| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/broker_services.h" | 5 #include "sandbox/win/src/broker_services.h" |
| 6 | 6 |
| 7 #include <AclAPI.h> | 7 #include <AclAPI.h> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/memory/scoped_ptr.h" | 10 #include "base/memory/scoped_ptr.h" |
| 403 | 403 |
| 404 base::win::ScopedHandle job(job_temp); | 404 base::win::ScopedHandle job(job_temp); |
| 405 | 405 |
| 406 // Initialize the startup information from the policy. | 406 // Initialize the startup information from the policy. |
| 407 base::win::StartupInformation startup_info; | 407 base::win::StartupInformation startup_info; |
| 408 // The liftime of |mitigations| and |inherit_handle_list| have to be at least | 408 // The liftime of |mitigations| and |inherit_handle_list| have to be at least |
| 409 // as long as |startup_info| because |UpdateProcThreadAttribute| requires that | 409 // as long as |startup_info| because |UpdateProcThreadAttribute| requires that |
| 410 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is | 410 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is |
| 411 // called; StartupInformation's destructor makes such a call. | 411 // called; StartupInformation's destructor makes such a call. |
| 412 DWORD64 mitigations; | 412 DWORD64 mitigations; |
| 413 HANDLE inherit_handle_list[2]; | 413 |
| 414 HandleList policy_handle_list = policy_base->GetHandlesBeingShared(); | |
| 415 | |
| 416 // We allocate space for handles being shared via Policy and 2 additional | |
| 417 // handles which are STDOUT and STDERR. | |
| 418 scoped_ptr<HANDLE> inherit_handle_list( | |
| 419 new HANDLE[policy_handle_list.size() + 2]); | |
cpu_(ooo_6.6-7.5)
2015/05/11 22:35:45
this is too strange now use
std::vector<HANDLE> in
ananta
2015/05/11 22:42:24
Done.
| 420 | |
| 414 base::string16 desktop = policy_base->GetAlternateDesktop(); | 421 base::string16 desktop = policy_base->GetAlternateDesktop(); |
| 415 if (!desktop.empty()) { | 422 if (!desktop.empty()) { |
| 416 startup_info.startup_info()->lpDesktop = | 423 startup_info.startup_info()->lpDesktop = |
| 417 const_cast<wchar_t*>(desktop.c_str()); | 424 const_cast<wchar_t*>(desktop.c_str()); |
| 418 } | 425 } |
| 419 | 426 |
| 420 bool inherit_handles = false; | 427 bool inherit_handles = false; |
| 421 | 428 |
| 422 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { | 429 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { |
| 423 int attribute_count = 0; | 430 int attribute_count = 0; |
| 424 const AppContainerAttributes* app_container = | 431 const AppContainerAttributes* app_container = |
| 425 policy_base->GetAppContainer(); | 432 policy_base->GetAppContainer(); |
| 426 if (app_container) | 433 if (app_container) |
| 427 ++attribute_count; | 434 ++attribute_count; |
| 428 | 435 |
| 429 size_t mitigations_size; | 436 size_t mitigations_size; |
| 430 ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(), | 437 ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(), |
| 431 &mitigations, &mitigations_size); | 438 &mitigations, &mitigations_size); |
| 432 if (mitigations) | 439 if (mitigations) |
| 433 ++attribute_count; | 440 ++attribute_count; |
| 434 | 441 |
| 435 HANDLE stdout_handle = policy_base->GetStdoutHandle(); | 442 HANDLE stdout_handle = policy_base->GetStdoutHandle(); |
| 436 HANDLE stderr_handle = policy_base->GetStderrHandle(); | 443 HANDLE stderr_handle = policy_base->GetStderrHandle(); |
| 437 int inherit_handle_count = 0; | 444 int inherit_handle_count = 0; |
| 438 if (stdout_handle != INVALID_HANDLE_VALUE) | 445 if (stdout_handle != INVALID_HANDLE_VALUE) |
| 439 inherit_handle_list[inherit_handle_count++] = stdout_handle; | 446 inherit_handle_list.get()[inherit_handle_count++] = stdout_handle; |
| 440 // Handles in the list must be unique. | 447 // Handles in the list must be unique. |
| 441 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) | 448 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) |
| 442 inherit_handle_list[inherit_handle_count++] = stderr_handle; | 449 inherit_handle_list.get()[inherit_handle_count++] = stderr_handle; |
| 443 | 450 |
| 444 HandleList handle_list = policy_base->GetHandlesBeingShared(); | 451 for (auto handle : policy_handle_list) |
| 445 for (auto handle : handle_list) | 452 inherit_handle_list.get()[inherit_handle_count++] = handle; |
| 446 inherit_handle_list[inherit_handle_count++] = handle; | |
| 447 | 453 |
| 448 if (inherit_handle_count) | 454 if (inherit_handle_count) |
| 449 ++attribute_count; | 455 ++attribute_count; |
| 450 | 456 |
| 451 if (!startup_info.InitializeProcThreadAttributeList(attribute_count)) | 457 if (!startup_info.InitializeProcThreadAttributeList(attribute_count)) |
| 452 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 458 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
| 453 | 459 |
| 454 if (app_container) { | 460 if (app_container) { |
| 455 result = app_container->ShareForStartup(&startup_info); | 461 result = app_container->ShareForStartup(&startup_info); |
| 456 if (SBOX_ALL_OK != result) | 462 if (SBOX_ALL_OK != result) |
| 457 return result; | 463 return result; |
| 458 } | 464 } |
| 459 | 465 |
| 460 if (mitigations) { | 466 if (mitigations) { |
| 461 if (!startup_info.UpdateProcThreadAttribute( | 467 if (!startup_info.UpdateProcThreadAttribute( |
| 462 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, | 468 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, |
| 463 mitigations_size)) { | 469 mitigations_size)) { |
| 464 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 470 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
| 465 } | 471 } |
| 466 } | 472 } |
| 467 | 473 |
| 468 if (inherit_handle_count) { | 474 if (inherit_handle_count) { |
| 469 if (!startup_info.UpdateProcThreadAttribute( | 475 if (!startup_info.UpdateProcThreadAttribute( |
| 470 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, | 476 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, |
| 471 inherit_handle_list, | 477 inherit_handle_list.get(), |
| 472 sizeof(inherit_handle_list[0]) * inherit_handle_count)) { | 478 sizeof(HANDLE) * inherit_handle_count)) { |
| 473 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 479 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
| 474 } | 480 } |
| 475 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; | 481 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; |
| 476 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; | 482 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; |
| 477 startup_info.startup_info()->hStdOutput = stdout_handle; | 483 startup_info.startup_info()->hStdOutput = stdout_handle; |
| 478 startup_info.startup_info()->hStdError = stderr_handle; | 484 startup_info.startup_info()->hStdError = stderr_handle; |
| 479 // Allowing inheritance of handles is only secure now that we | 485 // Allowing inheritance of handles is only secure now that we |
| 480 // have limited which handles will be inherited. | 486 // have limited which handles will be inherited. |
| 481 inherit_handles = true; | 487 inherit_handles = true; |
| 482 } | 488 } |
| 607 return SBOX_ERROR_UNSUPPORTED; | 613 return SBOX_ERROR_UNSUPPORTED; |
| 608 | 614 |
| 609 base::string16 name = LookupAppContainer(sid); | 615 base::string16 name = LookupAppContainer(sid); |
| 610 if (name.empty()) | 616 if (name.empty()) |
| 611 return SBOX_ERROR_INVALID_APP_CONTAINER; | 617 return SBOX_ERROR_INVALID_APP_CONTAINER; |
| 612 | 618 |
| 613 return DeleteAppContainer(sid); | 619 return DeleteAppContainer(sid); |
| 614 } | 620 } |
| 615 | 621 |
| 616 } // namespace sandbox | 622 } // namespace sandbox |
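Review bot: The loop at new lines 451–452 copies every handle from policy_handle_list into inherit_handle_list without checking it against entries already stored, although the comment at line 447 says handles in the list must be unique and the only duplicate check is stderr against stdout at line 448. If GetHandlesBeingShared() can return a handle equal to stdout_handle or stderr_handle, or the same handle twice, the PROC_THREAD_ATTRIBUTE_HANDLE_LIST update at lines 475–478 would presumably be rejected and the launch fails with SBOX_ERROR_PROC_THREAD_ATTRIBUTES, which gives the caller no hint about the cause. Skipping a handle that is already in the list closes that gap and keeps policy_handle_list.size() + 2 a safe upper bound on the allocation; this uses std::find, so `<algorithm>` is needed if the file does not already include it. The enclosing function begins before line 403 and continues past line 488, outside this view.
```cpp
  for (auto handle : policy_handle_list) {
    HANDLE* list_begin = inherit_handle_list.get();
    HANDLE* list_end = list_begin + inherit_handle_count;
    // Handles in the list must be unique; skip one that is already present
    // (e.g. a policy-shared handle that is also the stdout/stderr handle).
    if (std::find(list_begin, list_end, handle) != list_end)
      continue;
    inherit_handle_list.get()[inherit_handle_count++] = handle;
  }
  // … unchanged: attribute_count, InitializeProcThreadAttributeList, updates …
```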