diff options
author | rvargas@chromium.org <rvargas@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-27 01:03:43 +0000 |
---|---|---|
committer | rvargas@chromium.org <rvargas@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-27 01:03:43 +0000 |
commit | 166a865e356b1841a1e3bf3b32bc5aaf13215f6e (patch) | |
tree | 6aeefbef7ebeb5eb1a232b6c88645da240d73a79 /sandbox | |
parent | 4cb7699e349fabe62f9b4af7894361c4334161f9 (diff) | |
download | chromium_src-166a865e356b1841a1e3bf3b32bc5aaf13215f6e.zip chromium_src-166a865e356b1841a1e3bf3b32bc5aaf13215f6e.tar.gz chromium_src-166a865e356b1841a1e3bf3b32bc5aaf13215f6e.tar.bz2 |
Base: Remove Receive() from ScopedHandle.
In general, the OS API contract doesn't guarantee that output variables are
not modified on failure, so a Reeceive pattern is fundamentally insecure.
BUG=318531
TEST=current tests
tbr'ing owners for the consumers.
TBR=jvoung@chromium.org, thakis@chromium.org, sergeyu@chromium.org, grt@chromium.org, gene@chromium.org, youngki@chromium.org
Review URL: https://codereview.chromium.org/71013004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237459 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/win/src/Wow64.cc | 5 | ||||
-rw-r--r-- | sandbox/win/src/job_unittest.cc | 5 | ||||
-rw-r--r-- | sandbox/win/src/policy_target_test.cc | 15 | ||||
-rw-r--r-- | sandbox/win/src/process_policy_test.cc | 24 | ||||
-rw-r--r-- | sandbox/win/src/restricted_token_utils.cc | 5 | ||||
-rw-r--r-- | sandbox/win/src/target_process.cc | 6 |
6 files changed, 37 insertions, 23 deletions
diff --git a/sandbox/win/src/Wow64.cc b/sandbox/win/src/Wow64.cc index 39108e5..a710d75 100644 --- a/sandbox/win/src/Wow64.cc +++ b/sandbox/win/src/Wow64.cc @@ -157,10 +157,11 @@ bool Wow64::RunWowHelper(void* buffer) { STARTUPINFO startup_info = {0}; startup_info.cb = sizeof(startup_info); - base::win::ScopedProcessInformation process_info; + PROCESS_INFORMATION temp_process_info = {}; if (!::CreateProcess(NULL, writable_command.get(), NULL, NULL, FALSE, 0, NULL, - NULL, &startup_info, process_info.Receive())) + NULL, &startup_info, &temp_process_info)) return false; + base::win::ScopedProcessInformation process_info(temp_process_info); DWORD reason = ::WaitForSingleObject(process_info.process_handle(), INFINITE); diff --git a/sandbox/win/src/job_unittest.cc b/sandbox/win/src/job_unittest.cc index 597c86c..3b2b331 100644 --- a/sandbox/win/src/job_unittest.cc +++ b/sandbox/win/src/job_unittest.cc @@ -164,10 +164,11 @@ TEST(JobTest, ProcessInJob) { wchar_t notepad[] = L"notepad"; STARTUPINFO si = { sizeof(si) }; - base::win::ScopedProcessInformation pi; + PROCESS_INFORMATION temp_process_info = {}; result = ::CreateProcess(NULL, notepad, NULL, NULL, FALSE, 0, NULL, NULL, &si, - pi.Receive()); + &temp_process_info); ASSERT_TRUE(result); + base::win::ScopedProcessInformation pi(temp_process_info); ASSERT_EQ(ERROR_SUCCESS, job.AssignProcessToJob(pi.process_handle())); // Get the job handle. diff --git a/sandbox/win/src/policy_target_test.cc b/sandbox/win/src/policy_target_test.cc index ee28260..1e29df2 100644 --- a/sandbox/win/src/policy_target_test.cc +++ b/sandbox/win/src/policy_target_test.cc @@ -150,10 +150,11 @@ SBOX_TESTS_COMMAND int PolicyTargetTest_process(int argc, wchar_t **argv) { // Use default values to create a new process. STARTUPINFO startup_info = {0}; startup_info.cb = sizeof(startup_info); - base::win::ScopedProcessInformation process_info; + PROCESS_INFORMATION temp_process_info = {}; if (!::CreateProcessW(L"foo.exe", L"foo.exe", NULL, NULL, FALSE, 0, - NULL, NULL, &startup_info, process_info.Receive())) + NULL, NULL, &startup_info, &temp_process_info)) return SBOX_TEST_SUCCEEDED; + base::win::ScopedProcessInformation process_info(temp_process_info); return SBOX_TEST_FAILED; } @@ -239,11 +240,14 @@ TEST(PolicyTargetTest, DesktopPolicy) { TargetPolicy* policy = broker->CreatePolicy(); policy->SetAlternateDesktop(false); policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); + PROCESS_INFORMATION temp_process_info = {}; result = broker->SpawnTarget(prog_name, arguments.c_str(), policy, - target.Receive()); + &temp_process_info); policy->Release(); EXPECT_EQ(SBOX_ALL_OK, result); + if (result == SBOX_ALL_OK) + target.Set(temp_process_info); EXPECT_EQ(1, ::ResumeThread(target.thread_handle())); @@ -299,11 +303,14 @@ TEST(PolicyTargetTest, WinstaPolicy) { TargetPolicy* policy = broker->CreatePolicy(); policy->SetAlternateDesktop(true); policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); + PROCESS_INFORMATION temp_process_info = {}; result = broker->SpawnTarget(prog_name, arguments.c_str(), policy, - target.Receive()); + &temp_process_info); policy->Release(); EXPECT_EQ(SBOX_ALL_OK, result); + if (result == SBOX_ALL_OK) + target.Set(temp_process_info); EXPECT_EQ(1, ::ResumeThread(target.thread_handle())); diff --git a/sandbox/win/src/process_policy_test.cc b/sandbox/win/src/process_policy_test.cc index babe321..a03e0be 100644 --- a/sandbox/win/src/process_policy_test.cc +++ b/sandbox/win/src/process_policy_test.cc @@ -50,8 +50,12 @@ sandbox::SboxTestResult CreateProcessHelper(const string16& exe, // Create the process with the unicode version of the API. sandbox::SboxTestResult ret1 = sandbox::SBOX_TEST_FAILED; - if (!::CreateProcessW(exe_name, const_cast<wchar_t*>(cmd_line), NULL, NULL, - FALSE, 0, NULL, NULL, &si, pi.Receive())) { + PROCESS_INFORMATION temp_process_info = {}; + if (::CreateProcessW(exe_name, const_cast<wchar_t*>(cmd_line), NULL, NULL, + FALSE, 0, NULL, NULL, &si, &temp_process_info)) { + pi.Set(temp_process_info); + ret1 = sandbox::SBOX_TEST_SUCCEEDED; + } else { DWORD last_error = GetLastError(); if ((ERROR_NOT_ENOUGH_QUOTA == last_error) || (ERROR_ACCESS_DENIED == last_error) || @@ -60,8 +64,6 @@ sandbox::SboxTestResult CreateProcessHelper(const string16& exe, } else { ret1 = sandbox::SBOX_TEST_FAILED; } - } else { - ret1 = sandbox::SBOX_TEST_SUCCEEDED; } pi.Close(); @@ -73,10 +75,13 @@ sandbox::SboxTestResult CreateProcessHelper(const string16& exe, std::string narrow_cmd_line; if (cmd_line) narrow_cmd_line = base::SysWideToMultiByte(cmd_line, CP_UTF8); - if (!::CreateProcessA( + if (::CreateProcessA( exe_name ? base::SysWideToMultiByte(exe_name, CP_UTF8).c_str() : NULL, cmd_line ? const_cast<char*>(narrow_cmd_line.c_str()) : NULL, - NULL, NULL, FALSE, 0, NULL, NULL, &sia, pi.Receive())) { + NULL, NULL, FALSE, 0, NULL, NULL, &sia, &temp_process_info)) { + pi.Set(temp_process_info); + ret2 = sandbox::SBOX_TEST_SUCCEEDED; + } else { DWORD last_error = GetLastError(); if ((ERROR_NOT_ENOUGH_QUOTA == last_error) || (ERROR_ACCESS_DENIED == last_error) || @@ -85,8 +90,6 @@ sandbox::SboxTestResult CreateProcessHelper(const string16& exe, } else { ret2 = sandbox::SBOX_TEST_FAILED; } - } else { - ret2 = sandbox::SBOX_TEST_SUCCEEDED; } if (ret1 == ret2) @@ -215,13 +218,14 @@ SBOX_TESTS_COMMAND int Process_GetChildProcessToken(int argc, wchar_t **argv) { string16 path = MakeFullPathToSystem32(argv[0]); - base::win::ScopedProcessInformation pi; STARTUPINFOW si = {sizeof(si)}; + PROCESS_INFORMATION temp_process_info = {}; if (!::CreateProcessW(path.c_str(), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, - NULL, NULL, &si, pi.Receive())) { + NULL, NULL, &si, &temp_process_info)) { return SBOX_TEST_FAILED; } + base::win::ScopedProcessInformation pi(temp_process_info); HANDLE token = NULL; BOOL result = diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc index 5f1a246..f30a8a6 100644 --- a/sandbox/win/src/restricted_token_utils.cc +++ b/sandbox/win/src/restricted_token_utils.cc @@ -183,7 +183,7 @@ DWORD StartRestrictedProcessInJob(wchar_t *command_line, // Start the process STARTUPINFO startup_info = {0}; - base::win::ScopedProcessInformation process_info; + PROCESS_INFORMATION temp_process_info = {}; DWORD flags = CREATE_SUSPENDED; if (base::win::GetVersion() < base::win::VERSION_WIN8) { @@ -202,9 +202,10 @@ DWORD StartRestrictedProcessInJob(wchar_t *command_line, NULL, // Use the environment of the caller. NULL, // Use current directory of the caller. &startup_info, - process_info.Receive())) { + &temp_process_info)) { return ::GetLastError(); } + base::win::ScopedProcessInformation process_info(temp_process_info); // Change the token of the main thread of the new process for the // impersonation token with more rights. diff --git a/sandbox/win/src/target_process.cc b/sandbox/win/src/target_process.cc index 9300cce..a2d630c 100644 --- a/sandbox/win/src/target_process.cc +++ b/sandbox/win/src/target_process.cc @@ -131,8 +131,7 @@ DWORD TargetProcess::Create(const wchar_t* exe_path, flags |= CREATE_BREAKAWAY_FROM_JOB; } - base::win::ScopedProcessInformation process_info; - + PROCESS_INFORMATION temp_process_info = {}; if (!::CreateProcessAsUserW(lockdown_token_, exe_path, cmd_line.get(), @@ -143,9 +142,10 @@ DWORD TargetProcess::Create(const wchar_t* exe_path, NULL, // Use the environment of the caller. NULL, // Use current directory of the caller. startup_info.startup_info(), - process_info.Receive())) { + &temp_process_info)) { return ::GetLastError(); } + base::win::ScopedProcessInformation process_info(temp_process_info); lockdown_token_.Close(); DWORD win_result = ERROR_SUCCESS; |