search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/skia d32087a:1052f51
[chromium-blink-merge.git] / chrome_elf / blacklist / blacklist.cc
blob616c79399addc7cf6481cf69c15d581ef392c43d
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome_elf/blacklist/blacklist.h"
6
7 #include <assert.h>
8 #include <string.h>
9
10 #include <vector>
11
12 #include "base/basictypes.h"
13 #include "chrome_elf/blacklist/blacklist_interceptions.h"
14 #include "chrome_elf/chrome_elf_constants.h"
15 #include "chrome_elf/chrome_elf_util.h"
16 #include "chrome_elf/thunk_getter.h"
17 #include "sandbox/win/src/interception_internal.h"
18 #include "sandbox/win/src/internal_types.h"
19 #include "sandbox/win/src/service_resolver.h"
20
21 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
22 extern "C" IMAGE_DOS_HEADER __ImageBase;
23
24 namespace blacklist{
25
26 // The DLLs listed here are known (or under strong suspicion) of causing crashes
27 // when they are loaded in the browser. DLLs should only be added to this list
28 // if there is nothing else Chrome can do to prevent those crashes.
29 // For more information about how this list is generated, and how to get off
30 // of it, see:
31 // https://sites.google.com/a/chromium.org/dev/Home/third-party-developers
32 // NOTE: Please remember to update the DllHash enum in histograms.xml when
33 // adding a new value to the blacklist.
34 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
35 L"949ba8b6a9.dll", // Coupon Time.
36 L"activedetect32.dll", // Lenovo One Key Theater.
37 // See crbug.com/379218.
38 L"activedetect64.dll", // Lenovo One Key Theater.
39 L"bitguard.dll", // Unknown (suspected malware).
40 L"bsvc.dll", // Unknown (suspected adware).
41 L"chrmxtn.dll", // Unknown (keystroke logger).
42 L"cplushook.dll", // Unknown (suspected malware).
43 L"crdli.dll", // Linkury Inc.
44 L"crdli64.dll", // Linkury Inc.
45 L"datamngr.dll", // Unknown (suspected adware).
46 L"dpinterface32.dll", // Unknown (suspected adware).
47 L"explorerex.dll", // Unknown (suspected adware).
48 L"hk.dll", // Unknown (keystroke logger).
49 L"libapi2hook.dll", // V-Bates.
50 L"libinject.dll", // V-Bates.
51 L"libinject2.dll", // V-Bates.
52 L"libredir2.dll", // V-Bates.
53 L"libsvn_tsvn32.dll", // TortoiseSVN.
54 L"libwinhook.dll", // V-Bates.
55 L"lmrn.dll", // Unknown.
56 L"minisp.dll", // Unknown (suspected malware).
57 L"minisp32.dll", // Unknown (suspected malware).
58 L"offerswizarddll.dll", // Unknown (suspected adware).
59 L"safetynut.dll", // Unknown (suspected adware).
60 L"smdmf.dll", // Unknown (suspected adware).
61 L"spappsv32.dll", // Unknown (suspected adware).
62 L"systemk.dll", // Unknown (suspected adware).
63 L"vntsrv.dll", // Virtual New Tab by APN LLC.
64 L"wajam_goblin_64.dll", // Wajam Internet Technologies.
65 L"wajam_goblin.dll", // Wajam Internet Technologies.
66 L"windowsapihookdll32.dll", // Lenovo One Key Theater.
67 // See crbug.com/379218.
68 L"windowsapihookdll64.dll", // Lenovo One Key Theater.
69 L"virtualcamera.ax", // %PROGRAMFILES%\ASUS\VirtualCamera.
70 // See crbug.com/422522.
71 L"ycwebcamerasource.ax", // CyberLink Youcam, crbug.com/424159
72 // Keep this null pointer here to mark the end of the list.
73 NULL,
74 };
75
76 bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
77 int g_num_blocked_dlls = 0;
78
79 } // namespace blacklist
80
81 // Allocate storage for thunks in a page of this module to save on doing
82 // an extra allocation at run time.
