The Tor Browser: comparison security/sandbox/win/src/sidestep

--1:000000000000
+:bd7949b216c4
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "sandbox/win/src/sidestep_resolver.h"
+#include "base/win/pe_image.h"
+#include "sandbox/win/src/sandbox_nt_util.h"
+#include "sandbox/win/src/sidestep/preamble_patcher.h"
+namespace {
+const size_t kSizeOfSidestepStub = sidestep::kMaxPreambleStubSize;
+struct SidestepThunk {
+char sidestep[kSizeOfSidestepStub];  // Storage for the sidestep stub.
+int internal_thunk;  // Dummy member to the beginning of the internal thunk.
+};
+struct SmartThunk {
+const void* module_base;  // Target module's base.
+const void* interceptor;  // Real interceptor.
+SidestepThunk sidestep;  // Standard sidestep thunk.
+};
+}  // namespace
+namespace sandbox {
+NTSTATUS SidestepResolverThunk::Setup(const void* target_module,
+const void* interceptor_module,
+const char* target_name,
+const char* interceptor_name,
+const void* interceptor_entry_point,
+void* thunk_storage,
+size_t storage_bytes,
+size_t* storage_used) {
+NTSTATUS ret = Init(target_module, interceptor_module, target_name,
+interceptor_name, interceptor_entry_point,
+thunk_storage, storage_bytes);
+if (!NT_SUCCESS(ret))
+return ret;
+SidestepThunk* thunk = reinterpret_cast<SidestepThunk*>(thunk_storage);
+size_t internal_bytes = storage_bytes - kSizeOfSidestepStub;
+if (!SetInternalThunk(&thunk->internal_thunk, internal_bytes, thunk_storage,
+interceptor_))
+return STATUS_BUFFER_TOO_SMALL;
+AutoProtectMemory memory;
+ret = memory.ChangeProtection(target_, kSizeOfSidestepStub, PAGE_READWRITE);
+if (!NT_SUCCESS(ret))
+return ret;
+sidestep::SideStepError rv = sidestep::PreamblePatcher::Patch(
+target_, reinterpret_cast<void*>(&thunk->internal_thunk), thunk_storage,
+kSizeOfSidestepStub);
+if (sidestep::SIDESTEP_INSUFFICIENT_BUFFER == rv)
+return STATUS_BUFFER_TOO_SMALL;
+if (sidestep::SIDESTEP_SUCCESS != rv)
+return STATUS_UNSUCCESSFUL;
+if (storage_used)
+*storage_used = GetThunkSize();
+return ret;
+}
+size_t SidestepResolverThunk::GetThunkSize() const {
+return GetInternalThunkSize() + kSizeOfSidestepStub;
+}
+// This is basically a wrapper around the normal sidestep patch that extends
+// the thunk to use a chained interceptor. It uses the fact that
+// SetInternalThunk generates the code to pass as the first parameter whatever
+// it receives as original_function; we let SidestepResolverThunk set this value
+// to its saved code, and then we change it to our thunk data.
+NTSTATUS SmartSidestepResolverThunk::Setup(const void* target_module,
+const void* interceptor_module,
+const char* target_name,
+const char* interceptor_name,
+const void* interceptor_entry_point,
+void* thunk_storage,
+size_t storage_bytes,
+size_t* storage_used) {
+if (storage_bytes < GetThunkSize())
+return STATUS_BUFFER_TOO_SMALL;
+SmartThunk* thunk = reinterpret_cast<SmartThunk*>(thunk_storage);
+thunk->module_base = target_module;
+NTSTATUS ret;
+if (interceptor_entry_point) {
+thunk->interceptor = interceptor_entry_point;
+} else {
+ret = ResolveInterceptor(interceptor_module, interceptor_name,
+&thunk->interceptor);
+if (!NT_SUCCESS(ret))
+return ret;
+}
+// Perform a standard sidestep patch on the last part of the thunk, but point
+// to our internal smart interceptor.
+size_t standard_bytes = storage_bytes - offsetof(SmartThunk, sidestep);
+ret = SidestepResolverThunk::Setup(target_module, interceptor_module,
+target_name, NULL, &SmartStub,
+&thunk->sidestep, standard_bytes, NULL);
+if (!NT_SUCCESS(ret))
+return ret;
+// Fix the internal thunk to pass the whole buffer to the interceptor.
+SetInternalThunk(&thunk->sidestep.internal_thunk, GetInternalThunkSize(),
+thunk_storage, &SmartStub);
+if (storage_used)
+*storage_used = GetThunkSize();
+return ret;
+}
+size_t SmartSidestepResolverThunk::GetThunkSize() const {
+return GetInternalThunkSize() + kSizeOfSidestepStub +
+offsetof(SmartThunk, sidestep);
+}
+// This code must basically either call the intended interceptor or skip the
+// call and invoke instead the original function. In any case, we are saving
+// the registers that may be trashed by our c++ code.
+//
+// This function is called with a first parameter inserted by us, that points
+// to our SmartThunk. When we call the interceptor we have to replace this
+// parameter with the one expected by that function (stored inside our
+// structure); on the other hand, when we skip the interceptor we have to remove
+// that extra argument before calling the original function.
+//
+// When we skip the interceptor, the transformation of the stack looks like:
+//  On Entry:                         On Use:                     On Exit:
+//  [param 2] = first real argument   [param 2] (esp+1c)          [param 2]
+//  [param 1] = our SmartThunk        [param 1] (esp+18)          [ret address]
+//  [ret address] = real caller       [ret address] (esp+14)      [xxx]
+//  [xxx]                             [addr to jump to] (esp+10)  [xxx]
+//  [xxx]                             [saved eax]                 [xxx]
+//  [xxx]                             [saved ebx]                 [xxx]
+//  [xxx]                             [saved ecx]                 [xxx]
+//  [xxx]                             [saved edx]                 [xxx]
+__declspec(naked)
+void SmartSidestepResolverThunk::SmartStub() {
+__asm {
+push eax                  // Space for the jump.
+push eax                  // Save registers.
+push ebx
+push ecx
+push edx
+mov ebx, [esp + 0x18]     // First parameter = SmartThunk.
+mov edx, [esp + 0x14]     // Get the return address.
+mov eax, [ebx]SmartThunk.module_base
+push edx
+push eax
+call SmartSidestepResolverThunk::IsInternalCall
+add esp, 8
+test eax, eax
+lea edx, [ebx]SmartThunk.sidestep   // The original function.
+jz call_interceptor
+// Skip this call
+mov ecx, [esp + 0x14]               // Return address.
+mov [esp + 0x18], ecx               // Remove first parameter.
+mov [esp + 0x10], edx
+pop edx                             // Restore registers.
+pop ecx
+pop ebx
+pop eax
+ret 4                               // Jump to original function.
+call_interceptor:
+mov ecx, [ebx]SmartThunk.interceptor
+mov [esp + 0x18], edx               // Replace first parameter.
+mov [esp + 0x10], ecx
+pop edx                             // Restore registers.
+pop ecx
+pop ebx
+pop eax
+ret                                 // Jump to original function.
+}
+}
+bool SmartSidestepResolverThunk::IsInternalCall(const void* base,
+void* return_address) {
+DCHECK_NT(base);
+DCHECK_NT(return_address);
+base::win::PEImage pe(base);
+if (pe.GetImageSectionFromAddr(return_address))
+return true;
+return false;
+}
+}  // namespace sandbox

The Tor Browser / file comparison

comparison: security/sandbox/win/src/sidestep_resolver.cc

security/sandbox/win/src/sidestep_resolver.cc