Correctly handle child processes of sandboxed target processes.

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include <AclAPI.h>
 #include <stddef.h>
 #include <utility>
 
@@ skipping 177 matching lines @@
   if (NULL == param)
     return 1;
 
   base::PlatformThread::SetName("BrokerEvent");
 
   BrokerServicesBase* broker = reinterpret_cast<BrokerServicesBase*>(param);
   HANDLE port = broker->job_port_.Get();
   HANDLE no_targets = broker->no_targets_.Get();
 
   int target_counter = 0;
+  int untracked_target_counter = 0;
   ::ResetEvent(no_targets);
 
   while (true) {
     DWORD events = 0;
     ULONG_PTR key = 0;
     LPOVERLAPPED ovl = NULL;
 
     if (!::GetQueuedCompletionStatus(port, &events, &key, &ovl, INFINITE)) {
       // this call fails if the port has been closed before we have a
       // chance to service the last packet which is 'exit' anyway so
@@ skipping 11 matching lines @@
           // The job object has signaled that the last process associated
           // with it has terminated. Assuming there is no way for a process
           // to appear out of thin air in this job, it safe to assume that
           // we can tell the policy to destroy the target object, and for
           // us to release our reference to the policy object.
           tracker->FreeResources();
           break;
         }
 
         case JOB_OBJECT_MSG_NEW_PROCESS: {
+          DWORD handle = static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl));
+          {
+            AutoLock lock(&broker->lock_);
+            size_t count = broker->child_process_ids_.count(handle);
+            // Child process created from sandboxed process.
+            if (count == 0)
+              untracked_target_counter++;
+          }
           ++target_counter;
           if (1 == target_counter) {
             ::ResetEvent(no_targets);
           }
           break;
         }
 
         case JOB_OBJECT_MSG_EXIT_PROCESS:
         case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: {
+          size_t erase_result = 0;
           {
             AutoLock lock(&broker->lock_);
-            broker->child_process_ids_.erase(
+            erase_result = broker->child_process_ids_.erase(
                 static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
           }
+          if (erase_result != 1U) {
+            // The process was untracked e.g. a child process of the target.
+            --untracked_target_counter;
+            DCHECK(untracked_target_counter >= 0);
+          }
           --target_counter;
           if (0 == target_counter)
             ::SetEvent(no_targets);
 
           DCHECK(target_counter >= 0);
           break;
         }
 
         case JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT: {
+          // A child process attempted and failed to create a child process.
+          // Windows does not reveal the process id.
+          untracked_target_counter++;
+          target_counter++;
           break;
         }
 
         case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT: {
           BOOL res = ::TerminateJobObject(tracker->job.Get(),
                                           SBOX_FATAL_MEMORY_EXCEEDED);
           DCHECK(res);
           break;
         }
 
@@ skipping 294 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox