| // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "sandbox/src/win_utils.h" |
| |
| #include <map> |
| |
| #include "base/logging.h" |
| #include "base/memory/scoped_ptr.h" |
| #include "sandbox/src/internal_types.h" |
| #include "sandbox/src/nt_internals.h" |
| |
| namespace { |
| |
| // Holds the information about a known registry key. |
| struct KnownReservedKey { |
| const wchar_t* name; |
| HKEY key; |
| }; |
| |
| // Contains all the known registry key by name and by handle. |
| const KnownReservedKey kKnownKey[] = { |
| { L"HKEY_CLASSES_ROOT", HKEY_CLASSES_ROOT }, |
| { L"HKEY_CURRENT_USER", HKEY_CURRENT_USER }, |
| { L"HKEY_LOCAL_MACHINE", HKEY_LOCAL_MACHINE}, |
| { L"HKEY_USERS", HKEY_USERS}, |
| { L"HKEY_PERFORMANCE_DATA", HKEY_PERFORMANCE_DATA}, |
| { L"HKEY_PERFORMANCE_TEXT", HKEY_PERFORMANCE_TEXT}, |
| { L"HKEY_PERFORMANCE_NLSTEXT", HKEY_PERFORMANCE_NLSTEXT}, |
| { L"HKEY_CURRENT_CONFIG", HKEY_CURRENT_CONFIG}, |
| { L"HKEY_DYN_DATA", HKEY_DYN_DATA} |
| }; |
| |
| // Returns true if the provided path points to a pipe. |
| bool IsPipe(const std::wstring& path) { |
| size_t start = 0; |
| if (0 == path.compare(0, sandbox::kNTPrefixLen, sandbox::kNTPrefix)) |
| start = sandbox::kNTPrefixLen; |
| |
| const wchar_t kPipe[] = L"pipe\\"; |
| return (0 == path.compare(start, arraysize(kPipe) - 1, kPipe)); |
| } |
| |
| } // namespace |
| |
| namespace sandbox { |
| |
| HKEY GetReservedKeyFromName(const std::wstring& name) { |
| for (size_t i = 0; i < arraysize(kKnownKey); ++i) { |
| if (name == kKnownKey[i].name) |
| return kKnownKey[i].key; |
| } |
| |
| return NULL; |
| } |
| |
| bool ResolveRegistryName(std::wstring name, std::wstring* resolved_name) { |
| for (size_t i = 0; i < arraysize(kKnownKey); ++i) { |
| if (name.find(kKnownKey[i].name) == 0) { |
| HKEY key; |
| DWORD disposition; |
| if (ERROR_SUCCESS != ::RegCreateKeyEx(kKnownKey[i].key, L"", 0, NULL, 0, |
| MAXIMUM_ALLOWED, NULL, &key, |
| &disposition)) |
| return false; |
| |
| bool result = GetPathFromHandle(key, resolved_name); |
| ::RegCloseKey(key); |
| |
| if (!result) |
| return false; |
| |
| *resolved_name += name.substr(wcslen(kKnownKey[i].name)); |
| return true; |
| } |
| } |
| |
| return false; |
| } |
| |
| DWORD IsReparsePoint(const std::wstring& full_path, bool* result) { |
| std::wstring path = full_path; |
| |
| // Remove the nt prefix. |
| if (0 == path.compare(0, kNTPrefixLen, kNTPrefix)) |
| path = path.substr(kNTPrefixLen); |
| |
| // Check if it's a pipe. We can't query the attributes of a pipe. |
| if (IsPipe(path)) { |
| *result = FALSE; |
| return ERROR_SUCCESS; |
| } |
| |
| std::wstring::size_type last_pos = std::wstring::npos; |
| |
| do { |
| path = path.substr(0, last_pos); |
| |
| DWORD attributes = ::GetFileAttributes(path.c_str()); |
| if (INVALID_FILE_ATTRIBUTES == attributes) { |
| DWORD error = ::GetLastError(); |
| if (error != ERROR_FILE_NOT_FOUND && |
| error != ERROR_PATH_NOT_FOUND && |
| error != ERROR_INVALID_NAME) { |
| // Unexpected error. |
| NOTREACHED(); |
| return error; |
| } |
| } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) { |
| // This is a reparse point. |
| *result = true; |
| return ERROR_SUCCESS; |
| } |
| |
| last_pos = path.rfind(L'\\'); |
| } while (last_pos != std::wstring::npos); |
| |
| *result = false; |