83 #pragma section(".crthunk",read,execute)
84 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
85
86 namespace {
87
88 // Record if the blacklist was successfully initialized so processes can easily
89 // determine if the blacklist is enabled for them.
90 bool g_blacklist_initialized = false;
91
92 // Helper to set DWORD registry values.
93 DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
94 return ::RegSetValueEx(*key,
95 property,
96 0,
97 REG_DWORD,
98 reinterpret_cast<LPBYTE>(&value),
99 sizeof(value));
100 }
101
102 bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
103 LONG result = 0;
104 if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
105 // If the blacklist succeeded on the previous run reset the failure
106 // counter.
107 return (SetDWValue(key,
108 blacklist::kBeaconAttemptCount,
109 static_cast<DWORD>(0)) == ERROR_SUCCESS);
110 } else {
111 // Some part of the blacklist setup failed last time. If this has occured
112 // blacklist::kBeaconMaxAttempts times in a row we switch the state to
113 // failed and skip setting up the blacklist.
114 DWORD attempt_count = 0;
115 DWORD attempt_count_size = sizeof(attempt_count);
116 result = ::RegQueryValueEx(*key,
117 blacklist::kBeaconAttemptCount,
118 0,
119 NULL,
120 reinterpret_cast<LPBYTE>(&attempt_count),
121 &attempt_count_size);
122
123 if (result == ERROR_FILE_NOT_FOUND)
124 attempt_count = 0;
125 else if (result != ERROR_SUCCESS)
126 return false;
127
128 ++attempt_count;
129 SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
130
131 if (attempt_count >= blacklist::kBeaconMaxAttempts) {
132 blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
133 SetDWValue(key, blacklist::kBeaconState, blacklist_state);
134 }
135
136 return false;
137 }
138 }
139
140 } // namespace
141
142 namespace blacklist {
143
144 #if defined(_WIN64)
145 // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
146 #pragma section(".oldntmap",write,read)
147 __declspec(allocate(".oldntmap"))
148 NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
149 #endif
150
151 bool LeaveSetupBeacon() {
152 HKEY key = NULL;
153 DWORD disposition = 0;
154 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
155 kRegistryBeaconPath,
156 0,
157 NULL,
158 REG_OPTION_NON_VOLATILE,
159 KEY_QUERY_VALUE | KEY_SET_VALUE,
160 NULL,
161 &key,
162 &disposition);
163 if (result != ERROR_SUCCESS)
164 return false;
165
166 // Retrieve the current blacklist state.
167 DWORD blacklist_state = BLACKLIST_STATE_MAX;
168 DWORD blacklist_state_size = sizeof(blacklist_state);
169 DWORD type = 0;
170 result = ::RegQueryValueEx(key,
171 kBeaconState,
172 0,
173 &type,
174 reinterpret_cast<LPBYTE>(&blacklist_state),
175 &blacklist_state_size);
176
177 if (result != ERROR_SUCCESS || blacklist_state == BLACKLIST_DISABLED ||
178 type != REG_DWORD) {
179 ::RegCloseKey(key);
180 return false;
181 }
182
183 if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
184 ::RegCloseKey(key);
185 return false;
186 }
187
188 result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
189 ::RegCloseKey(key);
190
191 return (result == ERROR_SUCCESS);
192 }
193
194 bool ResetBeacon() {
195 HKEY key = NULL;
196 DWORD disposition = 0;
197 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
198 kRegistryBeaconPath,
199 0,
200 NULL,
201 REG_OPTION_NON_VOLATILE,
202 KEY_QUERY_VALUE | KEY_SET_VALUE,
203 NULL,
204 &key,
205 &disposition);
206 if (result != ERROR_SUCCESS)
207 return false;
208
209 DWORD blacklist_state = BLACKLIST_STATE_MAX;
210 DWORD blacklist_state_size = sizeof(blacklist_state);
211 DWORD type = 0;
212 result = ::RegQueryValueEx(key,
213 kBeaconState,
214 0,
215 &type,
216 reinterpret_cast<LPBYTE>(&blacklist_state),
217 &blacklist_state_size);
218
219 if (result != ERROR_SUCCESS || type != REG_DWORD) {
220 ::RegCloseKey(key);
221 return false;
222 }
223
224 // Reaching this point with the setup running state means the setup did not
225 // crash, so we reset to enabled. Any other state indicates that setup was
226 // skipped; in that case we leave the state alone for later recording.
