sandbox/win/src/handle_closer.cc

   1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/handle_closer.h"
   6
   7 #include "base/logging.h"
   8 #include "base/memory/scoped_ptr.h"
   9 #include "base/win/windows_version.h"
  10 #include "sandbox/win/src/interceptors.h"
  11 #include "sandbox/win/src/internal_types.h"
  12 #include "sandbox/win/src/nt_internals.h"
  13 #include "sandbox/win/src/process_thread_interception.h"
  14 #include "sandbox/win/src/win_utils.h"
  15
  16 namespace {
  17
  18 template<typename T> T RoundUpToWordSize(T v) {
  19   if (size_t mod = v % sizeof(size_t))
  20     v += sizeof(size_t) - mod;
  21   return v;
  22 }
  23
  24 template<typename T> T* RoundUpToWordSize(T* v) {
  25   return reinterpret_cast<T*>(RoundUpToWordSize(reinterpret_cast<size_t>(v)));
  26 }
  27
  28 }  // namespace
  29
  30 namespace sandbox {
  31
  32 // Memory buffer mapped from the parent, with the list of handles.
  33 SANDBOX_INTERCEPT HandleCloserInfo* g_handles_to_close;
  34
  35 HandleCloser::HandleCloser() {}
  36
  37 ResultCode HandleCloser::AddHandle(const char16* handle_type,
  38                                    const char16* handle_name) {
  39   if (!handle_type)
  40     return SBOX_ERROR_BAD_PARAMS;
  41
  42   HandleMap::iterator names = handles_to_close_.find(handle_type);
  43   if (names == handles_to_close_.end()) {  // We have no entries for this type.
  44     std::pair<HandleMap::iterator, bool> result = handles_to_close_.insert(
  45         HandleMap::value_type(handle_type, HandleMap::mapped_type()));
  46     names = result.first;
  47     if (handle_name)
  48       names->second.insert(handle_name);
  49   } else if (!handle_name) {  // Now we need to close all handles of this type.
  50     names->second.clear();
  51   } else if (!names->second.empty()) {  // Add another name for this type.
  52     names->second.insert(handle_name);
  53   }  // If we're already closing all handles of type then we're done.
  54
  55   return SBOX_ALL_OK;
  56 }
  57
  58 size_t HandleCloser::GetBufferSize() {
  59   size_t bytes_total = offsetof(HandleCloserInfo, handle_entries);
  60
  61   for (HandleMap::iterator i = handles_to_close_.begin();
  62        i != handles_to_close_.end(); ++i) {
  63     size_t bytes_entry = offsetof(HandleListEntry, handle_type) +
  64         (i->first.size() + 1) * sizeof(char16);
  65     for (HandleMap::mapped_type::iterator j = i->second.begin();
  66          j != i->second.end(); ++j) {
  67       bytes_entry += ((*j).size() + 1) * sizeof(char16);
  68     }
  69
  70     // Round up to the nearest multiple of word size.
  71     bytes_entry = RoundUpToWordSize(bytes_entry);
  72     bytes_total += bytes_entry;
  73   }
  74
  75   return bytes_total;
  76 }
  77
  78 bool HandleCloser::InitializeTargetHandles(TargetProcess* target) {
  79   // Do nothing on an empty list (global pointer already initialized to NULL).
  80   if (handles_to_close_.empty())
  81     return true;
  82
  83   size_t bytes_needed = GetBufferSize();
  84   scoped_ptr<size_t[]> local_buffer(
  85       new size_t[bytes_needed / sizeof(size_t)]);
  86
  87   if (!SetupHandleList(local_buffer.get(), bytes_needed))
  88     return false;
  89
  90   HANDLE child = target->Process();
  91
  92   // Allocate memory in the target process without specifying the address
  93   void* remote_data = ::VirtualAllocEx(child, NULL, bytes_needed,
  94                                        MEM_COMMIT, PAGE_READWRITE);
  95   if (NULL == remote_data)
  96     return false;
  97
  98   // Copy the handle buffer over.
