The Tor Browser: security/sandbox/win/src/sandbox_nt

security/sandbox/win/src/sandbox_nt_util.cc@6474c204b198 (annotated)

security/sandbox/win/src/sandbox_nt_util.cc

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "base/win/pe_image.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/target_services.h"
 namespace sandbox {
 // This is the list of all imported symbols from ntdll.dll.
 SANDBOX_INTERCEPT NtExports g_nt = { NULL };
 }  // namespace sandbox
 namespace {
 #if defined(_WIN64)
 void* AllocateNearTo(void* source, size_t size) {
   using sandbox::g_nt;
   // Start with 1 GB above the source.
   const size_t kOneGB = 0x40000000;
   void* base = reinterpret_cast<char*>(source) + kOneGB;
   SIZE_T actual_size = size;
   ULONG_PTR zero_bits = 0;  // Not the correct type if used.
   ULONG type = MEM_RESERVE;
   NTSTATUS ret;
   int attempts = 0;
   for (; attempts < 41; attempts++) {
     ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, zero_bits,
                                      &actual_size, type, PAGE_READWRITE);
     if (NT_SUCCESS(ret)) {
       if (base < source ||
           base >= reinterpret_cast<char*>(source) + 4 * kOneGB) {
         // We won't be able to patch this dll.
         VERIFY_SUCCESS(g_nt.FreeVirtualMemory(NtCurrentProcess, &base, &size,
                                               MEM_RELEASE));
         return NULL;
       }
       break;
     }
     if (attempts == 30) {
       // Try the first GB.
       base = reinterpret_cast<char*>(source);
     } else if (attempts == 40) {
       // Try the highest available address.
       base = NULL;
       type |= MEM_TOP_DOWN;
     }
     // Try 100 MB higher.
     base = reinterpret_cast<char*>(base) + 100 * 0x100000;
   };
   if (attempts == 41)
     return NULL;
   ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, zero_bits,
                                    &actual_size, MEM_COMMIT, PAGE_READWRITE);
   if (!NT_SUCCESS(ret)) {
     VERIFY_SUCCESS(g_nt.FreeVirtualMemory(NtCurrentProcess, &base, &size,
                                           MEM_RELEASE));
     base = NULL;
   }
   return base;
 }
 #else  // defined(_WIN64).
 void* AllocateNearTo(void* source, size_t size) {
   using sandbox::g_nt;
   UNREFERENCED_PARAMETER(source);
   // In 32-bit processes allocations below 512k are predictable, so mark
   // anything in that range as reserved and retry until we get a good address.
   const void* const kMinAddress = reinterpret_cast<void*>(512 * 1024);
   NTSTATUS ret;
   SIZE_T actual_size;
   void* base;
   do {
     base = NULL;
     actual_size = 64 * 1024;
     ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, 0, &actual_size,
                                      MEM_RESERVE, PAGE_NOACCESS);
     if (!NT_SUCCESS(ret))
       return NULL;
   } while (base < kMinAddress);
   actual_size = size;
   ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, 0, &actual_size,
                                    MEM_COMMIT, PAGE_READWRITE);
   if (!NT_SUCCESS(ret))
     return NULL;
   return base;
 }
 #endif  // defined(_WIN64).
 }  // namespace.
 namespace sandbox {
 // Handle for our private heap.
 void* g_heap = NULL;
 SANDBOX_INTERCEPT HANDLE g_shared_section;
 SANDBOX_INTERCEPT size_t g_shared_IPC_size = 0;
 SANDBOX_INTERCEPT size_t g_shared_policy_size = 0;
 void* volatile g_shared_policy_memory = NULL;
 void* volatile g_shared_IPC_memory = NULL;
 // Both the IPC and the policy share a single region of memory in which the IPC
 // memory is first and the policy memory is last.
 bool MapGlobalMemory() {
   if (NULL == g_shared_IPC_memory) {
     void* memory = NULL;
     SIZE_T size = 0;
     // Map the entire shared section from the start.