| return ERROR_SUCCESS; |
| } |
| |
| // We get a |full_path| of the form \??\c:\some\foo\bar, and the name that |
| // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar. |
| bool SameObject(HANDLE handle, const wchar_t* full_path) { |
| std::wstring path(full_path); |
| DCHECK(!path.empty()); |
| |
| // Check if it's a pipe. |
| if (IsPipe(path)) |
| return true; |
| |
| std::wstring actual_path; |
| if (!GetPathFromHandle(handle, &actual_path)) |
| return false; |
| |
| // This may end with a backslash. |
| const wchar_t kBackslash = '\\'; |
| if (path[path.length() - 1] == kBackslash) |
| path = path.substr(0, path.length() - 1); |
| |
| // Perfect match (case-insesitive check). |
| if (0 == _wcsicmp(actual_path.c_str(), path.c_str())) |
| return true; |
| |
| // Look for the drive letter. |
| size_t colon_pos = path.find(L':'); |
| if (colon_pos == 0 || colon_pos == std::wstring::npos) |
| return false; |
| |
| // Only one character for the drive. |
| if (colon_pos > 1 && path[colon_pos - 2] != kBackslash) |
| return false; |
| |
| // We only need 3 chars, but let's alloc a buffer for four. |
| wchar_t drive[4] = {0}; |
| wchar_t vol_name[MAX_PATH]; |
| memcpy(drive, &path[colon_pos - 1], 2 * sizeof(*drive)); |
| |
| // We'll get a double null terminated string. |
| DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH); |
| if (vol_length < 2 || vol_length == MAX_PATH) |
| return false; |
| |
| // Ignore the nulls at the end. |
| vol_length = static_cast<DWORD>(wcslen(vol_name)); |
| |
| // The two paths should be the same length. |
| if (vol_length + path.size() - (colon_pos + 1) != actual_path.size()) |
| return false; |
| |
| // Check up to the drive letter. |
| if (0 != _wcsnicmp(actual_path.c_str(), vol_name, vol_length)) |
| return false; |
| |
| // Check the path after the drive letter. |
| if (0 != _wcsicmp(&actual_path[vol_length], &path[colon_pos + 1])) |
| return false; |
| |
| return true; |
| } |
| |
| bool ConvertToLongPath(const std::wstring& short_path, |
| std::wstring* long_path) { |
| // Check if the path is a NT path. |
| bool is_nt_path = false; |
| std::wstring path = short_path; |
| if (0 == path.compare(0, kNTPrefixLen, kNTPrefix)) { |
| path = path.substr(kNTPrefixLen); |
| is_nt_path = true; |
| } |
| |
| DWORD size = MAX_PATH; |
| scoped_array<wchar_t> long_path_buf(new wchar_t[size]); |
| |
| DWORD return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(), |
| size); |
| while (return_value >= size) { |
| size *= 2; |
| long_path_buf.reset(new wchar_t[size]); |
| return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(), size); |
| } |
| |
| DWORD last_error = ::GetLastError(); |
| if (0 == return_value && (ERROR_FILE_NOT_FOUND == last_error || |
| ERROR_PATH_NOT_FOUND == last_error || |
| ERROR_INVALID_NAME == last_error)) { |
| // The file does not exist, but maybe a sub path needs to be expanded. |
| std::wstring::size_type last_slash = path.rfind(L'\\'); |
| if (std::wstring::npos == last_slash) |
| return false; |
| |
| std::wstring begin = path.substr(0, last_slash); |
| std::wstring end = path.substr(last_slash); |
| if (!ConvertToLongPath(begin, &begin)) |
| return false; |
| |
| // Ok, it worked. Let's reset the return value. |
| path = begin + end; |
| return_value = 1; |
| } else if (0 != return_value) { |
