The Tor Browser / annotate

security/sandbox/win/src/win_utils.cc@6474c204b198 (annotated)

security/sandbox/win/src/win_utils.cc

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
michael@0 2 // Use of this source code is governed by a BSD-style license that can be
michael@0 3 // found in the LICENSE file.
michael@0 4
michael@0 5 #include "sandbox/win/src/win_utils.h"
michael@0 6
michael@0 7 #include <map>
michael@0 8
michael@0 9 #include "base/logging.h"
michael@0 10 #include "base/memory/scoped_ptr.h"
michael@0 11 #include "sandbox/win/src/internal_types.h"
michael@0 12 #include "sandbox/win/src/nt_internals.h"
michael@0 13
michael@0 14 namespace {
michael@0 15
michael@0 16 // Holds the information about a known registry key.
michael@0 17 struct KnownReservedKey {
michael@0 18 const wchar_t* name;
michael@0 19 HKEY key;
michael@0 20 };
michael@0 21
michael@0 22 // Contains all the known registry key by name and by handle.
michael@0 23 const KnownReservedKey kKnownKey[] = {
michael@0 24 { L"HKEY_CLASSES_ROOT", HKEY_CLASSES_ROOT },
michael@0 25 { L"HKEY_CURRENT_USER", HKEY_CURRENT_USER },
michael@0 26 { L"HKEY_LOCAL_MACHINE", HKEY_LOCAL_MACHINE},
michael@0 27 { L"HKEY_USERS", HKEY_USERS},
michael@0 28 { L"HKEY_PERFORMANCE_DATA", HKEY_PERFORMANCE_DATA},
michael@0 29 { L"HKEY_PERFORMANCE_TEXT", HKEY_PERFORMANCE_TEXT},
michael@0 30 { L"HKEY_PERFORMANCE_NLSTEXT", HKEY_PERFORMANCE_NLSTEXT},
michael@0 31 { L"HKEY_CURRENT_CONFIG", HKEY_CURRENT_CONFIG},
michael@0 32 { L"HKEY_DYN_DATA", HKEY_DYN_DATA}
michael@0 33 };
michael@0 34
michael@0 35 // Returns true if the provided path points to a pipe.
michael@0 36 bool IsPipe(const std::wstring& path) {
michael@0 37 size_t start = 0;
michael@0 38 if (0 == path.compare(0, sandbox::kNTPrefixLen, sandbox::kNTPrefix))
michael@0 39 start = sandbox::kNTPrefixLen;
michael@0 40
michael@0 41 const wchar_t kPipe[] = L"pipe\\";
michael@0 42 return (0 == path.compare(start, arraysize(kPipe) - 1, kPipe));
michael@0 43 }
michael@0 44
michael@0 45 } // namespace
michael@0 46
michael@0 47 namespace sandbox {
michael@0 48
michael@0 49 HKEY GetReservedKeyFromName(const std::wstring& name) {
michael@0 50 for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
michael@0 51 if (name == kKnownKey[i].name)
michael@0 52 return kKnownKey[i].key;
michael@0 53 }
michael@0 54
michael@0 55 return NULL;
michael@0 56 }
michael@0 57
michael@0 58 bool ResolveRegistryName(std::wstring name, std::wstring* resolved_name) {
michael@0 59 for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
michael@0 60 if (name.find(kKnownKey[i].name) == 0) {
michael@0 61 HKEY key;
michael@0 62 DWORD disposition;
michael@0 63 if (ERROR_SUCCESS != ::RegCreateKeyEx(kKnownKey[i].key, L"", 0, NULL, 0,
michael@0 64 MAXIMUM_ALLOWED, NULL, &key,
michael@0 65 &disposition))
michael@0 66 return false;
michael@0 67
michael@0 68 bool result = GetPathFromHandle(key, resolved_name);
michael@0 69 ::RegCloseKey(key);
michael@0 70
michael@0 71 if (!result)
michael@0 72 return false;
michael@0 73
michael@0 74 *resolved_name += name.substr(wcslen(kKnownKey[i].name));
michael@0 75 return true;
michael@0 76 }
michael@0 77 }
michael@0 78
michael@0 79 return false;
michael@0 80 }
michael@0 81
michael@0 82 DWORD IsReparsePoint(const std::wstring& full_path, bool* result) {
michael@0 83 std::wstring path = full_path;
michael@0 84
michael@0 85 // Remove the nt prefix.
