
Side by Side Diff: sandbox/win/src/heap_helper.cc

Issue 2726733003: CSRSS lockdown: destroy CSRSS heap (Closed)
Patch Set: Merge branch 'master' of https://chromium.googlesource.com/chromium/src into destroy_heap Created 3 years, 7 months ago
OLDNEW
(Empty)
1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/heap_helper.h"
6
7 #include <windows.h>
8
9 #include "base/memory/ref_counted.h"
10 #include "base/win/windows_version.h"
11
12 namespace sandbox {
13
14 // These are undocumented, but readily found on the internet.
15 #define HEAP_CLASS_8 0x00008000 // CSR port heap
16 #define HEAP_CLASS_MASK 0x0000f000
17
18 // This structure is not documented, but the flags field is the only relevant
19 // field.
20 struct _HEAP {
21 char reserved[0x70];
22 DWORD flags;
23 };
24
25 bool HeapFlags(HANDLE handle, DWORD* flags) {
26 if (!handle || !flags) {
27 // This is an error.
28 return false;
29 }
30 _HEAP* heap = reinterpret_cast<_HEAP*>(handle);
31 *flags = heap->flags;
32 return true;
33 }
34
35 HANDLE FindCsrPortHeap() {
36 if (base::win::GetVersion() < base::win::VERSION_WIN10) {
37 // This functionality has not been verified on versions before Win10.
38 return nullptr;
39 }
40 DWORD number_of_heaps = ::GetProcessHeaps(0, NULL);
41 std::unique_ptr<HANDLE[]> all_heaps(new HANDLE[number_of_heaps]);
42 if (::GetProcessHeaps(number_of_heaps, all_heaps.get()) != number_of_heaps)
43 return nullptr;
44
45 // Search for the CSR port heap handle, identified purely based on flags.
46 HANDLE csr_port_heap = nullptr;
47 for (size_t i = 0; i < number_of_heaps; ++i) {
48 HANDLE handle = all_heaps[i];
49 DWORD flags = 0;
50 if (!HeapFlags(handle, &flags)) {
51 LOG(ERROR) << "Unable to get flags for this heap";
dcheng 2017/05/03 23:26:04 Is there a reason these are LOG(ERROR) instead of
52 continue;
53 }
54 if ((flags & HEAP_CLASS_MASK) == HEAP_CLASS_8) {
55 if (nullptr != csr_port_heap) {
56 LOG(ERROR) << "Found multiple suitable CSR Port heaps";
57 return nullptr;
58 }
59 csr_port_heap = handle;
60 }
61 }
62 return csr_port_heap;
63 }
64
65 } // namespace sandbox
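Review bot: HeapFlags() reads `flags` at a hard-coded offset 0x70 inside an undocumented `_HEAP` layout, and the only guard in FindCsrPortHeap() is the lower bound `GetVersion() < VERSION_WIN10`, so nothing visible here covers a later Windows build or a different pointer width that moves the field. The issue title says the heap found this way is destroyed, so a class test that reads unrelated memory and matches the wrong handle would be costly. I would record next to the struct where the offset was checked, e.g. `// Offset 0x70 verified on <builds/architectures tested>; re-verify before enabling elsewhere.`, and have the caller treat a nullptr return as "leave every heap alone". Separately, the file uses `std::unique_ptr` and `LOG` without directly including `<memory>` and `base/logging.h`, while `base/memory/ref_counted.h` appears unused in the lines shown.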
OLDNEW