1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
6 #include "sandbox/win/sandbox_poc/pocdll/exports.h"
7 #include "sandbox/win/sandbox_poc/pocdll/utils.h"
9 // This file contains the tests used to verify if it's possible to DOS or crash
10 // the machine. All tests that can impact the stability of the machine should
13 // Sleeps forever. this function is used to be the
14 // entry point for the threads created by the thread bombing function.
15 // This function never returns.
16 DWORD WINAPI
MyThreadBombimgFunction(void *param
) {
17 UNREFERENCED_PARAMETER(param
);
22 void POCDLL_API
TestThreadBombing(HANDLE log
) {
23 HandleToFile handle2file
;
24 FILE *output
= handle2file
.Translate(log
, "w");
26 // we stop after 5 errors in a row
27 int number_errors
= 0;
28 for (int i
= 0; i
< 100000; ++i
) {
30 // Create the thread and leak the handle.
31 HANDLE thread
= ::CreateThread(NULL
, // Default security attributes
33 MyThreadBombimgFunction
,
35 0, // No creation flags
38 fprintf(output
, "[GRANTED] Creating thread with tid 0x%X\r\n", tid
);
39 ::CloseHandle(thread
);
42 fprintf(output
, "[BLOCKED] Creating thread. Error %d\r\n",
47 if (number_errors
>= 5) {
54 // Executes a complex mathematical operation forever in a loop. This function
55 // is used as entry point for the threads created by TestTakeAllCpu. It it
56 // designed to take all CPU on the processor where the thread is running.
57 // The return value is always 0.
58 DWORD WINAPI
TakeAllCpu(void *param
) {
59 UNREFERENCED_PARAMETER(param
);
66 cpt
= cpt
| (cpt
* cpt
);
70 void POCDLL_API
TestTakeAllCpu(HANDLE log
) {
71 HandleToFile handle2file
;
72 FILE *output
= handle2file
.Translate(log
, "w");
74 DWORD_PTR process_mask
= 0;
75 DWORD_PTR system_mask
= 0;
76 if (::GetProcessAffinityMask(::GetCurrentProcess(),
79 DWORD_PTR affinity_mask
= 1;
84 HANDLE thread
= ::CreateThread(NULL
, // Default security attributes.
88 0, // No creation flags.
90 ::SetThreadAffinityMask(thread
, affinity_mask
);
92 if (::SetThreadPriority(thread
, REALTIME_PRIORITY_CLASS
)) {
93 fprintf(output
, "[GRANTED] Set thread(%d) priority to Realtime\r\n",
96 fprintf(output
, "[BLOCKED] Set thread(%d) priority to Realtime\r\n",
100 ::CloseHandle(thread
);
102 affinity_mask
= affinity_mask
<< 1;
103 system_mask
= system_mask
>> 1;
106 fprintf(output
, "[ERROR] Cannot get affinity mask. Error %d\r\n",
111 void POCDLL_API
TestUseAllMemory(HANDLE log
) {
112 HandleToFile handle2file
;
113 FILE *output
= handle2file
.Translate(log
, "w");
115 int number_errors
= 0;
116 unsigned long memory_size
= 0;
118 DWORD
*ptr_to_leak
= reinterpret_cast<DWORD
*>(malloc(1024*256));
120 memory_size
+= (256);
126 // check if we have more than 5 errors in a row. If so, quit.
127 if (number_errors
>= 5) {
128 fprintf(output
, "[INFO] Created %lu kb of memory\r\n", memory_size
);
132 Sleep(5); // 5ms to be able to see the progression easily with taskmgr.
136 void POCDLL_API
TestCreateObjects(HANDLE log
) {
137 HandleToFile handle2file
;
138 FILE *output
= handle2file
.Translate(log
, "w");
143 for (int i
= 0; i
< 1000000; ++i
) {
144 if (::CreateMutex(NULL
, // Default security attributes.
145 TRUE
, // We are the initial owner.
150 if (::CreateJobObject(NULL
, // Default security attributes.
155 if (::CreateEvent(NULL
, // Default security attributes.
156 TRUE
, // Manual Reset.
157 TRUE
, // Object is signaled.
163 fprintf(output
, "[GRANTED] Created %d mutexes, %d jobs and %d events for "
164 "a total of %d objects out of 3 000 000\r\n", mutexes
, jobs
,
165 events
, mutexes
+ jobs
+ events
);
168 BOOL CALLBACK
EnumWindowCallback(HWND hwnd
, LPARAM output
) {
170 ::GetWindowThreadProcessId(hwnd
, &pid
);
171 if (pid
!= ::GetCurrentProcessId()) {
172 wchar_t window_title
[100 + 1] = {0};
173 ::GetWindowText(hwnd
, window_title
, 100);
174 fprintf(reinterpret_cast<FILE*>(output
),
175 "[GRANTED] Found window 0x%p with title %S\r\n",
184 // Enumerates all the windows on the system and call the function to try to
185 // close them. The goal of this function is to try to kill the system by
186 // closing all windows.
187 // "output" is the stream used for logging.
188 void POCDLL_API
TestCloseHWND(HANDLE log
) {
189 HandleToFile handle2file
;
190 FILE *output
= handle2file
.Translate(log
, "w");
192 ::EnumWindows(EnumWindowCallback
, PtrToLong(output
));
193 // TODO(nsylvain): find a way to know when the enum is finished