michael@0 86 if (0 == path.compare(0, kNTPrefixLen, kNTPrefix))
michael@0 87 path = path.substr(kNTPrefixLen);
michael@0 88
michael@0 89 // Check if it's a pipe. We can't query the attributes of a pipe.
michael@0 90 if (IsPipe(path)) {
michael@0 91 *result = FALSE;
michael@0 92 return ERROR_SUCCESS;
michael@0 93 }
michael@0 94
michael@0 95 std::wstring::size_type last_pos = std::wstring::npos;
michael@0 96
michael@0 97 do {
michael@0 98 path = path.substr(0, last_pos);
michael@0 99
michael@0 100 DWORD attributes = ::GetFileAttributes(path.c_str());
michael@0 101 if (INVALID_FILE_ATTRIBUTES == attributes) {
michael@0 102 DWORD error = ::GetLastError();
michael@0 103 if (error != ERROR_FILE_NOT_FOUND &&
michael@0 104 error != ERROR_PATH_NOT_FOUND &&
michael@0 105 error != ERROR_INVALID_NAME) {
michael@0 106 // Unexpected error.
michael@0 107 NOTREACHED();
michael@0 108 return error;
michael@0 109 }
michael@0 110 } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
michael@0 111 // This is a reparse point.
michael@0 112 *result = true;
michael@0 113 return ERROR_SUCCESS;
michael@0 114 }
michael@0 115
michael@0 116 last_pos = path.rfind(L'\\');
michael@0 117 } while (last_pos != std::wstring::npos);
michael@0 118
michael@0 119 *result = false;
michael@0 120 return ERROR_SUCCESS;
michael@0 121 }
michael@0 122
michael@0 123 // We get a |full_path| of the form \??\c:\some\foo\bar, and the name that
michael@0 124 // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
michael@0 125 bool SameObject(HANDLE handle, const wchar_t* full_path) {
michael@0 126 std::wstring path(full_path);
michael@0 127 DCHECK(!path.empty());
michael@0 128
michael@0 129 // Check if it's a pipe.
michael@0 130 if (IsPipe(path))
michael@0 131 return true;
michael@0 132
michael@0 133 std::wstring actual_path;
michael@0 134 if (!GetPathFromHandle(handle, &actual_path))
michael@0 135 return false;
michael@0 136
michael@0 137 // This may end with a backslash.
michael@0 138 const wchar_t kBackslash = '\\';
michael@0 139 if (path[path.length() - 1] == kBackslash)
michael@0 140 path = path.substr(0, path.length() - 1);
michael@0 141
michael@0 142 // Perfect match (case-insesitive check).
michael@0 143 if (0 == _wcsicmp(actual_path.c_str(), path.c_str()))
michael@0 144 return true;
michael@0 145
michael@0 146 // Look for the drive letter.
michael@0 147 size_t colon_pos = path.find(L':');
michael@0 148 if (colon_pos == 0 || colon_pos == std::wstring::npos)
michael@0 149 return false;
michael@0 150
michael@0 151 // Only one character for the drive.
michael@0 152 if (colon_pos > 1 && path[colon_pos - 2] != kBackslash)
michael@0 153 return false;
michael@0 154
michael@0 155 // We only need 3 chars, but let's alloc a buffer for four.
michael@0 156 wchar_t drive[4] = {0};
michael@0 157 wchar_t vol_name[MAX_PATH];
michael@0 158 memcpy(drive, &path[colon_pos - 1], 2 * sizeof(*drive));
michael@0 159
michael@0 160 // We'll get a double null terminated string.
