sandbox/win/src/handle_closer_agent.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/handle_closer_agent.h"
   6
   7 #include "base/logging.h"
   8 #include "sandbox/win/src/nt_internals.h"
   9 #include "sandbox/win/src/win_utils.h"
  10
  11 namespace {
  12
  13 // Returns type infomation for an NT object. This routine is expected to be
  14 // called for invalid handles so it catches STATUS_INVALID_HANDLE exceptions
  15 // that can be generated when handle tracing is enabled.
  16 NTSTATUS QueryObjectTypeInformation(HANDLE handle,
  17                                     void* buffer,
  18                                     ULONG* size) {
  19   static NtQueryObject QueryObject = NULL;
  20   if (!QueryObject)
  21     ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
  22
  23   NTSTATUS status = STATUS_UNSUCCESSFUL;
  24   __try {
  25     status = QueryObject(handle, ObjectTypeInformation, buffer, *size, size);
  26   } __except(GetExceptionCode() == STATUS_INVALID_HANDLE ?
  27                  EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
  28     status = STATUS_INVALID_HANDLE;
  29   }
  30   return status;
  31 }
  32
  33 }  // namespace
  34
  35 namespace sandbox {
  36
  37 // Memory buffer mapped from the parent, with the list of handles.
  38 SANDBOX_INTERCEPT HandleCloserInfo* g_handles_to_close = NULL;
  39
  40 bool HandleCloserAgent::NeedsHandlesClosed() {
  41   return g_handles_to_close != NULL;
  42 }
  43
  44 HandleCloserAgent::HandleCloserAgent()
  45     : dummy_handle_(::CreateEvent(NULL, FALSE, FALSE, NULL)) {
  46 }
  47
  48 HandleCloserAgent::~HandleCloserAgent() {
  49 }
  50
  51 // Attempts to stuff |closed_handle| with a duplicated handle for a dummy Event
  52 // with no access. This should allow the handle to be closed, to avoid
  53 // generating EXCEPTION_INVALID_HANDLE on shutdown, but nothing else. For now
  54 // the only supported |type| is Event or File.
  55 bool HandleCloserAgent::AttemptToStuffHandleSlot(HANDLE closed_handle,
  56                                                  const base::string16& type) {
  57   // Only attempt to stuff Files and Events at the moment.
  58   if (type != L"Event" && type != L"File") {
  59     return true;
  60   }
  61
  62   if (!dummy_handle_.IsValid())
  63     return false;
  64
  65   // This should never happen, as g_dummy is created before closing to_stuff.
  66   DCHECK(dummy_handle_.Get() != closed_handle);
  67
  68   std::vector<HANDLE> to_close;
  69   HANDLE dup_dummy = NULL;
  70   size_t count = 16;
  71
  72   do {
  73     if (!::DuplicateHandle(::GetCurrentProcess(), dummy_handle_.Get(),
  74                            ::GetCurrentProcess(), &dup_dummy, 0, FALSE, 0))
  75       break;
  76     if (dup_dummy != closed_handle)
  77       to_close.push_back(dup_dummy);
  78   } while (count-- &&
  79            reinterpret_cast<uintptr_t>(dup_dummy) <
  80                reinterpret_cast<uintptr_t>(closed_handle));
  81
  82   for (auto h : to_close)
  83     ::CloseHandle(h);
  84
  85   // Useful to know when we're not able to stuff handles.
  86   DCHECK(dup_dummy == closed_handle);
  87
  88   return dup_dummy == closed_handle;
  89 }
  90
  91 // Reads g_handles_to_close and creates the lookup map.
  92 void HandleCloserAgent::InitializeHandlesToClose(bool* is_csrss_connected) {
  93   CHECK(g_handles_to_close != NULL);
  94
  95   // Default to connected state
  96   *is_csrss_connected = true;
  97
  98   // Grab the header.
  99   HandleListEntry* entry = g_handles_to_close->handle_entries;
 100   for (size_t i = 0; i < g_handles_to_close->num_handle_types; ++i) {
 101     // Set the type name.
 102     base::char16* input = entry->handle_type;
 103     if (!wcscmp(input, L"ALPC Port")) {
 104       *is_csrss_connected = false;
 105     }
 106     HandleMap::mapped_type& handle_names = handles_to_close_[input];
 107     input = reinterpret_cast<base::char16*>(reinterpret_cast<char*>(entry)
 108         + entry->offset_to_names);
 109     // Grab all the handle names.
