1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/win_utils.h"
6
7 #include <map>
8
9 #include "base/memory/scoped_ptr.h"
10 #include "sandbox/win/src/internal_types.h"
11 #include "sandbox/win/src/nt_internals.h"
12 #include "sandbox/win/src/sandbox_nt_util.h"
13
14 namespace {
15
16 // Holds the information about a known registry key.
17 struct KnownReservedKey {
18 const wchar_t* name;
19 HKEY key;
20 };
21
22 // Contains all the known registry key by name and by handle.
23 const KnownReservedKey kKnownKey[] = {
24 { L"HKEY_CLASSES_ROOT", HKEY_CLASSES_ROOT },
25 { L"HKEY_CURRENT_USER", HKEY_CURRENT_USER },
26 { L"HKEY_LOCAL_MACHINE", HKEY_LOCAL_MACHINE},
27 { L"HKEY_USERS", HKEY_USERS},
28 { L"HKEY_PERFORMANCE_DATA", HKEY_PERFORMANCE_DATA},
29 { L"HKEY_PERFORMANCE_TEXT", HKEY_PERFORMANCE_TEXT},
30 { L"HKEY_PERFORMANCE_NLSTEXT", HKEY_PERFORMANCE_NLSTEXT},
31 { L"HKEY_CURRENT_CONFIG", HKEY_CURRENT_CONFIG},
32 { L"HKEY_DYN_DATA", HKEY_DYN_DATA}
33 };
34
35 // Returns true if the provided path points to a pipe.
IsPipe(const base::string16 & path)36 bool IsPipe(const base::string16& path) {
37 size_t start = 0;
38 if (0 == path.compare(0, sandbox::kNTPrefixLen, sandbox::kNTPrefix))
39 start = sandbox::kNTPrefixLen;
40
41 const wchar_t kPipe[] = L"pipe\\";
42 return (0 == path.compare(start, arraysize(kPipe) - 1, kPipe));
43 }
44
45 } // namespace
46
47 namespace sandbox {
48
GetReservedKeyFromName(const base::string16 & name)49 HKEY GetReservedKeyFromName(const base::string16& name) {
50 for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
51 if (name == kKnownKey[i].name)
52 return kKnownKey[i].key;
53 }
54
55 return NULL;
56 }
57
ResolveRegistryName(base::string16 name,base::string16 * resolved_name)58 bool ResolveRegistryName(base::string16 name, base::string16* resolved_name) {
59 for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
60 if (name.find(kKnownKey[i].name) == 0) {
61 HKEY key;
62 DWORD disposition;
63 if (ERROR_SUCCESS != ::RegCreateKeyEx(kKnownKey[i].key, L"", 0, NULL, 0,
64 MAXIMUM_ALLOWED, NULL, &key,
65 &disposition))
66 return false;
67
68 bool result = GetPathFromHandle(key, resolved_name);
69 ::RegCloseKey(key);
70
71 if (!result)
72 return false;
73
74 *resolved_name += name.substr(wcslen(kKnownKey[i].name));
75 return true;
76 }
77 }
78
79 return false;
80 }
81
IsReparsePoint(const base::string16 & full_path,bool * result)82 DWORD IsReparsePoint(const base::string16& full_path, bool* result) {
83 base::string16 path = full_path;
84
85 // Remove the nt prefix.
86 if (0 == path.compare(0, kNTPrefixLen, kNTPrefix))
87 path = path.substr(kNTPrefixLen);
88
89 // Check if it's a pipe. We can't query the attributes of a pipe.
90 if (IsPipe(path)) {
91 *result = FALSE;
92 return ERROR_SUCCESS;
93 }
94
95 base::string16::size_type last_pos = base::string16::npos;
96
97 do {
98 path = path.substr(0, last_pos);
99
100 DWORD attributes = ::GetFileAttributes(path.c_str());
101 if (INVALID_FILE_ATTRIBUTES == attributes) {
102 DWORD error = ::GetLastError();
103 if (error != ERROR_FILE_NOT_FOUND &&
104 error != ERROR_PATH_NOT_FOUND &&
105 error != ERROR_INVALID_NAME) {
106 // Unexpected error.
