author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-10-17 02:01:27 +0000 |
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-10-17 02:01:27 +0000 |
commit | c3c9918cadd7afd0151c2f7e4d5b5f2aaa04961e (patch) | |
tree | 98c972006dfa2e28ea2956e95418c6975743ab2d /sandbox/win | |
parent | 46591cbcccfdd870888a6d0357845b9b389a036a (diff) | |
download | chromium_src-c3c9918cadd7afd0151c2f7e4d5b5f2aaa04961e.zip chromium_src-c3c9918cadd7afd0151c2f7e4d5b5f2aaa04961e.tar.gz chromium_src-c3c9918cadd7afd0151c2f7e4d5b5f2aaa04961e.tar.bz2 |
Revert 162293 - Enable DEP earlier on Vista and below
We can't enable DEP at launch prior to Win7, but we can queue an APC to enable immediately after the loader finishes.
BUG=147752
Review URL: https://chromiumcodereview.appspot.com/10944015
TBR=jschuh@chromium.org
Review URL: https://codereview.chromium.org/11194027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@162300 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/win')
-rw-r--r-- | sandbox/win/src/process_mitigations.cc | 48 | ||||
-rw-r--r-- | sandbox/win/src/process_mitigations.h | 6 | ||||
-rw-r--r-- | sandbox/win/src/sandbox_policy_base.cc | 4 |
3 files changed, 29 insertions, 29 deletions
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc
index c77ba38..f569479 100644
--- a/sandbox/win/src/process_mitigations.cc
+++ b/sandbox/win/src/process_mitigations.cc
@@ -6,9 +6,7 @@
 
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
 #include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/target_process.h"
 #include "sandbox/win/src/win_utils.h"
 
 namespace {
@@ -24,11 +22,6 @@ typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)(
 typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)(
     DWORD DirectoryFlags);
 
-void CALLBACK ApplyMitigationsCallback(ULONG_PTR flags) {
-  if (!sandbox::ApplyProcessMitigationsToCurrentProcess(flags))
-    ::TerminateProcess(::GetCurrentProcess(), sandbox::SBOX_FATAL_MITIGATION);
-}
-
 } // namespace
 
 namespace sandbox {
@@ -252,24 +245,42 @@ void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
 }
 
 MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) {
+  // Anything prior to XP SP2.
+  if (!IsXPSP2OrLater())
+    return 0;
+
   base::win::Version version = base::win::GetVersion();
 
+  // Windows XP SP2+.
   if (version < base::win::VERSION_VISTA) {
-    return 0;
+    return flags & (MITIGATION_DEP |
+                    MITIGATION_DEP_NO_ATL_THUNK);
+
+  // Windows Vista
+  if (version < base::win::VERSION_WIN7) {
+    return flags & (MITIGATION_DEP |
+                    MITIGATION_DEP_NO_ATL_THUNK |
+                    MITIGATION_BOTTOM_UP_ASLR |
+                    MITIGATION_DLL_SEARCH_ORDER |
+                    MITIGATION_HEAP_TERMINATE);
+  }
+
   // Windows 7 and Vista.
   } else if (version < base::win::VERSION_WIN8) {
-    return flags & (MITIGATION_DLL_SEARCH_ORDER |
+    return flags & (MITIGATION_BOTTOM_UP_ASLR |
+                    MITIGATION_DLL_SEARCH_ORDER |
                     MITIGATION_HEAP_TERMINATE);
   }
 
   // Windows 8 and above.
-  return flags & (MITIGATION_DLL_SEARCH_ORDER);
+  return flags & (MITIGATION_BOTTOM_UP_ASLR |
+                  MITIGATION_DLL_SEARCH_ORDER);
 }
 
-bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
-                                              MitigationFlags flags) {
+bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
+                                               MitigationFlags flags) {
+// This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
 #if !defined(_WIN64)
-  // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
   if (flags & MITIGATION_BOTTOM_UP_ASLR) {
     unsigned int limit;
     rand_s(&limit);
@@ -277,7 +288,6 @@ bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
     const size_t kMask64k = 0xFFFF;
     // Random range (512k-16.5mb) in 64k steps.
     const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
-    HANDLE process = target->Process();
     while (ptr < end) {
       MEMORY_BASIC_INFORMATION memory_info;
       if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
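Review bot: The `// Windows Vista` block restored in FilterPostStartupProcessMitigations is unreachable: it sits inside the `if (version < base::win::VERSION_VISTA) {` body after that body's unconditional `return`, and the XP block is only closed by the later `} else if (version < base::win::VERSION_WIN8) {`, so a Vista process takes the Windows 7 branch and its MITIGATION_DEP / MITIGATION_DEP_NO_ATL_THUNK flags are silently filtered out, contrary to the comments. This is a straight revert so the structure predates it, but it is now the code the tree ships with. Closing the XP block with `  }` right after its `return`, and replacing `} else if (version < base::win::VERSION_WIN8) {` with `if (version < base::win::VERSION_WIN8) {`, makes every branch reachable; the `// Windows 7 and Vista.` comment should then read `// Windows 7.`. The column-0 `// This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.` placed above `#if !defined(_WIN64)` would also read better indented inside the `#if`, next to the `if (flags & MITIGATION_BOTTOM_UP_ASLR)` it describes. The body of ApplyProcessMitigationsToSuspendedProcess continues past this hunk.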
@@ -289,16 +299,6 @@ bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
       ptr += size;
     }
   }
-
-  // Since the process is suspended, we can schedule an APC to set the DEP
-  // policy immediately after then loader finishes.
-  ULONG_PTR dep_flags = flags & (MITIGATION_DEP | MITIGATION_DEP_NO_ATL_THUNK);
-  if (dep_flags && base::win::GetVersion() < base::win::VERSION_WIN7) {
-    if (!::QueueUserAPC(ApplyMitigationsCallback, target->MainThread(),
-                        static_cast<ULONG_PTR>(dep_flags))) {
-      return false;
-    }
-  }
 #endif
 
   return true;
diff --git a/sandbox/win/src/process_mitigations.h b/sandbox/win/src/process_mitigations.h
index 4089b6d..9039ad6 100644
--- a/sandbox/win/src/process_mitigations.h
+++ b/sandbox/win/src/process_mitigations.h
@@ -12,8 +12,6 @@
 
 namespace sandbox {
 
-class TargetProcess;
-
 // Sets the mitigation policy for the current process, ignoring any settings
 // that are invalid for the current version of Windows.
 bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags);
@@ -31,8 +29,8 @@ void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
 
 // Adds mitigations that need to be performed on the suspended target process
 // before execution begins.
-bool ApplyProcessMitigationsToSuspendedTarget(TargetProcess* target,
-                                              MitigationFlags flags);
+bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
+                                               MitigationFlags flags);
 
 // Returns true if all the supplied flags can be set after a process starts.
 bool CanSetProcessMitigationsPostStartup(MitigationFlags flags);
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index d56effb..10ac642 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
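Review bot: The comment above the restored `ApplyProcessMitigationsToSuspendedProcess` declaration in process_mitigations.h still describes the function only in terms of "the suspended target process" and says nothing about what the `HANDLE process` parameter must be, which matters now that callers pass a raw handle rather than a TargetProcess. The .cc hunk shows the handle being used with `::VirtualQueryEx`, so the precondition is at least that access right on a process that is still suspended; suggest adding `// |process| must be a handle to the still-suspended target with the access rights the 32-bit ASLR hack needs (at least those required by ::VirtualQueryEx).` The remainder of that function's use of the handle is outside the visible hunks, so the exact right set should be confirmed against the full body.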
@@ -482,8 +482,10 @@ bool PolicyBase::AddTarget(TargetProcess* target) {
   if (NULL != policy_)
     policy_maker_->Done();
 
-  if (!ApplyProcessMitigationsToSuspendedTarget(target, mitigations_))
+  if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
+                                                 mitigations_)) {
     return false;
+  }
 
   if (!SetupAllInterceptions(target))
     return false;