     NTSTATUS ret = g_nt.MapViewOfSection(g_shared_section, NtCurrentProcess,
                                          &memory, 0, 0, NULL, &size, ViewUnmap,
 , PAGE_READWRITE);
     if (!NT_SUCCESS(ret) || NULL == memory) {
       NOTREACHED_NT();
       return false;
     }
     if (NULL != _InterlockedCompareExchangePointer(&g_shared_IPC_memory,
                                                    memory, NULL)) {
         // Somebody beat us to the memory setup.
         ret = g_nt.UnmapViewOfSection(NtCurrentProcess, memory);
         VERIFY_SUCCESS(ret);
     }
     DCHECK_NT(g_shared_IPC_size > 0);
     g_shared_policy_memory = reinterpret_cast<char*>(g_shared_IPC_memory)
                              + g_shared_IPC_size;
   }
   DCHECK_NT(g_shared_policy_memory);
   DCHECK_NT(g_shared_policy_size > 0);
   return true;
 }
 void* GetGlobalIPCMemory() {
   if (!MapGlobalMemory())
     return NULL;
   return g_shared_IPC_memory;
 }
 void* GetGlobalPolicyMemory() {
   if (!MapGlobalMemory())
     return NULL;
   return g_shared_policy_memory;
 }
 bool InitHeap() {
   if (!g_heap) {
     // Create a new heap using default values for everything.
     void* heap = g_nt.RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
     if (!heap)
       return false;
     if (NULL != _InterlockedCompareExchangePointer(&g_heap, heap, NULL)) {
       // Somebody beat us to the memory setup.
       g_nt.RtlDestroyHeap(heap);
     }
   }
   return (g_heap != NULL);
 }
 // Physically reads or writes from memory to verify that (at this time), it is
 // valid. Returns a dummy value.
 int TouchMemory(void* buffer, size_t size_bytes, RequiredAccess intent) {
   const int kPageSize = 4096;
   int dummy = 0;
   char* start = reinterpret_cast<char*>(buffer);
   char* end = start + size_bytes - 1;
   if (WRITE == intent) {
     for (; start < end; start += kPageSize) {
       *start = 0;
     }
     *end = 0;
   } else {
     for (; start < end; start += kPageSize) {
       dummy += *start;
     }
     dummy += *end;
   }
   return dummy;
 }
 bool ValidParameter(void* buffer, size_t size, RequiredAccess intent) {
   DCHECK_NT(size);
   __try {
     TouchMemory(buffer, size, intent);
   } __except(EXCEPTION_EXECUTE_HANDLER) {
     return false;
   }
   return true;
 }
 NTSTATUS CopyData(void* destination, const void* source, size_t bytes) {
   NTSTATUS ret = STATUS_SUCCESS;
   __try {
     if (SandboxFactory::GetTargetServices()->GetState()->InitCalled()) {
       memcpy(destination, source, bytes);
     } else {
       const char* from = reinterpret_cast<const char*>(source);
       char* to = reinterpret_cast<char*>(destination);
       for (size_t i = 0; i < bytes; i++) {
         to[i] = from[i];
       }
     }
   } __except(EXCEPTION_EXECUTE_HANDLER) {
     ret = GetExceptionCode();
   }
   return ret;
 }
 // Hacky code... replace with AllocAndCopyObjectAttributes.
 NTSTATUS AllocAndCopyName(const OBJECT_ATTRIBUTES* in_object,
                           wchar_t** out_name, uint32* attributes,
                           HANDLE* root) {
   if (!InitHeap())
     return STATUS_NO_MEMORY;
   DCHECK_NT(out_name);
   *out_name = NULL;
   NTSTATUS ret = STATUS_UNSUCCESSFUL;
   __try {
     do {
       if (in_object->RootDirectory != static_cast<HANDLE>(0) && !root)
         break;
       if (NULL == in_object->ObjectName)
         break;
       if (NULL == in_object->ObjectName->Buffer)
         break;
       size_t size = in_object->ObjectName->Length + sizeof(wchar_t);
       *out_name = new(NT_ALLOC) wchar_t[size/sizeof(wchar_t)];
       if (NULL == *out_name)
         break;
       ret = CopyData(*out_name, in_object->ObjectName->Buffer,
                      size - sizeof(wchar_t));
       if (!NT_SUCCESS(ret))
         break;
       (*out_name)[size / sizeof(wchar_t) - 1] = L'\0';
       if (attributes)
         *attributes = in_object->Attributes;
       if (root)
         *root = in_object->RootDirectory;
       ret = STATUS_SUCCESS;
     } while (false);
   } __except(EXCEPTION_EXECUTE_HANDLER) {
     ret = GetExceptionCode();
   }
   if (!NT_SUCCESS(ret) && *out_name) {
     operator delete(*out_name, NT_ALLOC);
     *out_name = NULL;
   }
   return ret;
 }
 NTSTATUS GetProcessId(HANDLE process, ULONG *process_id) {
   PROCESS_BASIC_INFORMATION proc_info;
   ULONG bytes_returned;
   NTSTATUS ret = g_nt.QueryInformationProcess(process, ProcessBasicInformation,
                                               &proc_info, sizeof(proc_info),
                                               &bytes_returned);
   if (!NT_SUCCESS(ret) || sizeof(proc_info) != bytes_returned)
     return ret;
   *process_id = proc_info.UniqueProcessId;
   return STATUS_SUCCESS;
 }
 bool IsSameProcess(HANDLE process) {
   if (NtCurrentProcess == process)
     return true;
   static ULONG s_process_id = 0;
   if (!s_process_id) {
     NTSTATUS ret = GetProcessId(NtCurrentProcess, &s_process_id);
     if (!NT_SUCCESS(ret))
       return false;
   }
   ULONG process_id;
   NTSTATUS ret = GetProcessId(process, &process_id);
   if (!NT_SUCCESS(ret))
     return false;
   return (process_id == s_process_id);
 }
 bool IsValidImageSection(HANDLE section, PVOID *base, PLARGE_INTEGER offset,
                          PSIZE_T view_size) {
   if (!section || !base || !view_size || offset)
     return false;
   HANDLE query_section;
   NTSTATUS ret = g_nt.DuplicateObject(NtCurrentProcess, section,
                                       NtCurrentProcess, &query_section,
                                       SECTION_QUERY, 0, 0);
   if (!NT_SUCCESS(ret))
     return false;
   SECTION_BASIC_INFORMATION basic_info;
   SIZE_T bytes_returned;
   ret = g_nt.QuerySection(query_section, SectionBasicInformation, &basic_info,
                           sizeof(basic_info), &bytes_returned);
   VERIFY_SUCCESS(g_nt.Close(query_section));
   if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned)
     return false;
   if (!(basic_info.Attributes & SEC_IMAGE))
     return false;
   return true;
 }
 UNICODE_STRING* AnsiToUnicode(const char* string) {
   ANSI_STRING ansi_string;
   ansi_string.Length = static_cast<USHORT>(g_nt.strlen(string));
   ansi_string.MaximumLength = ansi_string.Length + 1;
   ansi_string.Buffer = const_cast<char*>(string);
   if (ansi_string.Length > ansi_string.MaximumLength)
     return NULL;