 110     for (size_t j = 0; j < entry->name_count; ++j) {
 111       std::pair<HandleMap::mapped_type::iterator, bool> name
 112           = handle_names.insert(input);
 113       CHECK(name.second);
 114       input += name.first->size() + 1;
 115     }
 116
 117     // Move on to the next entry.
 118     entry = reinterpret_cast<HandleListEntry*>(reinterpret_cast<char*>(entry)
 119         + entry->record_bytes);
 120
 121     DCHECK(reinterpret_cast<base::char16*>(entry) >= input);
 122     DCHECK(reinterpret_cast<base::char16*>(entry) - input <
 123            sizeof(size_t) / sizeof(base::char16));
 124   }
 125
 126   // Clean up the memory we copied over.
 127   ::VirtualFree(g_handles_to_close, 0, MEM_RELEASE);
 128   g_handles_to_close = NULL;
 129 }
 130
 131 bool HandleCloserAgent::CloseHandles() {
 132   DWORD handle_count = UINT_MAX;
 133   const int kInvalidHandleThreshold = 100;
 134   const size_t kHandleOffset = 4;  // Handles are always a multiple of 4.
 135
 136   if (!::GetProcessHandleCount(::GetCurrentProcess(), &handle_count))
 137     return false;
 138
 139   // Set up buffers for the type info and the name.
 140   std::vector<BYTE> type_info_buffer(sizeof(OBJECT_TYPE_INFORMATION) +
 141                                      32 * sizeof(wchar_t));
 142   OBJECT_TYPE_INFORMATION* type_info =
 143       reinterpret_cast<OBJECT_TYPE_INFORMATION*>(&(type_info_buffer[0]));
 144   base::string16 handle_name;
 145   HANDLE handle = NULL;
 146   int invalid_count = 0;
 147
 148   // Keep incrementing until we hit the number of handles reported by
 149   // GetProcessHandleCount(). If we hit a very long sequence of invalid
 150   // handles we assume that we've run past the end of the table.
 151   while (handle_count && invalid_count < kInvalidHandleThreshold) {
 152     reinterpret_cast<size_t&>(handle) += kHandleOffset;
 153     NTSTATUS rc;
 154
 155     // Get the type name, reusing the buffer.
 156     ULONG size = static_cast<ULONG>(type_info_buffer.size());
 157     rc = QueryObjectTypeInformation(handle, type_info, &size);
 158     while (rc == STATUS_INFO_LENGTH_MISMATCH ||
 159            rc == STATUS_BUFFER_OVERFLOW) {
 160       type_info_buffer.resize(size + sizeof(wchar_t));
 161       type_info = reinterpret_cast<OBJECT_TYPE_INFORMATION*>(
 162           &(type_info_buffer[0]));
 163       rc = QueryObjectTypeInformation(handle, type_info, &size);
 164       // Leave padding for the nul terminator.
 165       if (NT_SUCCESS(rc) && size == type_info_buffer.size())
 166         rc = STATUS_INFO_LENGTH_MISMATCH;
 167     }
 168     if (!NT_SUCCESS(rc) || !type_info->Name.Buffer) {
 169       ++invalid_count;
 170       continue;
 171     }
 172
 173     --handle_count;
 174     type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';
 175
 176     // Check if we're looking for this type of handle.
 177     HandleMap::iterator result =
 178         handles_to_close_.find(type_info->Name.Buffer);
 179     if (result != handles_to_close_.end()) {
 180       HandleMap::mapped_type& names = result->second;
 181       // Empty set means close all handles of this type; otherwise check name.
 182       if (!names.empty()) {
 183         // Move on to the next handle if this name doesn't match.
 184         if (!GetHandleName(handle, &handle_name) || !names.count(handle_name))
 185           continue;
 186       }
 187
 188       if (!::SetHandleInformation(handle, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0))
 189         return false;
 190       if (!::CloseHandle(handle))
 191         return false;
 192       // Attempt to stuff this handle with a new dummy Event.
 193       AttemptToStuffHandleSlot(handle, result->first);
 194     }
 195   }
 196
 197   return true;
 198 }
 199
 200 }  // namespace sandbox