michael@0 161 DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH);
michael@0 162 if (vol_length < 2 || vol_length == MAX_PATH)
michael@0 163 return false;
michael@0 164
michael@0 165 // Ignore the nulls at the end.
michael@0 166 vol_length = static_cast<DWORD>(wcslen(vol_name));
michael@0 167
michael@0 168 // The two paths should be the same length.
michael@0 169 if (vol_length + path.size() - (colon_pos + 1) != actual_path.size())
michael@0 170 return false;
michael@0 171
michael@0 172 // Check up to the drive letter.
michael@0 173 if (0 != _wcsnicmp(actual_path.c_str(), vol_name, vol_length))
michael@0 174 return false;
michael@0 175
michael@0 176 // Check the path after the drive letter.
michael@0 177 if (0 != _wcsicmp(&actual_path[vol_length], &path[colon_pos + 1]))
michael@0 178 return false;
michael@0 179
michael@0 180 return true;
michael@0 181 }
michael@0 182
michael@0 183 bool ConvertToLongPath(const std::wstring& short_path,
michael@0 184 std::wstring* long_path) {
michael@0 185 // Check if the path is a NT path.
michael@0 186 bool is_nt_path = false;
michael@0 187 std::wstring path = short_path;
michael@0 188 if (0 == path.compare(0, kNTPrefixLen, kNTPrefix)) {
michael@0 189 path = path.substr(kNTPrefixLen);
michael@0 190 is_nt_path = true;
michael@0 191 }
michael@0 192
michael@0 193 DWORD size = MAX_PATH;
michael@0 194 scoped_ptr<wchar_t[]> long_path_buf(new wchar_t[size]);
michael@0 195
michael@0 196 DWORD return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(),
michael@0 197 size);
michael@0 198 while (return_value >= size) {
michael@0 199 size *= 2;
michael@0 200 long_path_buf.reset(new wchar_t[size]);
michael@0 201 return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(), size);
michael@0 202 }
michael@0 203
michael@0 204 DWORD last_error = ::GetLastError();
michael@0 205 if (0 == return_value && (ERROR_FILE_NOT_FOUND == last_error ||
michael@0 206 ERROR_PATH_NOT_FOUND == last_error ||
michael@0 207 ERROR_INVALID_NAME == last_error)) {
michael@0 208 // The file does not exist, but maybe a sub path needs to be expanded.
michael@0 209 std::wstring::size_type last_slash = path.rfind(L'\\');
michael@0 210 if (std::wstring::npos == last_slash)
michael@0 211 return false;
michael@0 212
michael@0 213 std::wstring begin = path.substr(0, last_slash);
michael@0 214 std::wstring end = path.substr(last_slash);
michael@0 215 if (!ConvertToLongPath(begin, &begin))
michael@0 216 return false;
michael@0 217
michael@0 218 // Ok, it worked. Let's reset the return value.
michael@0 219 path = begin + end;
michael@0 220 return_value = 1;
michael@0 221 } else if (0 != return_value) {
michael@0 222 path = long_path_buf.get();
michael@0 223 }
michael@0 224
michael@0 225 if (return_value != 0) {
michael@0 226 if (is_nt_path) {
michael@0 227 *long_path = kNTPrefix;
michael@0 228 *long_path += path;
michael@0 229 } else {
michael@0 230 *long_path = path;
michael@0 231 }
michael@0 232
michael@0 233 return true;
michael@0 234 }
michael@0 235
michael@0 236 return false;
michael@0 237 }
michael@0 238
michael@0 239 bool GetPathFromHandle(HANDLE handle, std::wstring* path) {
michael@0 240 NtQueryObjectFunction NtQueryObject = NULL;
michael@0 241 ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject);
michael@0 242
michael@0 243 OBJECT_NAME_INFORMATION initial_buffer;
michael@0 244 OBJECT_NAME_INFORMATION* name = &initial_buffer;
michael@0 245 ULONG size = sizeof(initial_buffer);
michael@0 246 // Query the name information a first time to get the size of the name.