| path = long_path_buf.get(); |
| } |
| |
| if (return_value != 0) { |
| if (is_nt_path) { |
| *long_path = kNTPrefix; |
| *long_path += path; |
| } else { |
| *long_path = path; |
| } |
| |
| return true; |
| } |
| |
| return false; |
| } |
| |
| bool GetPathFromHandle(HANDLE handle, std::wstring* path) { |
| NtQueryObjectFunction NtQueryObject = NULL; |
| ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject); |
| |
| OBJECT_NAME_INFORMATION initial_buffer; |
| OBJECT_NAME_INFORMATION* name = &initial_buffer; |
| ULONG size = sizeof(initial_buffer); |
| // Query the name information a first time to get the size of the name. |
| NTSTATUS status = NtQueryObject(handle, ObjectNameInformation, name, size, |
| &size); |
| |
| scoped_ptr<OBJECT_NAME_INFORMATION> name_ptr; |
| if (size) { |
| name = reinterpret_cast<OBJECT_NAME_INFORMATION*>(new BYTE[size]); |
| name_ptr.reset(name); |
| |
| // Query the name information a second time to get the name of the |
| // object referenced by the handle. |
| status = NtQueryObject(handle, ObjectNameInformation, name, size, &size); |
| } |
| |
| if (STATUS_SUCCESS != status) |
| return false; |
| |
| path->assign(name->ObjectName.Buffer, name->ObjectName.Length / |
| sizeof(name->ObjectName.Buffer[0])); |
| return true; |
| } |
| |
| bool GetNtPathFromWin32Path(const std::wstring& path, std::wstring* nt_path) { |
| HANDLE file = ::CreateFileW(path.c_str(), 0, |
| FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, |
| OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL); |
| if (file == INVALID_HANDLE_VALUE) |
| return false; |
| bool rv = GetPathFromHandle(file, nt_path); |
| ::CloseHandle(file); |
| return rv; |
| } |
| |
| bool WriteProtectedChildMemory(HANDLE child_process, void* address, |
| const void* buffer, size_t length) { |
| // First, remove the protections. |
| DWORD old_protection; |
| if (!::VirtualProtectEx(child_process, address, length, |
| PAGE_WRITECOPY, &old_protection)) |
| return false; |
| |
| SIZE_T written; |
| bool ok = ::WriteProcessMemory(child_process, address, buffer, length, |
| &written) && (length == written); |
| |
| // Always attempt to restore the original protection. |
| if (!::VirtualProtectEx(child_process, address, length, |
| old_protection, &old_protection)) |
| return false; |
| |
| return ok; |
| } |
| |
| }; // namespace sandbox |
| |
| // TODO(jschuh): http://crbug.com/11789 |
| // I'm guessing we have a race where some "security" software is messing |
| // with ntdll/imports underneath us. So, we retry a few times, and in the |
| // worst case we sleep briefly before a few more attempts. (Normally sleeping |
| // would be very bad, but it's better than crashing in this case.) |
| void ResolveNTFunctionPtr(const char* name, void* ptr) { |
| const int max_tries = 5; |
| const int sleep_threshold = 2; |
| |
| static HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName); |
| |
| FARPROC* function_ptr = reinterpret_cast<FARPROC*>(ptr); |
| *function_ptr = ::GetProcAddress(ntdll, name); |
| |
| for (int tries = 1; !(*function_ptr) && tries < max_tries; ++tries) { |
| if (tries >= sleep_threshold) |
| ::Sleep(1); |
| ntdll = ::GetModuleHandle(sandbox::kNtdllName); |
| *function_ptr = ::GetProcAddress(ntdll, name); |
| } |
| |
| CHECK(*function_ptr); |
| } |