107 NOTREACHED_NT();
108 return error;
109 }
110 } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
111 // This is a reparse point.
112 *result = true;
113 return ERROR_SUCCESS;
114 }
115
116 last_pos = path.rfind(L'\\');
117 } while (last_pos != base::string16::npos);
118
119 *result = false;
120 return ERROR_SUCCESS;
121 }
122
123 // We get a |full_path| of the form \??\c:\some\foo\bar, and the name that
124 // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
SameObject(HANDLE handle,const wchar_t * full_path)125 bool SameObject(HANDLE handle, const wchar_t* full_path) {
126 base::string16 path(full_path);
127 DCHECK_NT(!path.empty());
128
129 // Check if it's a pipe.
130 if (IsPipe(path))
131 return true;
132
133 base::string16 actual_path;
134 if (!GetPathFromHandle(handle, &actual_path))
135 return false;
136
137 // This may end with a backslash.
138 const wchar_t kBackslash = '\\';
139 if (path[path.length() - 1] == kBackslash)
140 path = path.substr(0, path.length() - 1);
141
142 // Perfect match (case-insesitive check).
143 if (0 == _wcsicmp(actual_path.c_str(), path.c_str()))
144 return true;
145
146 // Look for the drive letter.
147 size_t colon_pos = path.find(L':');
148 if (colon_pos == 0 || colon_pos == base::string16::npos)
149 return false;
150
151 // Only one character for the drive.
152 if (colon_pos > 1 && path[colon_pos - 2] != kBackslash)
153 return false;
154
155 // We only need 3 chars, but let's alloc a buffer for four.
156 wchar_t drive[4] = {0};
157 wchar_t vol_name[MAX_PATH];
158 memcpy(drive, &path[colon_pos - 1], 2 * sizeof(*drive));
159
160 // We'll get a double null terminated string.
161 DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH);
162 if (vol_length < 2 || vol_length == MAX_PATH)
163 return false;
164
165 // Ignore the nulls at the end.
166 vol_length = static_cast<DWORD>(wcslen(vol_name));
167
168 // The two paths should be the same length.
169 if (vol_length + path.size() - (colon_pos + 1) != actual_path.size())
170 return false;
171
172 // Check up to the drive letter.
173 if (0 != _wcsnicmp(actual_path.c_str(), vol_name, vol_length))
174 return false;
175
176 // Check the path after the drive letter.
177 if (0 != _wcsicmp(&actual_path[vol_length], &path[colon_pos + 1]))
178 return false;
179
180 return true;
181 }
182
ConvertToLongPath(const base::string16 & short_path,base::string16 * long_path)183 bool ConvertToLongPath(const base::string16& short_path,
184 base::string16* long_path) {
185 // Check if the path is a NT path.
186 bool is_nt_path = false;
187 base::string16 path = short_path;
188 if (0 == path.compare(0, kNTPrefixLen, kNTPrefix)) {
189 path = path.substr(kNTPrefixLen);
190 is_nt_path = true;
191 }
192
193 DWORD size = MAX_PATH;
194 scoped_ptr<wchar_t[]> long_path_buf(new wchar_t[size]);
195
196 DWORD return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(),
197 size);
198 while (return_value >= size) {
199 size *= 2;
200 long_path_buf.reset(new wchar_t[size]);
201 return_value = ::GetLongPathName(path.c_str(), long_path_buf.get(), size);
202 }
203
204 DWORD last_error = ::GetLastError();
205 if (0 == return_value && (ERROR_FILE_NOT_FOUND == last_error ||
206 ERROR_PATH_NOT_FOUND == last_error ||
207 ERROR_INVALID_NAME == last_error)) {
208 // The file does not exist, but maybe a sub path needs to be expanded.
209 base::string16::size_type last_slash = path.rfind(L'\\');
210 if (base::string16::npos == last_slash)
211 return false;
212
213 base::string16 begin = path.substr(0, last_slash);
214 base::string16 end = path.substr(last_slash);
215 if (!ConvertToLongPath(begin, &begin))
216 return false;
217
218 // Ok, it worked. Let's reset the return value.