michael@0 247 NTSTATUS status = NtQueryObject(handle, ObjectNameInformation, name, size,
michael@0 248 &size);
michael@0 249
michael@0 250 scoped_ptr<OBJECT_NAME_INFORMATION> name_ptr;
michael@0 251 if (size) {
michael@0 252 name = reinterpret_cast<OBJECT_NAME_INFORMATION*>(new BYTE[size]);
michael@0 253 name_ptr.reset(name);
michael@0 254
michael@0 255 // Query the name information a second time to get the name of the
michael@0 256 // object referenced by the handle.
michael@0 257 status = NtQueryObject(handle, ObjectNameInformation, name, size, &size);
michael@0 258 }
michael@0 259
michael@0 260 if (STATUS_SUCCESS != status)
michael@0 261 return false;
michael@0 262
michael@0 263 path->assign(name->ObjectName.Buffer, name->ObjectName.Length /
michael@0 264 sizeof(name->ObjectName.Buffer[0]));
michael@0 265 return true;
michael@0 266 }
michael@0 267
michael@0 268 bool GetNtPathFromWin32Path(const std::wstring& path, std::wstring* nt_path) {
michael@0 269 HANDLE file = ::CreateFileW(path.c_str(), 0,
michael@0 270 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
michael@0 271 OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
michael@0 272 if (file == INVALID_HANDLE_VALUE)
michael@0 273 return false;
michael@0 274 bool rv = GetPathFromHandle(file, nt_path);
michael@0 275 ::CloseHandle(file);
michael@0 276 return rv;
michael@0 277 }
michael@0 278
michael@0 279 bool WriteProtectedChildMemory(HANDLE child_process, void* address,
michael@0 280 const void* buffer, size_t length) {
michael@0 281 // First, remove the protections.
michael@0 282 DWORD old_protection;
michael@0 283 if (!::VirtualProtectEx(child_process, address, length,
michael@0 284 PAGE_WRITECOPY, &old_protection))
michael@0 285 return false;
michael@0 286
michael@0 287 SIZE_T written;
michael@0 288 bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
michael@0 289 &written) && (length == written);
michael@0 290
michael@0 291 // Always attempt to restore the original protection.
michael@0 292 if (!::VirtualProtectEx(child_process, address, length,
michael@0 293 old_protection, &old_protection))
michael@0 294 return false;
michael@0 295
michael@0 296 return ok;
michael@0 297 }
michael@0 298
michael@0 299 }; // namespace sandbox
michael@0 300
michael@0 301 // TODO(jschuh): http://crbug.com/11789
michael@0 302 // I'm guessing we have a race where some "security" software is messing
michael@0 303 // with ntdll/imports underneath us. So, we retry a few times, and in the
michael@0 304 // worst case we sleep briefly before a few more attempts. (Normally sleeping
michael@0 305 // would be very bad, but it's better than crashing in this case.)
michael@0 306 void ResolveNTFunctionPtr(const char* name, void* ptr) {
michael@0 307 const int max_tries = 5;
michael@0 308 const int sleep_threshold = 2;
michael@0 309
michael@0 310 static HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName);
michael@0 311
michael@0 312 FARPROC* function_ptr = reinterpret_cast<FARPROC*>(ptr);
michael@0 313 *function_ptr = ::GetProcAddress(ntdll, name);
michael@0 314
michael@0 315 for (int tries = 1; !(*function_ptr) && tries < max_tries; ++tries) {
michael@0 316 if (tries >= sleep_threshold)
michael@0 317 ::Sleep(1);
michael@0 318 ntdll = ::GetModuleHandle(sandbox::kNtdllName);
michael@0 319 *function_ptr = ::GetProcAddress(ntdll, name);
michael@0 320 }
michael@0 321
michael@0 322 CHECK(*function_ptr);
michael@0 323 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial