authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-19 00:48:31 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-19 00:48:31 +0000
commit8c13c44368b9d14594c54e07446aac0487829d04 (patch)
tree09897a5bf5a49066cd9914972917408169ab3313 /sandbox
parente8b51952fc12bd99d234ca8c550d9a76985abbcd (diff)
Fix small race in the sandbox
DuplicateHandle with DUPLICATE_CLOSE_SOURCE always closes the source handle. Right now on failure we close it again, which means we are closing an invalid handle or closing some other handle in the small race window. Reported by Ashutosh Mehra from Adobe. BUG=233251 TEST=none Review URL: https://chromiumcodereview.appspot.com/13912024 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@195029 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/win/src/filesystem_policy.cc1
-rw-r--r--sandbox/win/src/named_pipe_policy.cc8
-rw-r--r--sandbox/win/src/registry_policy.cc2
-rw-r--r--sandbox/win/src/sync_policy.cc2
4 files changed, 4 insertions, 9 deletions
diff --git a/sandbox/win/src/filesystem_policy.cc b/sandbox/win/src/filesystem_policy.cc
index b3eddab..02707b0 100644
--- a/sandbox/win/src/filesystem_policy.cc
+++ b/sandbox/win/src/filesystem_policy.cc
@@ -49,7 +49,6 @@ NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle,
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
target_process, target_file_handle, 0, FALSE,
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(local_handle);
return STATUS_ACCESS_DENIED;
}
return STATUS_SUCCESS;
diff --git a/sandbox/win/src/named_pipe_policy.cc b/sandbox/win/src/named_pipe_policy.cc
index 470e823..0f620b1 100644
--- a/sandbox/win/src/named_pipe_policy.cc
+++ b/sandbox/win/src/named_pipe_policy.cc
@@ -28,10 +28,10 @@ HANDLE CreateNamedPipeHelper(HANDLE target_process, LPCWSTR pipe_name,
return pipe;
HANDLE new_pipe;
- if (!::DuplicateHandle(::GetCurrentProcess(), pipe, target_process, &new_pipe,
- 0, FALSE, DUPLICATE_CLOSE_SOURCE |
- DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(pipe);
+ if (!::DuplicateHandle(::GetCurrentProcess(), pipe,
+ target_process, &new_pipe,
+ 0, FALSE,
+ DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
return INVALID_HANDLE_VALUE;
}
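Review bot: The failure branch in CreateNamedPipeHelper no longer says why `pipe` is left unclosed, so a later cleanup pass could plausibly re-add the `::CloseHandle` call and bring the double close back. A short comment above `return INVALID_HANDLE_VALUE;` would pin the rule, for example `// DUPLICATE_CLOSE_SOURCE already closed |pipe|, even on failure; closing it again could hit an unrelated handle.` The same comment fits the failure branches in NtCreateFileInTarget, NtCreateKeyInTarget, NtOpenKeyInTarget, SyncPolicy::CreateEventAction and SyncPolicy::OpenEventAction. Since the commit is marked TEST=none and all six sites repeat one pattern, a shared helper would give a single place to document and test the ownership rule. The body of CreateNamedPipeHelper starts and ends outside the hunk.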
diff --git a/sandbox/win/src/registry_policy.cc b/sandbox/win/src/registry_policy.cc
index 55f3bcd..37e6ddb 100644
--- a/sandbox/win/src/registry_policy.cc
+++ b/sandbox/win/src/registry_policy.cc
@@ -78,7 +78,6 @@ NTSTATUS NtCreateKeyInTarget(HANDLE* target_key_handle,
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
target_process, target_key_handle, 0, FALSE,
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(local_handle);
return STATUS_ACCESS_DENIED;
}
return STATUS_SUCCESS;
@@ -106,7 +105,6 @@ NTSTATUS NtOpenKeyInTarget(HANDLE* target_key_handle,
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
target_process, target_key_handle, 0, FALSE,
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(local_handle);
return STATUS_ACCESS_DENIED;
}
return STATUS_SUCCESS;
diff --git a/sandbox/win/src/sync_policy.cc b/sandbox/win/src/sync_policy.cc
index 926fc52..87ef0bd 100644
--- a/sandbox/win/src/sync_policy.cc
+++ b/sandbox/win/src/sync_policy.cc
@@ -80,7 +80,6 @@ DWORD SyncPolicy::CreateEventAction(EvalResult eval_result,
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
client_info.process, handle, 0, FALSE,
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(local_handle);
return ERROR_ACCESS_DENIED;
}
return ERROR_SUCCESS;
@@ -105,7 +104,6 @@ DWORD SyncPolicy::OpenEventAction(EvalResult eval_result,
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
client_info.process, handle, 0, inherit_handle,
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- ::CloseHandle(local_handle);
return ERROR_ACCESS_DENIED;
}
return ERROR_SUCCESS;