227 if (blacklist_state == BLACKLIST_SETUP_RUNNING)
228 result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
229
230 ::RegCloseKey(key);
231 return (result == ERROR_SUCCESS);
232 }
233
234 int BlacklistSize() {
235 int size = -1;
236 while (blacklist::g_troublesome_dlls[++size] != NULL) {}
237
238 return size;
239 }
240
241 bool IsBlacklistInitialized() {
242 return g_blacklist_initialized;
243 }
244
245 int GetBlacklistIndex(const wchar_t* dll_name) {
246 for (int i = 0; i < kTroublesomeDllsMaxCount && g_troublesome_dlls[i]; ++i) {
247 if (_wcsicmp(dll_name, g_troublesome_dlls[i]) == 0)
248 return i;
249 }
250 return -1;
251 }
252
253 bool AddDllToBlacklist(const wchar_t* dll_name) {
254 int blacklist_size = BlacklistSize();
255 // We need to leave one space at the end for the null pointer.
256 if (blacklist_size + 1 >= kTroublesomeDllsMaxCount)
257 return false;
258 for (int i = 0; i < blacklist_size; ++i) {
259 if (!_wcsicmp(g_troublesome_dlls[i], dll_name))
260 return true;
261 }
262
263 // Copy string to blacklist.
264 wchar_t* str_buffer = new wchar_t[wcslen(dll_name) + 1];
265 wcscpy(str_buffer, dll_name);
266
267 g_troublesome_dlls[blacklist_size] = str_buffer;
268 g_blocked_dlls[blacklist_size] = false;
269 return true;
270 }
271
272 bool RemoveDllFromBlacklist(const wchar_t* dll_name) {
273 int blacklist_size = BlacklistSize();
274 for (int i = 0; i < blacklist_size; ++i) {
275 if (!_wcsicmp(g_troublesome_dlls[i], dll_name)) {
276 // Found the thing to remove. Delete it then replace it with the last
277 // element.
278 delete[] g_troublesome_dlls[i];
279 g_troublesome_dlls[i] = g_troublesome_dlls[blacklist_size - 1];
280 g_troublesome_dlls[blacklist_size - 1] = NULL;
281
282 // Also update the stats recording if we have blocked this dll or not.
283 if (g_blocked_dlls[i])
284 --g_num_blocked_dlls;
285 g_blocked_dlls[i] = g_blocked_dlls[blacklist_size - 1];
286 return true;
287 }
288 }
289 return false;
290 }
291
292 // TODO(csharp): Maybe store these values in the registry so we can
293 // still report them if Chrome crashes early.
294 void SuccessfullyBlocked(const wchar_t** blocked_dlls, int* size) {
295 if (size == NULL)
296 return;
297
298 // If the array isn't valid or big enough, just report the size it needs to
299 // be and return.
300 if (blocked_dlls == NULL && *size < g_num_blocked_dlls) {
301 *size = g_num_blocked_dlls;
302 return;
303 }
304
305 *size = g_num_blocked_dlls;
306
307 int strings_to_fill = 0;
308 for (int i = 0; strings_to_fill < g_num_blocked_dlls && g_troublesome_dlls[i];
309 ++i) {
310 if (g_blocked_dlls[i]) {
311 blocked_dlls[strings_to_fill] = g_troublesome_dlls[i];
312 ++strings_to_fill;
313 }
314 }
315 }
316
317 void BlockedDll(size_t blocked_index) {
318 assert(blocked_index < kTroublesomeDllsMaxCount);
319
320 if (!g_blocked_dlls[blocked_index] &&
321 blocked_index < kTroublesomeDllsMaxCount) {
322 ++g_num_blocked_dlls;
323 g_blocked_dlls[blocked_index] = true;
324 }
325 }
326
327 bool Initialize(bool force) {
328 // Check to see that we found the functions we need in ntdll.
329 if (!InitializeInterceptImports())
330 return false;
331
332 // Check to see if this is a non-browser process, abort if so.
