;
+
+  if (!g_nt_query_section_func)
+    return false;
+
+  SECTION_BASIC_INFORMATION basic_info;
+  SIZE_T bytes_returned;
+  NTSTATUS ret = g_nt_query_section_func(section, SectionBasicInformation,
+                                         &basic_info, sizeof(basic_info),
+                                         &bytes_returned);
+
+  if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned)
+    return false;
+
+  if (!(basic_info.Attributes & SEC_IMAGE))
+    return false;
+
+  return true;
+}
+
+string16 ExtractLoadedModuleName(const string16& module_path) {
+  if (module_path.empty() || module_path[module_path.size() - 1] == L'\\')
+    return string16();
+
+  size_t sep = module_path.find_last_of(L'\\');
+  if (sep == string16::npos)
+    return module_path;
+  else
+    return module_path.substr(sep+1);
+}
+
+// Fills |out_name| with the image name from the given |pe| image.
+void SafeGetImageName(const base::win::PEImage& pe, std::string* out_name) {
+  out_name->clear();
+  out_name->reserve(MAX_PATH);
+  PIMAGE_EXPORT_DIRECTORY exports = pe.GetExportDirectory();
+  if (exports) {
+    char* image_name = reinterpret_cast<char*>(pe.RVAToAddr(exports->Name));

[Sigurður Ásgeirsson, 2013/12/18 14:16:01]

nit: while you're in there, perhaps const char*

[robertshield, 2013/12/18 17:01:36]

Done.

+    __try {
+      size_t i = 0;
+      for (; i < MAX_PATH && *image_name; ++i, ++image_name)
+        out_name->push_back(*image_name);
+    } __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
+               EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {

[rvargas (doing something else), 2013/12/17 22:09:27]

I'm curious about why letting the process crash here.

[robertshield, 2013/12/18 02:34:43]

It's more about avoiding the general badness of not crashing if an exception
type that should not be handled occurs. 

The only exception type I'd expect from the wrapped code is an access violation
if I run out of the module into a non-readable location. If something else
occurs, I don't think I should be handling it here.

+      out_name->clear();
+    }
+  }
+}
+
+string16 GetImageInfoFromLoadedModule(HMODULE module, uint32* flags) {
+  std::string out_name;
+  *flags = 0;
+  base::win::PEImage pe(module);

[rvargas (doing something else), 2013/12/17 22:09:27]

this whole thing has to be inside the try block, not just reading the name.

[robertshield, 2013/12/18 02:34:43]

Done.

+
+  if (pe.VerifyMagic()) {
+    *flags |= sandbox::MODULE_IS_PE_IMAGE;
+
+    SafeGetImageName(pe, &out_name);
+
+    PIMAGE_NT_HEADERS headers = pe.GetNTHeaders();
+    if (headers) {
+      if (headers->OptionalHeader.AddressOfEntryPoint)
+        *flags |= sandbox::MODULE_HAS_ENTRY_POINT;
+      if (headers->OptionalHeader.SizeOfCode)
+        *flags |= sandbox::MODULE_HAS_CODE;
+    }
+  }
+
+  return string16(out_name.begin(), out_name.end());
+}
+
+}  // namespace
+
+namespace blacklist {
+
+SANDBOX_INTERCEPT NTSTATUS WINAPI BlNtMapViewOfSection(
+    NtMapViewOfSectionFunction orig_MapViewOfSection,
+    HANDLE section,
+    HANDLE process,
+    PVOID *base,
+    ULONG_PTR zero_bits,
+    SIZE_T commit_size,
+    PLARGE_INTEGER offset,
+    PSIZE_T view_size,
+    SECTION_INHERIT inherit,
+    ULONG allocation_type,
+    ULONG protect) {
+
+  NTSTATUS ret = orig_MapViewOfSection(section, process, base, zero_bits,
+                                       commit_size, offset, view_size, inherit,
+                                       allocation_type, protect);
+
+  if (!NT_SUCCESS(ret) || !sandbox::IsSameProcess(process) ||
+      !IsModuleValidImageSection(section, base, offset, view_size)) {
+    return ret;
+  }
+
+  HMODULE module = reinterpret_cast<HMODULE>(*base);
+  if (module) {
+    UINT image_flags;
+
+    string16 module_name(GetImageInfoFromLoadedModule(
+        reinterpret_cast<HMODULE>(*base), &image_flags));
+    string16 file_name(GetBackingModuleFilePath(*base));
+
+    if (module_name.empty() && (image_flags & sandbox::MODULE_HAS_CODE)) {
+      // If the module has no exports we retrieve the module name from the
+      // full path of the mapped section.
+      module_name = ExtractLoadedModuleName(file_name);
+    }
+
+    if (!module_name.empty() && DllMatch(module_name)) {
+      if (g_nt_unmap_view_of_section_func) {
+        g_nt_unmap_view_of_section_func(process, *base);
+        ret = STATUS_UNSUCCESSFUL;
+      }
+    }
+
+  }
+  return ret;
+}
+
+}  // namespace blacklist