sandbox/win/src/heap_helper.cc - Issue 2726733003: CSRSS lockdown: destroy CSRSS heap

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/win/src/heap_helper.cc

Issue 2726733003: CSRSS lockdown: destroy CSRSS heap (Closed)

Patch Set: Merge branch 'master' of https://chromium.googlesource.com/chromium/src into destroy_heap Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/win/src/heap_helper.cc

diff --git a/sandbox/win/src/heap_helper.cc b/sandbox/win/src/heap_helper.cc

new file mode 100644

index 0000000000000000000000000000000000000000..e86647f656110ac77ac0c6167bbd19dd2de4f121

--- /dev/null

+++ b/sandbox/win/src/heap_helper.cc

@@ -0,0 +1,65 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#include "sandbox/win/src/heap_helper.h"

+#include <windows.h>

+#include "base/memory/ref_counted.h"

+#include "base/win/windows_version.h"

+namespace sandbox {

+// These are undocumented, but readily found on the internet.

+#define HEAP_CLASS_8 0x00008000 // CSR port heap

+#define HEAP_CLASS_MASK 0x0000f000

+// This structure is not documented, but the flags field is the only relevant

+// field.

+struct _HEAP {

+ char reserved[0x70];

+ DWORD flags;

+};

+bool HeapFlags(HANDLE handle, DWORD* flags) {

+ if (!handle || !flags) {

+ // This is an error.

+ return false;

+ }

+ _HEAP* heap = reinterpret_cast<_HEAP*>(handle);

+ *flags = heap->flags;

+ return true;

+HANDLE FindCsrPortHeap() {

+ if (base::win::GetVersion() < base::win::VERSION_WIN10) {

+ // This functionality has not been verified on versions before Win10.

+ return nullptr;

+ }

+ DWORD number_of_heaps = ::GetProcessHeaps(0, NULL);

+ std::unique_ptr<HANDLE[]> all_heaps(new HANDLE[number_of_heaps]);

+ if (::GetProcessHeaps(number_of_heaps, all_heaps.get()) != number_of_heaps)

+ return nullptr;

+ // Search for the CSR port heap handle, identified purely based on flags.

+ HANDLE csr_port_heap = nullptr;

+ for (size_t i = 0; i < number_of_heaps; ++i) {

+ HANDLE handle = all_heaps[i];

+ DWORD flags = 0;

+ if (!HeapFlags(handle, &flags)) {

+ LOG(ERROR) << "Unable to get flags for this heap";

dcheng 2017/05/03 23:26:04 Is there a reason these are LOG(ERROR) instead of

+ continue;

+ }

+ if ((flags & HEAP_CLASS_MASK) == HEAP_CLASS_8) {

+ if (nullptr != csr_port_heap) {

+ LOG(ERROR) << "Found multiple suitable CSR Port heaps";

+ return nullptr;

+ }

+ csr_port_heap = handle;

+ }

+ return csr_port_heap;

+} // namespace sandbox

« no previous file with comments | « sandbox/win/src/heap_helper.h ('k') | sandbox/win/src/lpc_policy_test.cc » ('j') | no next file with comments »