   size_t name_bytes = ansi_string.MaximumLength * sizeof(wchar_t) +
                       sizeof(UNICODE_STRING);
   UNICODE_STRING* out_string = reinterpret_cast<UNICODE_STRING*>(
                                    new(NT_ALLOC) char[name_bytes]);
   if (!out_string)
     return NULL;
   out_string->MaximumLength = ansi_string.MaximumLength *  sizeof(wchar_t);
   out_string->Buffer = reinterpret_cast<wchar_t*>(&out_string[1]);
   BOOLEAN alloc_destination = FALSE;
   NTSTATUS ret = g_nt.RtlAnsiStringToUnicodeString(out_string, &ansi_string,
                                                    alloc_destination);
   DCHECK_NT(STATUS_BUFFER_OVERFLOW != ret);
   if (!NT_SUCCESS(ret)) {
     operator delete(out_string, NT_ALLOC);
     return NULL;
   }
   return out_string;
 }
 UNICODE_STRING* GetImageInfoFromModule(HMODULE module, uint32* flags) {
   UNICODE_STRING* out_name = NULL;
   __try {
     do {
       *flags = 0;
       base::win::PEImage pe(module);
       if (!pe.VerifyMagic())
         break;
       *flags |= MODULE_IS_PE_IMAGE;
       PIMAGE_EXPORT_DIRECTORY exports = pe.GetExportDirectory();
       if (exports) {
         char* name = reinterpret_cast<char*>(pe.RVAToAddr(exports->Name));
         out_name = AnsiToUnicode(name);
       }
       PIMAGE_NT_HEADERS headers = pe.GetNTHeaders();
       if (headers) {
         if (headers->OptionalHeader.AddressOfEntryPoint)
           *flags |= MODULE_HAS_ENTRY_POINT;
         if (headers->OptionalHeader.SizeOfCode)
           *flags |= MODULE_HAS_CODE;
       }
     } while (false);
   } __except(EXCEPTION_EXECUTE_HANDLER) {
   }
   return out_name;
 }
 UNICODE_STRING* GetBackingFilePath(PVOID address) {
   // We'll start with something close to max_path charactes for the name.
   ULONG buffer_bytes = MAX_PATH * 2;
   for (;;) {
     MEMORY_SECTION_NAME* section_name = reinterpret_cast<MEMORY_SECTION_NAME*>(
         new(NT_ALLOC) char[buffer_bytes]);
     if (!section_name)
       return NULL;
     ULONG returned_bytes;
     NTSTATUS ret = g_nt.QueryVirtualMemory(NtCurrentProcess, address,
                                            MemorySectionName, section_name,
                                            buffer_bytes, &returned_bytes);
     if (STATUS_BUFFER_OVERFLOW == ret) {
       // Retry the call with the given buffer size.
       operator delete(section_name, NT_ALLOC);
       section_name = NULL;
       buffer_bytes = returned_bytes;
       continue;
     }
     if (!NT_SUCCESS(ret)) {
       operator delete(section_name, NT_ALLOC);
       return NULL;
     }
     return reinterpret_cast<UNICODE_STRING*>(section_name);
   }
 }
 UNICODE_STRING* ExtractModuleName(const UNICODE_STRING* module_path) {
   if ((!module_path) || (!module_path->Buffer))
     return NULL;
   wchar_t* sep = NULL;
   int start_pos = module_path->Length / sizeof(wchar_t) - 1;
   int ix = start_pos;
   for (; ix >= 0; --ix) {
     if (module_path->Buffer[ix] == L'\\') {
       sep = &module_path->Buffer[ix];
       break;
     }
   }
   // Ends with path separator. Not a valid module name.
   if ((ix == start_pos) && sep)
     return NULL;
   // No path separator found. Use the entire name.
   if (!sep) {
     sep = &module_path->Buffer[-1];
   }
   // Add one to the size so we can null terminate the string.
   size_t size_bytes = (start_pos - ix + 1) * sizeof(wchar_t);
   // Based on the code above, size_bytes should always be small enough
   // to make the static_cast below safe.
   DCHECK_NT(kuint16max > size_bytes);
   char* str_buffer = new(NT_ALLOC) char[size_bytes + sizeof(UNICODE_STRING)];
   if (!str_buffer)
     return NULL;
   UNICODE_STRING* out_string = reinterpret_cast<UNICODE_STRING*>(str_buffer);
   out_string->Buffer = reinterpret_cast<wchar_t*>(&out_string[1]);
   out_string->Length = static_cast<USHORT>(size_bytes - sizeof(wchar_t));
   out_string->MaximumLength = static_cast<USHORT>(size_bytes);
   NTSTATUS ret = CopyData(out_string->Buffer, &sep[1], out_string->Length);
   if (!NT_SUCCESS(ret)) {
     operator delete(out_string, NT_ALLOC);
     return NULL;
   }
   out_string->Buffer[out_string->Length / sizeof(wchar_t)] = L'\0';
   return out_string;
 }
 NTSTATUS AutoProtectMemory::ChangeProtection(void* address, size_t bytes,
                                              ULONG protect) {
   DCHECK_NT(!changed_);
   SIZE_T new_bytes = bytes;
   NTSTATUS ret = g_nt.ProtectVirtualMemory(NtCurrentProcess, &address,
                                            &new_bytes, protect, &old_protect_);
   if (NT_SUCCESS(ret)) {
     changed_ = true;
     address_ = address;
     bytes_ = new_bytes;
   }
   return ret;
 }
 NTSTATUS AutoProtectMemory::RevertProtection() {
   if (!changed_)
     return STATUS_SUCCESS;
   DCHECK_NT(address_);
   DCHECK_NT(bytes_);
   SIZE_T new_bytes = bytes_;
   NTSTATUS ret = g_nt.ProtectVirtualMemory(NtCurrentProcess, &address_,
                                            &new_bytes, old_protect_,
                                            &old_protect_);
   DCHECK_NT(NT_SUCCESS(ret));
   changed_ = false;
   address_ = NULL;
   bytes_ = 0;
   old_protect_ = 0;
   return ret;
 }
 bool IsSupportedRenameCall(FILE_RENAME_INFORMATION* file_info, DWORD length,
                            uint32 file_info_class) {
   if (FileRenameInformation != file_info_class)
     return false;
   if (length < sizeof(FILE_RENAME_INFORMATION))
     return false;
   // Make sure file name length doesn't exceed the message length
   if (length - offsetof(FILE_RENAME_INFORMATION, FileName) <
       file_info->FileNameLength)
     return false;
   // We don't support a root directory.
   if (file_info->RootDirectory)
     return false;
   // Check if it starts with \\??\\. We don't support relative paths.
   if (file_info->FileNameLength < 4 || file_info->FileNameLength > kuint16max)
     return false;
   if (file_info->FileName[0] != L'\\' ||
       file_info->FileName[1] != L'?' ||
       file_info->FileName[2] != L'?' ||
       file_info->FileName[3] != L'\\')
     return false;
   return true;
 }
 }  // namespace sandbox
 void* operator new(size_t size, sandbox::AllocationType type,
                    void* near_to) {
   using namespace sandbox;
   if (NT_ALLOC == type) {
     if (!InitHeap())
       return NULL;
     // Use default flags for the allocation.
     return g_nt.RtlAllocateHeap(sandbox::g_heap, 0, size);
   } else if (NT_PAGE == type) {
     return AllocateNearTo(near_to, size);
   }
   NOTREACHED_NT();
   return NULL;
 }
 void operator delete(void* memory, sandbox::AllocationType type) {
   using namespace sandbox;
   if (NT_ALLOC == type) {
     // Use default flags.
     VERIFY(g_nt.RtlFreeHeap(sandbox::g_heap, 0, memory));
   } else if (NT_PAGE == type) {
     void* base = memory;
     SIZE_T size = 0;
     VERIFY_SUCCESS(g_nt.FreeVirtualMemory(NtCurrentProcess, &base, &size,
                                           MEM_RELEASE));
   } else {
     NOTREACHED_NT();
   }
 }
 void operator delete(void* memory, sandbox::AllocationType type,
                      void* near_to) {
   UNREFERENCED_PARAMETER(near_to);
   operator delete(memory, type);
 }
 void* __cdecl operator new(size_t size, void* buffer,
                            sandbox::AllocationType type) {
   UNREFERENCED_PARAMETER(size);
   UNREFERENCED_PARAMETER(type);
   return buffer;
 }
 void __cdecl operator delete(void* memory, void* buffer,
                              sandbox::AllocationType type) {
   UNREFERENCED_PARAMETER(memory);
   UNREFERENCED_PARAMETER(buffer);
   UNREFERENCED_PARAMETER(type);
 }

The Tor Browser / annotate

security/sandbox/win/src/sandbox_nt_util.cc@6474c204b198 (annotated)

security/sandbox/win/src/sandbox_nt_util.cc