333 if (IsNonBrowserProcess())
334 return false;
335
336 // Check to see if the blacklist beacon is still set to running (indicating a
337 // failure) or disabled, and abort if so.
338 if (!force && !LeaveSetupBeacon())
339 return false;
340
341 // It is possible for other dlls to have already patched code by now and
342 // attempting to patch their code might result in crashes.
343 const bool kRelaxed = false;
344
345 // Create a thunk via the appropriate ServiceResolver instance.
346 sandbox::ServiceResolverThunk* thunk = GetThunk(kRelaxed);
347
348 // Don't try blacklisting on unsupported OS versions.
349 if (!thunk)
350 return false;
351
352 BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_thunk_storage);
353
354 // Mark the thunk storage as readable and writeable, since we
355 // ready to write to it.
356 DWORD old_protect = 0;
357 if (!VirtualProtect(&g_thunk_storage,
358 sizeof(g_thunk_storage),
359 PAGE_EXECUTE_READWRITE,
360 &old_protect)) {
361 return false;
362 }
363
364 thunk->AllowLocalPatches();
365
366 // We declare this early so it can be used in the 64-bit block below and
367 // still work on 32-bit build when referenced at the end of the function.
368 BOOL page_executable = false;
369
370 // Replace the default NtMapViewOfSection with our patched version.
371 #if defined(_WIN64)
372 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
373 reinterpret_cast<void*>(&__ImageBase),
374 "NtMapViewOfSection",
375 NULL,
376 &blacklist::BlNtMapViewOfSection64,
377 thunk_storage,
378 sizeof(sandbox::ThunkData),
379 NULL);
380
381 // Keep a pointer to the original code, we don't have enough space to
382 // add it directly to the call.
383 g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
384 thunk_storage);
385
386 // Ensure that the pointer to the old function can't be changed.
387 page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
388 sizeof(g_nt_map_view_of_section_func),
389 PAGE_EXECUTE_READ,
390 &old_protect);
391 #else
392 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
393 reinterpret_cast<void*>(&__ImageBase),
394 "NtMapViewOfSection",
395 NULL,
396 &blacklist::BlNtMapViewOfSection,
397 thunk_storage,
398 sizeof(sandbox::ThunkData),
399 NULL);
400 #endif
401 delete thunk;
402
403 // Record if we have initialized the blacklist.
404 g_blacklist_initialized = NT_SUCCESS(ret);
405
406 // Mark the thunk storage as executable and prevent any future writes to it.
407 page_executable = page_executable && VirtualProtect(&g_thunk_storage,
408 sizeof(g_thunk_storage),
409 PAGE_EXECUTE_READ,
410 &old_protect);
411
412 AddDllsFromRegistryToBlacklist();
413
414 return NT_SUCCESS(ret) && page_executable;
415 }
416
417 void AddDllsFromRegistryToBlacklist() {
418 HKEY key = NULL;
419 LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
420 kRegistryFinchListPath,
421 0,
422 KEY_QUERY_VALUE | KEY_SET_VALUE,
423 &key);
424
425 if (result != ERROR_SUCCESS)
426 return;
427
428 // We add dlls from the registry to the blacklist.
429 DWORD value_len;
430 DWORD name_len = MAX_PATH;
431 std::vector<wchar_t> name_buffer(name_len);
432 for (int i = 0; result == ERROR_SUCCESS; ++i) {
433 name_len = MAX_PATH;
434 value_len = 0;
435 result = ::RegEnumValue(
436 key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
437 if (result != ERROR_SUCCESS)
438 break;
439
440 name_len = name_len + 1;
441 value_len = value_len + 1;
442 std::vector<wchar_t> value_buffer(value_len);
443 result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
444 reinterpret_cast<BYTE*>(&value_buffer[0]),
445 &value_len);
446 if (result != ERROR_SUCCESS)
447 break;
448 value_buffer[value_len - 1] = L'\0';
449 AddDllToBlacklist(&value_buffer[0]);
450 }
451
452 ::RegCloseKey(key);
453 return;
454 }
455
456 } // namespace blacklist