  99   SIZE_T bytes_written;
 100   BOOL result = ::WriteProcessMemory(child, remote_data, local_buffer.get(),
 101                                      bytes_needed, &bytes_written);
 102   if (!result || bytes_written != bytes_needed) {
 103     ::VirtualFreeEx(child, remote_data, 0, MEM_RELEASE);
 104     return false;
 105   }
 106
 107   g_handles_to_close = reinterpret_cast<HandleCloserInfo*>(remote_data);
 108
 109   ResultCode rc = target->TransferVariable("g_handles_to_close",
 110                                            &g_handles_to_close,
 111                                            sizeof(g_handles_to_close));
 112
 113   return (SBOX_ALL_OK == rc);
 114 }
 115
 116 bool HandleCloser::SetupHandleList(void* buffer, size_t buffer_bytes) {
 117   ::ZeroMemory(buffer, buffer_bytes);
 118   HandleCloserInfo* handle_info = reinterpret_cast<HandleCloserInfo*>(buffer);
 119   handle_info->record_bytes = buffer_bytes;
 120   handle_info->num_handle_types = handles_to_close_.size();
 121
 122   char16* output = reinterpret_cast<char16*>(&handle_info->handle_entries[0]);
 123   char16* end = reinterpret_cast<char16*>(
 124       reinterpret_cast<char*>(buffer) + buffer_bytes);
 125   for (HandleMap::iterator i = handles_to_close_.begin();
 126        i != handles_to_close_.end(); ++i) {
 127     if (output >= end)
 128       return false;
 129     HandleListEntry* list_entry = reinterpret_cast<HandleListEntry*>(output);
 130     output = &list_entry->handle_type[0];
 131
 132     // Copy the typename and set the offset and count.
 133     i->first._Copy_s(output, i->first.size(), i->first.size());
 134     *(output += i->first.size()) = L'\0';
 135     output++;
 136     list_entry->offset_to_names = reinterpret_cast<char*>(output) -
 137         reinterpret_cast<char*>(list_entry);
 138     list_entry->name_count = i->second.size();
 139
 140     // Copy the handle names.
 141     for (HandleMap::mapped_type::iterator j = i->second.begin();
 142          j != i->second.end(); ++j) {
 143       output = std::copy((*j).begin(), (*j).end(), output) + 1;
 144     }
 145
 146     // Round up to the nearest multiple of sizeof(size_t).
 147     output = RoundUpToWordSize(output);
 148     list_entry->record_bytes = reinterpret_cast<char*>(output) -
 149         reinterpret_cast<char*>(list_entry);
 150   }
 151
 152   DCHECK_EQ(reinterpret_cast<size_t>(output), reinterpret_cast<size_t>(end));
 153   return output <= end;
 154 }
 155
 156 bool HandleCloser::SetupHandleInterceptions(InterceptionManager* manager) {
 157   // We need to intercept CreateThread if we're closing ALPC port clients.
 158   HandleMap::iterator names = handles_to_close_.find(L"ALPC Port");
 159   if (base::win::GetVersion() >= base::win::VERSION_VISTA &&
 160       names != handles_to_close_.end() &&
 161       (names->second.empty() || names->second.size() == 0)) {
 162     if (!INTERCEPT_EAT(manager, kKerneldllName, CreateThread,
 163                        CREATE_THREAD_ID, 28)) {
 164       return false;
 165     }
 166     if (!INTERCEPT_EAT(manager, kKerneldllName, GetUserDefaultLCID,
 167                        GET_USER_DEFAULT_LCID_ID, 4)) {
 168       return false;
 169     }
 170
 171     return true;
 172   }
 173
 174   return true;
 175 }
 176
 177 bool GetHandleName(HANDLE handle, string16* handle_name) {
 178   static NtQueryObject QueryObject = NULL;
 179   if (!QueryObject)
 180     ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
 181
 182   ULONG size = MAX_PATH;
 183   scoped_ptr<UNICODE_STRING, base::FreeDeleter> name;
 184   NTSTATUS result;
 185
 186   do {
 187     name.reset(static_cast<UNICODE_STRING*>(malloc(size)));
 188     DCHECK(name.get());
 189     result = QueryObject(handle, ObjectNameInformation, name.get(),
 190                          size, &size);
 191   } while (result == STATUS_INFO_LENGTH_MISMATCH ||
 192            result == STATUS_BUFFER_OVERFLOW);
 193
 194   if (NT_SUCCESS(result) && name->Buffer && name->Length)
 195     handle_name->assign(name->Buffer, name->Length / sizeof(wchar_t));
 196   else
 197     handle_name->clear();
 198
 199   return NT_SUCCESS(result);
 200 }
 201
 202 }  // namespace sandbox