sandbox/win/src/heap_helper.cc - Issue 2726733003: CSRSS lockdown: destroy CSRSS heap

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: sandbox/win/src/heap_helper.cc

Issue 2726733003: CSRSS lockdown: destroy CSRSS heap (Closed)

Patch Set: refactor heap code to heap_helper, add some explicit tests of these heap_helper functions Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "sandbox/win/src/heap_helper.h"

	6

	7 #include <windows.h>

	8

	9 #include "base/memory/ref_counted.h"

	10

	11 namespace sandbox {

	12

	13 // These are undocumented, but readily found on the internet.

	14 #define HEAP_CLASS_8 0x00008000 // CSR port heap

	15 #define HEAP_CLASS_MASK 0x0000f000

	16

	17 // This structure is not documented, but we only care about the flags field.

	18 struct _HEAP {

	19 char reserved[0x70];

	20 DWORD flags;

	21 };

	22

	23 DWORD HeapFlags(HANDLE handle) {

	24 _HEAP* heap = reinterpret_cast<_HEAP*>(handle);
	Will Harris 2017/03/22 19:21:49 is there any validation that can be done here that is there any validation that can be done here that the code is actually dealing with a valid heap handle? liamjm (20p) 2017/04/14 17:27:20 I've added nullptr checks. We could use ntdll!Rtl Show quoted text On 2017/03/22 19:21:49, Will Harris wrote: > is there any validation that can be done here that the code is actually dealing > with a valid heap handle? I've added nullptr checks. We could use ntdll!RtlValidateHeap to check if this a valid heap? Or we could add a check of the signature (ie magic bytes) (something similiar to ntdll!RtlpCheckHeapSignature, which is called by ntdll!RtlValidateHeap) Thoughts?
	25 return heap->flags;

	26 }

	27

	28 HANDLE FindCsrPortHeap() {

	29 DWORD number_of_heaps = ::GetProcessHeaps(0, NULL);

	30 std::unique_ptr<HANDLE[]> all_heaps(new HANDLE[number_of_heaps]);

	31 if (::GetProcessHeaps(number_of_heaps, all_heaps.get()) != number_of_heaps)

	32 return nullptr;

	33

	34 // Let's search for the CSR port heap handle, which we identify purely based
	Will Harris 2017/03/22 19:21:49 nit: in chromium convention is to avoid use of 'us nit: in chromium convention is to avoid use of 'us' and 'we' and prefer to just state the operation happening e.g. "Search for the CSR port heap handle, identified purely based on flags." or something like that. (also elsewhere) liamjm (20p) 2017/04/14 17:27:20 Done. Show quoted text On 2017/03/22 19:21:49, Will Harris wrote: > nit: in chromium convention is to avoid use of 'us' and 'we' and prefer to just > state the operation happening > > e.g. > > "Search for the CSR port heap handle, identified purely based on flags." > > or something like that. (also elsewhere) Done.
	35 // on flags.

	36 HANDLE csr_port_heap = nullptr;

	37 for (size_t i = 0; i < number_of_heaps; ++i) {

	38 HANDLE handle = all_heaps[i];

	39 DWORD flags = HeapFlags(handle);

	40 if ((flags & HEAP_CLASS_MASK) == HEAP_CLASS_8) {

	41 if (nullptr != csr_port_heap) {

	42 LOG(ERROR) << "Found multiple suitable CSR Port heaps";

	43 return nullptr;

	44 }

	45 csr_port_heap = handle;

	46 }

	47 }

	48 return csr_port_heap;

	49 }

	50

	51 } // namespace sandbox

OLD	NEW

« no previous file with comments | « sandbox/win/src/heap_helper.h ('k') | sandbox/win/src/lpc_policy_test.cc » ('j') | sandbox/win/src/lpc_policy_test.cc » ('J')