authorjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-10-17 00:37:50 +0000
committerjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-10-17 00:37:50 +0000
commitc26f5bde504223e1867408ce3f215e6c20a4c34f (patch)
tree289b3ec335cf58e6924f5a6fccd8e17ea1c6585a /sandbox/win
parente562525d89d1b1ab6f168bd9ba36867b95e0ab44 (diff)
Enable DEP earlier on Vista and below
We can't enable DEP at launch prior to Win7, but we can queue an APC to enable it immediately after the loader finishes. BUG=147752 Review URL: https://chromiumcodereview.appspot.com/10944015 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@162293 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/win')
-rw-r--r--sandbox/win/src/process_mitigations.cc48
-rw-r--r--sandbox/win/src/process_mitigations.h6
-rw-r--r--sandbox/win/src/sandbox_policy_base.cc4
3 files changed, 29 insertions, 29 deletions
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc
index f569479..c77ba38 100644
--- a/sandbox/win/src/process_mitigations.cc
+++ b/sandbox/win/src/process_mitigations.cc
@@ -6,7 +6,9 @@
#include "base/win/windows_version.h"
#include "sandbox/win/src/nt_internals.h"
+#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/sandbox_utils.h"
+#include "sandbox/win/src/target_process.h"
#include "sandbox/win/src/win_utils.h"
namespace {
@@ -22,6 +24,11 @@ typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)(
typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)(
DWORD DirectoryFlags);
+void CALLBACK ApplyMitigationsCallback(ULONG_PTR flags) {
+ if (!sandbox::ApplyProcessMitigationsToCurrentProcess(flags))
+ ::TerminateProcess(::GetCurrentProcess(), sandbox::SBOX_FATAL_MITIGATION);
+}
+
} // namespace
namespace sandbox {
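Review bot: `ApplyMitigationsCallback` is an APC routine whose address is handed across a process boundary (queued by the broker, executed on the target's main thread), yet nothing at its definition says where it runs or why a failed mitigation is fatal rather than logged. That context matters for anyone who later touches `TerminateProcess` here or adds a non-DEP flag to the queue site. I would put above it: `// APC routine queued on the suspended target's main thread by ApplyProcessMitigationsToSuspendedTarget; runs inside the target once the loader has finished. 'flags' carries only the DEP bits chosen at the queue site. Running without a requested mitigation is not acceptable, so failure kills the target with SBOX_FATAL_MITIGATION.` The "after the loader" timing is the commit's own claim and is worth keeping in the comment so the window it leaves is visible to readers.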
@@ -245,42 +252,24 @@ void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
}
MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) {
- // Anything prior to XP SP2.
- if (!IsXPSP2OrLater())
- return 0;
-
base::win::Version version = base::win::GetVersion();
- // Windows XP SP2+.
if (version < base::win::VERSION_VISTA) {
- return flags & (MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK);
-
- // Windows Vista
- if (version < base::win::VERSION_WIN7) {
- return flags & (MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER |
- MITIGATION_HEAP_TERMINATE);
- }
+ return 0;
- // Windows 7 and Vista.
} else if (version < base::win::VERSION_WIN8) {
- return flags & (MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER |
+ return flags & (MITIGATION_DLL_SEARCH_ORDER |
MITIGATION_HEAP_TERMINATE);
}
// Windows 8 and above.
- return flags & (MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER);
+ return flags & (MITIGATION_DLL_SEARCH_ORDER);
}
-bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
- MitigationFlags flags) {
-// This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
+bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
+ MitigationFlags flags) {
#if !defined(_WIN64)
+ // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
if (flags & MITIGATION_BOTTOM_UP_ASLR) {
unsigned int limit;
rand_s(&limit);
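Review bot: The new `return 0;` for versions below Vista has no comment, and since the old code returned the DEP bits for XP SP2 here a reader will wonder whether post-startup DEP was dropped by accident; the reason is that DEP on those versions is now queued as an APC on the suspended target. I would write `// Nothing is applied post-startup before Vista: DEP is queued as an APC on the suspended target instead (see ApplyProcessMitigationsToSuspendedTarget).` above that `return 0;`. The `else if` after a branch that unconditionally returns is redundant and can be a plain `if`, matching the final unconditional return below it. `ApplyProcessMitigationsToSuspendedTarget` starts in this hunk but its body continues past it.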
@@ -288,6 +277,7 @@ bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
const size_t kMask64k = 0xFFFF;
// Random range (512k-16.5mb) in 64k steps.
const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
+ HANDLE process = target->Process();
while (ptr < end) {
MEMORY_BASIC_INFORMATION memory_info;
if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
@@ -299,6 +289,16 @@ bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
ptr += size;
}
}
+
+ // Since the process is suspended, we can schedule an APC to set the DEP
+ // policy immediately after then loader finishes.
+ ULONG_PTR dep_flags = flags & (MITIGATION_DEP | MITIGATION_DEP_NO_ATL_THUNK);
+ if (dep_flags && base::win::GetVersion() < base::win::VERSION_WIN7) {
+ if (!::QueueUserAPC(ApplyMitigationsCallback, target->MainThread(),
+ static_cast<ULONG_PTR>(dep_flags))) {
+ return false;
+ }
+ }
#endif
return true;
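Review bot: The routine passed to `QueueUserAPC` is `ApplyMitigationsCallback`'s address in the broker, but it executes in the target's main thread, so it is only correct if the module containing it is mapped at the same base in the target; nothing in the hunk states that assumption, and a wrong base would send the target's main thread to an arbitrary address before any mitigation is in force. I would add above the call: `// The APC routine address is ours, not the target's: this relies on the target running the same image mapped at the same base, which the sandbox presumably already assumes elsewhere.` The `static_cast<ULONG_PTR>(dep_flags)` on the next line is a no-op because `dep_flags` is already declared `ULONG_PTR`; any narrowing happens on the `ULONG_PTR dep_flags = flags & (...)` line, which is safe only while both DEP bits fit in 32 bits (I cannot see the width of `MitigationFlags` from here), so a `COMPILE_ASSERT` on those two constants would pin that. The comment should also say that the target's loader, including DllMain of its static imports, still runs before DEP is on, since that is the window the commit knowingly accepts. The enclosing function begins outside this hunk.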
diff --git a/sandbox/win/src/process_mitigations.h b/sandbox/win/src/process_mitigations.h
index 9039ad6..4089b6d 100644
--- a/sandbox/win/src/process_mitigations.h
+++ b/sandbox/win/src/process_mitigations.h
@@ -12,6 +12,8 @@
namespace sandbox {
+class TargetProcess;
+
// Sets the mitigation policy for the current process, ignoring any settings
// that are invalid for the current version of Windows.
bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags);
@@ -29,8 +31,8 @@ void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
// Adds mitigations that need to be performed on the suspended target process
// before execution begins.
-bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
- MitigationFlags flags);
+bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
+ MitigationFlags flags);
// Returns true if all the supplied flags can be set after a process starts.
bool CanSetProcessMitigationsPostStartup(MitigationFlags flags);
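Review bot: The header comment above `ApplyProcessMitigationsToSuspendedTarget` still only says it adds mitigations "before execution begins", but the function now also queues an APC that applies DEP after the target's loader runs and whose failure terminates the target, and it now needs a `TargetProcess*` precisely for the main-thread handle. I would extend the comment to: `// Adds mitigations that need to be performed on the suspended target process before execution begins. On Windows versions before 7 the DEP flags are instead queued as an APC on the target's main thread and applied in the target after its loader finishes; if applying them fails there, the target is terminated with SBOX_FATAL_MITIGATION. Returns false if the APC could not be queued.` That keeps the header honest about the one mitigation that is no longer fully in place at first instruction.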
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index 10ac642..d56effb 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -482,10 +482,8 @@ bool PolicyBase::AddTarget(TargetProcess* target) {
if (NULL != policy_)
policy_maker_->Done();
- if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
- mitigations_)) {
+ if (!ApplyProcessMitigationsToSuspendedTarget(target, mitigations_))
return false;
- }
if (!SetupAllInterceptions(target))
return false;