authorjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-02 20:13:26 +0000
committerjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-02 20:13:26 +0000
commit89b2312b5aca51da726b93e966842ffd5f642402 (patch)
tree1d971d0c9005452ac115e37f831e8aa5c67ac0a6 /sandbox
parent9208de7ee3590c34a135ca0298c2618779064f69 (diff)
Hook GetUserDefaultLCID() to prevent crashes when attempting to connect to CSRSS after lockdown.
BUG=91216 TEST=None. Review URL: http://codereview.chromium.org/7541034 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95144 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/src/handle_closer.cc12
-rw-r--r--sandbox/src/handle_closer_agent.cc7
-rw-r--r--sandbox/src/interceptors.h3
-rw-r--r--sandbox/src/interceptors_64.cc6
-rw-r--r--sandbox/src/interceptors_64.h3
-rw-r--r--sandbox/src/process_thread_interception.cc9
-rw-r--r--sandbox/src/process_thread_interception.h6
7 files changed, 36 insertions, 10 deletions
diff --git a/sandbox/src/handle_closer.cc b/sandbox/src/handle_closer.cc
index 3ac802e..a9778eb 100644
--- a/sandbox/src/handle_closer.cc
+++ b/sandbox/src/handle_closer.cc
@@ -159,8 +159,16 @@ bool HandleCloser::SetupHandleInterceptions(InterceptionManager* manager) {
if (base::win::GetVersion() >= base::win::VERSION_VISTA &&
names != handles_to_close_.end() &&
(names->second.empty() || names->second.size() == 0)) {
- return INTERCEPT_EAT(manager, kKerneldllName, CreateThread,
- CREATE_THREAD_ID, 28);
+ if (!INTERCEPT_EAT(manager, kKerneldllName, CreateThread,
+ CREATE_THREAD_ID, 28)) {
+ return false;
+ }
+ if (!INTERCEPT_EAT(manager, kKerneldllName, GetUserDefaultLCID,
+ GET_USER_DEFAULT_LCID_ID, 4)) {
+ return false;
+ }
+
+ return true;
}
return true;
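Review bot: The `return true;` added inside the Vista/ALPC block is redundant, because control falls through to the `return true;` that already ends the function on the next line; the block can be reduced to the two guards, `if (!INTERCEPT_EAT(..., CreateThread, CREATE_THREAD_ID, 28)) return false;` and `if (!INTERCEPT_EAT(..., GetUserDefaultLCID, GET_USER_DEFAULT_LCID_ID, 4)) return false;`, with the blank line and inner return dropped. Keeping a single exit for the success path also makes it harder for a future third interception to be added after an early return by mistake. The body of HandleCloser::SetupHandleInterceptions starts before this hunk, so the `names` lookup it relies on is not visible here.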
diff --git a/sandbox/src/handle_closer_agent.cc b/sandbox/src/handle_closer_agent.cc
index 4e946f2..b640c08 100644
--- a/sandbox/src/handle_closer_agent.cc
+++ b/sandbox/src/handle_closer_agent.cc
@@ -56,13 +56,6 @@ bool HandleCloserAgent::CloseHandles() {
const int kInvalidHandleThreshold = 100;
const size_t kHandleOffset = sizeof(HANDLE);
- // Need to warm up GetUserDefaultLangID first if we're closing ALPC clients.
- HandleMap::iterator names = handles_to_close_.find(L"ALPC Port");
- if (names != handles_to_close_.end() &&
- (names->second.empty() || names->second.size() == 0)) {
- ::GetUserDefaultLangID();
- }
-
if (!::GetProcessHandleCount(::GetCurrentProcess(), &handle_count))
return false;
diff --git a/sandbox/src/interceptors.h b/sandbox/src/interceptors.h
index 3f690ae..67b0900 100644
--- a/sandbox/src/interceptors.h
+++ b/sandbox/src/interceptors.h
@@ -41,8 +41,9 @@ enum InterceptorId {
// Sync dispatcher:
CREATE_EVENT_ID,
OPEN_EVENT_ID,
- // CSRSS bypass for HandleCloser:
+ // CSRSS bypasses for HandleCloser:
CREATE_THREAD_ID,
+ GET_USER_DEFAULT_LCID_ID,
INTERCEPTOR_MAX_ID
};
diff --git a/sandbox/src/interceptors_64.cc b/sandbox/src/interceptors_64.cc
index 8e43507..835818b 100644
--- a/sandbox/src/interceptors_64.cc
+++ b/sandbox/src/interceptors_64.cc
@@ -79,6 +79,12 @@ HANDLE WINAPI TargetCreateThread64(
thread_id);
}
+LCID WINAPI TargetGetUserDefaultLCID64(void) {
+ GetUserDefaultLCIDFunction orig_fn = reinterpret_cast<
+ GetUserDefaultLCIDFunction>(g_originals[GET_USER_DEFAULT_LCID_ID]);
+ return TargetGetUserDefaultLCID(orig_fn);
+}
+
// -----------------------------------------------------------------------
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
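Review bot: The definition of TargetGetUserDefaultLCID64 is written as `LCID WINAPI TargetGetUserDefaultLCID64(void)` while its declaration in interceptors_64.h in this same commit is `SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID64()`, and the neighbouring TargetNtCreateFile64 definition below carries SANDBOX_INTERCEPT; for consistency the definition should read `SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID64() {`. If SANDBOX_INTERCEPT supplies the linkage the interception machinery looks the symbol up by, relying on the header declaration to provide it is fragile should the include ever be dropped, though I cannot confirm the macro's expansion from this hunk. The `reinterpret_cast<` line break splitting the template argument from the keyword is also harder to read than `reinterpret_cast<GetUserDefaultLCIDFunction>(` on one line with the operand wrapped, matching how the other 64-bit thunks in this file appear to be formatted.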
diff --git a/sandbox/src/interceptors_64.h b/sandbox/src/interceptors_64.h
index 5fc0a4b..b5134ed 100644
--- a/sandbox/src/interceptors_64.h
+++ b/sandbox/src/interceptors_64.h
@@ -50,6 +50,9 @@ SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateThread64(
LPTHREAD_START_ROUTINE start_address, PVOID parameter,
DWORD creation_flags, LPDWORD thread_id);
+// Interception of GetUserDefaultLCID on the child process.
+SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID64();
+
// -----------------------------------------------------------------------
// Interceptors handled by the file system dispatcher.
diff --git a/sandbox/src/process_thread_interception.cc b/sandbox/src/process_thread_interception.cc
index 5a3119f..e98b588 100644
--- a/sandbox/src/process_thread_interception.cc
+++ b/sandbox/src/process_thread_interception.cc
@@ -424,4 +424,13 @@ HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread,
return thread;
}
+// Cache the default LCID to avoid pinging CSRSS after lockdown.
+// TODO(jschuh): This approach will miss a default locale changes after
+// lockdown. In the future we may want to have the broker check instead.
+LCID WINAPI TargetGetUserDefaultLCID(
+ GetUserDefaultLCIDFunction orig_GetUserDefaultLCID) {
+ static LCID default_lcid = orig_GetUserDefaultLCID();
+ return default_lcid;
+}
+
} // namespace sandbox
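Review bot: The cache in TargetGetUserDefaultLCID is filled lazily by the function-local static, so the original GetUserDefaultLCID is only invoked on the first call through the interception; if that first call happens after the CSRSS ALPC port has been closed, the very CSRSS round trip this commit is meant to avoid still occurs. The handle_closer_agent.cc hunk in this commit removes the explicit warm-up call that previously forced that first call before the handles were closed, so unless the warm-up now lives elsewhere (not visible in this diff, which is limited to sandbox/), it would be worth stating in the comment what guarantees the first call precedes lockdown, or re-adding a warm-up in the agent. Function-local statics were not guaranteed thread-safe on the compilers of this era, so two threads racing on the first call may both invoke the original; that appears benign here, but a short comment noting it is acceptable would help. The comment also has a grammar slip, `will miss a default locale changes`, which should read `will miss default locale changes after lockdown`.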
diff --git a/sandbox/src/process_thread_interception.h b/sandbox/src/process_thread_interception.h
index e73689d..37c2c14 100644
--- a/sandbox/src/process_thread_interception.h
+++ b/sandbox/src/process_thread_interception.h
@@ -44,6 +44,8 @@ typedef HANDLE (WINAPI *CreateThreadFunction)(
DWORD dwCreationFlags,
LPDWORD lpThreadId);
+typedef LCID (WINAPI *GetUserDefaultLCIDFunction)();
+
// Interception of NtOpenThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread(
NtOpenThreadFunction orig_OpenThread, PHANDLE thread,
@@ -88,6 +90,10 @@ SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateThread(
LPTHREAD_START_ROUTINE start_address, PVOID parameter,
DWORD creation_flags, LPDWORD thread_id);
+// Interception of GetUserDefaultLCID in kernel32.dll.
+SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID(
+ GetUserDefaultLCIDFunction orig_GetUserDefaultLCID);
+
} // extern "C"
} // namespace sandbox