219 path = begin + end;
220 return_value = 1;
221 } else if (0 != return_value) {
222 path = long_path_buf.get();
223 }
224
225 if (return_value != 0) {
226 if (is_nt_path) {
227 *long_path = kNTPrefix;
228 *long_path += path;
229 } else {
230 *long_path = path;
231 }
232
233 return true;
234 }
235
236 return false;
237 }
238
GetPathFromHandle(HANDLE handle,base::string16 * path)239 bool GetPathFromHandle(HANDLE handle, base::string16* path) {
240 NtQueryObjectFunction NtQueryObject = NULL;
241 ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject);
242
243 OBJECT_NAME_INFORMATION initial_buffer;
244 OBJECT_NAME_INFORMATION* name = &initial_buffer;
245 ULONG size = sizeof(initial_buffer);
246 // Query the name information a first time to get the size of the name.
247 NTSTATUS status = NtQueryObject(handle, ObjectNameInformation, name, size,
248 &size);
249
250 scoped_ptr<OBJECT_NAME_INFORMATION> name_ptr;
251 if (size) {
252 name = reinterpret_cast<OBJECT_NAME_INFORMATION*>(new BYTE[size]);
253 name_ptr.reset(name);
254
255 // Query the name information a second time to get the name of the
256 // object referenced by the handle.
257 status = NtQueryObject(handle, ObjectNameInformation, name, size, &size);
258 }
259
260 if (STATUS_SUCCESS != status)
261 return false;
262
263 path->assign(name->ObjectName.Buffer, name->ObjectName.Length /
264 sizeof(name->ObjectName.Buffer[0]));
265 return true;
266 }
267
GetNtPathFromWin32Path(const base::string16 & path,base::string16 * nt_path)268 bool GetNtPathFromWin32Path(const base::string16& path,
269 base::string16* nt_path) {
270 HANDLE file = ::CreateFileW(path.c_str(), 0,
271 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
272 OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
273 if (file == INVALID_HANDLE_VALUE)
274 return false;
275 bool rv = GetPathFromHandle(file, nt_path);
276 ::CloseHandle(file);
277 return rv;
278 }
279
WriteProtectedChildMemory(HANDLE child_process,void * address,const void * buffer,size_t length)280 bool WriteProtectedChildMemory(HANDLE child_process, void* address,
281 const void* buffer, size_t length) {
282 // First, remove the protections.
283 DWORD old_protection;
284 if (!::VirtualProtectEx(child_process, address, length,
285 PAGE_WRITECOPY, &old_protection))
286 return false;
287
288 SIZE_T written;
289 bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
290 &written) && (length == written);
291
292 // Always attempt to restore the original protection.
293 if (!::VirtualProtectEx(child_process, address, length,
294 old_protection, &old_protection))
295 return false;
296
297 return ok;
298 }
299
300 }; // namespace sandbox
301
302 // TODO(jschuh): http://crbug.com/11789
303 // I'm guessing we have a race where some "security" software is messing
304 // with ntdll/imports underneath us. So, we retry a few times, and in the
305 // worst case we sleep briefly before a few more attempts. (Normally sleeping
306 // would be very bad, but it's better than crashing in this case.)
ResolveNTFunctionPtr(const char * name,void * ptr)307 void ResolveNTFunctionPtr(const char* name, void* ptr) {
308 const int max_tries = 5;
309 const int sleep_threshold = 2;
310
311 static HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName);
312
313 FARPROC* function_ptr = reinterpret_cast<FARPROC*>(ptr);
314 *function_ptr = ::GetProcAddress(ntdll, name);
315
316 for (int tries = 1; !(*function_ptr) && tries < max_tries; ++tries) {
317 if (tries >= sleep_threshold)
318 ::Sleep(1);
319 ntdll = ::GetModuleHandle(sandbox::kNtdllName);
320 *function_ptr = ::GetProcAddress(ntdll, name);
321 }
322
323 CHECK_NT(*function_ptr);
324 }
325